amadey | 333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lenin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral2/memory/4952-2123-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4952-2124-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4952-2126-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4952-2127-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
10	4212	rundll32.exe
22	4472	rundll32.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1876	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lenin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lenin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe

Executes dropped EXE 25 IoCs

pid	Process
212	explorha.exe
4672	lenin.exe
2892	InstallSetup8.exe
1596	InstallSetup8.exe
3500	syncUpd.exe
2576	BroomSetup.exe
4896	4767d2e713f2021e8fe856e3ea638b58.exe
5020	FirstZ.exe
4008	4767d2e713f2021e8fe856e3ea638b58.exe
3252	explorha.exe
4632	InstallSetup8.exe
4232	csrss.exe
5012	injector.exe
4084	reakuqnanrkn.exe
1860	windefender.exe
396	windefender.exe
4928	CAFHIJDHDG.exe
2504	explorha.exe
656	InstallSetup8.exe
4076	explorha.exe
2328	InstallSetup8.exe
4312	explorha.exe
684	InstallSetup8.exe
4852	explorha.exe
2848	InstallSetup8.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Wine	333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Wine	lenin.exe
Key opened	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Wine	explorha.exe

Loads dropped DLL 8 IoCs

pid	Process
660	rundll32.exe
4212	rundll32.exe
1596	InstallSetup8.exe
1596	InstallSetup8.exe
4472	rundll32.exe
1596	InstallSetup8.exe
3500	syncUpd.exe
3500	syncUpd.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000001ac1d-208.dat	upx
behavioral2/memory/2576-210-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral2/files/0x000600000001ac3e-1953.dat	upx
behavioral2/files/0x000600000001ac3e-1962.dat	upx
behavioral2/files/0x000600000001ac3e-1968.dat	upx
behavioral2/memory/1860-1970-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4952-2119-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4952-2118-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4952-2121-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4952-2122-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4952-2120-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4952-2123-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4952-2124-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4952-2126-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4952-2127-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallSetup8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000018001\\InstallSetup8.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CAFHIJDHDG.exe"	CAFHIJDHDG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\lenin.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000010001\\lenin.exe"	explorha.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	pastebin.com
50	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	api.ipify.org

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
3856	333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd.exe
212	explorha.exe
3252	explorha.exe
2504	explorha.exe
4076	explorha.exe
4312	explorha.exe
4852	explorha.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4084 set thread context of 1560	4084	reakuqnanrkn.exe	187
PID 4084 set thread context of 4952	4084	reakuqnanrkn.exe	191

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	4767d2e713f2021e8fe856e3ea638b58.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd.exe
File opened for modification	C:\Windows\rss	4767d2e713f2021e8fe856e3ea638b58.exe
File created	C:\Windows\rss\csrss.exe	4767d2e713f2021e8fe856e3ea638b58.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3120	sc.exe
4304	sc.exe
2376	sc.exe
3476	sc.exe
2520	sc.exe
2124	sc.exe
4112	sc.exe
4280	sc.exe
4508	sc.exe
4632	sc.exe
2172	sc.exe
1692	sc.exe
3972	sc.exe
2828	sc.exe
4352	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000600000001ac08-146.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	syncUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	syncUpd.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4648	schtasks.exe
1048	schtasks.exe
2912	schtasks.exe
2184	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	windefender.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4964	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3856	333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd.exe
3856	333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd.exe
212	explorha.exe
212	explorha.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
4212	rundll32.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
3500	syncUpd.exe
3500	syncUpd.exe
1076	powershell.exe
1076	powershell.exe
1076	powershell.exe
4896	4767d2e713f2021e8fe856e3ea638b58.exe
4896	4767d2e713f2021e8fe856e3ea638b58.exe
3252	explorha.exe
3252	explorha.exe
4080	powershell.exe
4080	powershell.exe
4080	powershell.exe
4080	powershell.exe
4008	4767d2e713f2021e8fe856e3ea638b58.exe
4008	4767d2e713f2021e8fe856e3ea638b58.exe
4008	4767d2e713f2021e8fe856e3ea638b58.exe
4008	4767d2e713f2021e8fe856e3ea638b58.exe
4008	4767d2e713f2021e8fe856e3ea638b58.exe
4008	4767d2e713f2021e8fe856e3ea638b58.exe
4008	4767d2e713f2021e8fe856e3ea638b58.exe
4008	4767d2e713f2021e8fe856e3ea638b58.exe
4008	4767d2e713f2021e8fe856e3ea638b58.exe
4008	4767d2e713f2021e8fe856e3ea638b58.exe
1320	powershell.exe
1320	powershell.exe
1320	powershell.exe
1320	powershell.exe
316	powershell.exe
316	powershell.exe
316	powershell.exe
316	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
4248	powershell.exe
4248	powershell.exe
4248	powershell.exe
4248	powershell.exe
5012	injector.exe
5012	injector.exe
5012	injector.exe
5012	injector.exe
5012	injector.exe
5012	injector.exe
4232	csrss.exe
4232	csrss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	4896	4767d2e713f2021e8fe856e3ea638b58.exe
Token: SeImpersonatePrivilege	4896	4767d2e713f2021e8fe856e3ea638b58.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeSystemEnvironmentPrivilege	4232	csrss.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeIncreaseQuotaPrivilege	3284	powershell.exe
Token: SeSecurityPrivilege	3284	powershell.exe
Token: SeTakeOwnershipPrivilege	3284	powershell.exe
Token: SeLoadDriverPrivilege	3284	powershell.exe
Token: SeSystemProfilePrivilege	3284	powershell.exe
Token: SeSystemtimePrivilege	3284	powershell.exe
Token: SeProfSingleProcessPrivilege	3284	powershell.exe
Token: SeIncBasePriorityPrivilege	3284	powershell.exe
Token: SeCreatePagefilePrivilege	3284	powershell.exe
Token: SeBackupPrivilege	3284	powershell.exe
Token: SeRestorePrivilege	3284	powershell.exe
Token: SeShutdownPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeSystemEnvironmentPrivilege	3284	powershell.exe
Token: SeRemoteShutdownPrivilege	3284	powershell.exe
Token: SeUndockPrivilege	3284	powershell.exe
Token: SeManageVolumePrivilege	3284	powershell.exe
Token: 33	3284	powershell.exe
Token: 34	3284	powershell.exe
Token: 35	3284	powershell.exe
Token: 36	3284	powershell.exe
Token: SeShutdownPrivilege	4768	powercfg.exe
Token: SeCreatePagefilePrivilege	4768	powercfg.exe
Token: SeShutdownPrivilege	5116	powercfg.exe
Token: SeCreatePagefilePrivilege	5116	powercfg.exe
Token: SeShutdownPrivilege	1320	powercfg.exe
Token: SeCreatePagefilePrivilege	1320	powercfg.exe
Token: SeShutdownPrivilege	3100	powercfg.exe
Token: SeCreatePagefilePrivilege	3100	powercfg.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeSecurityPrivilege	4508	sc.exe
Token: SeSecurityPrivilege	4508	sc.exe
Token: SeAssignPrimaryTokenPrivilege	1048	powershell.exe
Token: SeIncreaseQuotaPrivilege	1048	powershell.exe
Token: SeSecurityPrivilege	1048	powershell.exe
Token: SeTakeOwnershipPrivilege	1048	powershell.exe
Token: SeLoadDriverPrivilege	1048	powershell.exe
Token: SeSystemtimePrivilege	1048	powershell.exe
Token: SeBackupPrivilege	1048	powershell.exe
Token: SeRestorePrivilege	1048	powershell.exe
Token: SeShutdownPrivilege	1048	powershell.exe
Token: SeSystemEnvironmentPrivilege	1048	powershell.exe
Token: SeUndockPrivilege	1048	powershell.exe
Token: SeManageVolumePrivilege	1048	powershell.exe
Token: SeShutdownPrivilege	2336	powercfg.exe
Token: SeCreatePagefilePrivilege	2336	powercfg.exe
Token: SeShutdownPrivilege	4112	powercfg.exe
Token: SeCreatePagefilePrivilege	4112	powercfg.exe
Token: SeShutdownPrivilege	656	powercfg.exe
Token: SeCreatePagefilePrivilege	656	powercfg.exe
Token: SeShutdownPrivilege	5064	powercfg.exe
Token: SeCreatePagefilePrivilege	5064	powercfg.exe
Token: SeLockMemoryPrivilege	4952	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2576	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 212	3856	333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd.exe	74
PID 3856 wrote to memory of 212	3856	333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd.exe	74
PID 3856 wrote to memory of 212	3856	333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd.exe	74
PID 212 wrote to memory of 4672	212	explorha.exe	75
PID 212 wrote to memory of 4672	212	explorha.exe	75
PID 212 wrote to memory of 4672	212	explorha.exe	75
PID 212 wrote to memory of 2892	212	explorha.exe	76
PID 212 wrote to memory of 2892	212	explorha.exe	76
PID 212 wrote to memory of 2892	212	explorha.exe	76
PID 2892 wrote to memory of 4648	2892	InstallSetup8.exe	77
PID 2892 wrote to memory of 4648	2892	InstallSetup8.exe	77
PID 2892 wrote to memory of 4648	2892	InstallSetup8.exe	77
PID 212 wrote to memory of 660	212	explorha.exe	79
PID 212 wrote to memory of 660	212	explorha.exe	79
PID 212 wrote to memory of 660	212	explorha.exe	79
PID 660 wrote to memory of 4212	660	rundll32.exe	80
PID 660 wrote to memory of 4212	660	rundll32.exe	80
PID 4212 wrote to memory of 376	4212	rundll32.exe	81
PID 4212 wrote to memory of 376	4212	rundll32.exe	81
PID 4212 wrote to memory of 2296	4212	rundll32.exe	83
PID 4212 wrote to memory of 2296	4212	rundll32.exe	83
PID 2892 wrote to memory of 1596	2892	InstallSetup8.exe	85
PID 2892 wrote to memory of 1596	2892	InstallSetup8.exe	85
PID 2892 wrote to memory of 1596	2892	InstallSetup8.exe	85
PID 1596 wrote to memory of 3500	1596	InstallSetup8.exe	86
PID 1596 wrote to memory of 3500	1596	InstallSetup8.exe	86
PID 1596 wrote to memory of 3500	1596	InstallSetup8.exe	86
PID 212 wrote to memory of 4472	212	explorha.exe	87
PID 212 wrote to memory of 4472	212	explorha.exe	87
PID 212 wrote to memory of 4472	212	explorha.exe	87
PID 1596 wrote to memory of 2576	1596	InstallSetup8.exe	88
PID 1596 wrote to memory of 2576	1596	InstallSetup8.exe	88
PID 1596 wrote to memory of 2576	1596	InstallSetup8.exe	88
PID 2576 wrote to memory of 4360	2576	BroomSetup.exe	89
PID 2576 wrote to memory of 4360	2576	BroomSetup.exe	89
PID 2576 wrote to memory of 4360	2576	BroomSetup.exe	89
PID 4360 wrote to memory of 2492	4360	cmd.exe	91
PID 4360 wrote to memory of 2492	4360	cmd.exe	91
PID 4360 wrote to memory of 2492	4360	cmd.exe	91
PID 4360 wrote to memory of 1048	4360	cmd.exe	92
PID 4360 wrote to memory of 1048	4360	cmd.exe	92
PID 4360 wrote to memory of 1048	4360	cmd.exe	92
PID 2892 wrote to memory of 4896	2892	InstallSetup8.exe	93
PID 2892 wrote to memory of 4896	2892	InstallSetup8.exe	93
PID 2892 wrote to memory of 4896	2892	InstallSetup8.exe	93
PID 4896 wrote to memory of 1076	4896	4767d2e713f2021e8fe856e3ea638b58.exe	95
PID 4896 wrote to memory of 1076	4896	4767d2e713f2021e8fe856e3ea638b58.exe	95
PID 4896 wrote to memory of 1076	4896	4767d2e713f2021e8fe856e3ea638b58.exe	95
PID 2892 wrote to memory of 5020	2892	InstallSetup8.exe	97
PID 2892 wrote to memory of 5020	2892	InstallSetup8.exe	97
PID 4008 wrote to memory of 4080	4008	4767d2e713f2021e8fe856e3ea638b58.exe	102
PID 4008 wrote to memory of 4080	4008	4767d2e713f2021e8fe856e3ea638b58.exe	102
PID 4008 wrote to memory of 4080	4008	4767d2e713f2021e8fe856e3ea638b58.exe	102
PID 4008 wrote to memory of 4540	4008	4767d2e713f2021e8fe856e3ea638b58.exe	105
PID 4008 wrote to memory of 4540	4008	4767d2e713f2021e8fe856e3ea638b58.exe	105
PID 4540 wrote to memory of 1876	4540	cmd.exe	107
PID 4540 wrote to memory of 1876	4540	cmd.exe	107
PID 4008 wrote to memory of 1320	4008	4767d2e713f2021e8fe856e3ea638b58.exe	108
PID 4008 wrote to memory of 1320	4008	4767d2e713f2021e8fe856e3ea638b58.exe	108
PID 4008 wrote to memory of 1320	4008	4767d2e713f2021e8fe856e3ea638b58.exe	108
PID 4008 wrote to memory of 316	4008	4767d2e713f2021e8fe856e3ea638b58.exe	110
PID 4008 wrote to memory of 316	4008	4767d2e713f2021e8fe856e3ea638b58.exe	110
PID 4008 wrote to memory of 316	4008	4767d2e713f2021e8fe856e3ea638b58.exe	110
PID 4008 wrote to memory of 4232	4008	4767d2e713f2021e8fe856e3ea638b58.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd.exe
"C:\Users\Admin\AppData\Local\Temp\333a556b9edba0a849275d9f35e85c00e40b258d29036d0d7394f44d7eb569fd.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe
    "C:\Users\Admin\AppData\Local\Temp\1000010001\lenin.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:4672
- - C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
    "C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN InstallSetup8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4648
  - - C:\Users\Admin\AppData\Local\Temp\1000151001\InstallSetup8.exe
      "C:\Users\Admin\AppData\Local\Temp\1000151001\InstallSetup8.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        
        C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3500
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAFHIJDHDG.exe"
        6⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\CAFHIJDHDG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CAFHIJDHDG.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\CAFHIJDHDG.exe
        8⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        9⤵
        Runs ping.exe
        
        PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\1000152001\4767d2e713f2021e8fe856e3ea638b58.exe
      "C:\Users\Admin\AppData\Local\Temp\1000152001\4767d2e713f2021e8fe856e3ea638b58.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Users\Admin\AppData\Local\Temp\1000152001\4767d2e713f2021e8fe856e3ea638b58.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000152001\4767d2e713f2021e8fe856e3ea638b58.exe"
        5⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4008
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:1876
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Modifies data under HKEY_USERS
        
        PID:2464
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:2912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:2184
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        7⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\1000153001\FirstZ.exe
      "C:\Users\Admin\AppData\Local\Temp\1000153001\FirstZ.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:5020
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4892
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:4352
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2172
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:4304
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2124
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:1692
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:3120
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        5⤵
        Launches sc.exe
        
        PID:2376
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:4112
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:4280
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WSNKISKT"
        5⤵
        Launches sc.exe
        
        PID:3476
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\104443672357_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4472

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3252

C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
1⤵
- Executes dropped EXE
PID:4632

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:4084
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1300
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4872
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4352
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2520
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2828
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3972
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4632
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:656
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1560
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4952

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:396

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2504

C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
1⤵
- Executes dropped EXE
PID:656

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4076

C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4312

C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
1⤵
- Executes dropped EXE
PID:684

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4852

C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
C:\Users\Admin\AppData\Local\Temp\1000018001\InstallSetup8.exe
1⤵
- Executes dropped EXE
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery

Virtualization/Sandbox Evasion