amadey | 3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402

Virtualization/Sandbox Evasion

Processes:

amadka.exeexplorha.exeb7b7e4b2a6.exe3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exeexplorgu.exerandom.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amadka.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b7b7e4b2a6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

flow pid process

51 440 rundll32.exe
69 5364 rundll32.exe
89 5548 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

944 netsh.exe
4664 netsh.exe
5348 netsh.exe

flow	pid	process
51	440	rundll32.exe
69	5364	rundll32.exe
89	5548	rundll32.exe

pid	process
944	netsh.exe
4664	netsh.exe
5348	netsh.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exerandom.exeamadka.exeexplorha.exeb7b7e4b2a6.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b7b7e4b2a6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b7b7e4b2a6.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

chckik.exeexplorgu.exeamadka.exeexplorha.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	chckik.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	explorgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	amadka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	explorha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 19 IoCs

Processes:

explorgu.exeosminog.exegoldprimeldlldf.exerandom.exeamadka.exeTeamFour.exeexplorha.exealex1234.exeb7b7e4b2a6.exepropro.exeTraffic.exe987123.exeyoffens_crypted_EASY.exelumma21.exelummalg.exefile300un.exechckik.exeISetup3.exechrosha.exe

pid	process
1124	explorgu.exe
3416	osminog.exe
1016	goldprimeldlldf.exe
4696	random.exe
60	amadka.exe
4732	TeamFour.exe
2032	explorha.exe
3152	alex1234.exe
5264	b7b7e4b2a6.exe
5288	propro.exe
5308	Traffic.exe
5636	987123.exe
5984	yoffens_crypted_EASY.exe
6104	lumma21.exe
5564	lummalg.exe
4184	file300un.exe
5616	chckik.exe
6032	ISetup3.exe
444	chrosha.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

b7b7e4b2a6.exe3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exeexplorgu.exerandom.exeamadka.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	b7b7e4b2a6.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	amadka.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	explorha.exe

Loads dropped DLL 7 IoCs

Processes:

rundll32.exerundll32.exerundll32.exeyoffens_crypted_EASY.exerundll32.exerundll32.exe

pid process

1820 rundll32.exe
440 rundll32.exe
5364 rundll32.exe
5984 yoffens_crypted_EASY.exe
5984 yoffens_crypted_EASY.exe
5404 rundll32.exe
5548 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1820	rundll32.exe
440	rundll32.exe
5364	rundll32.exe
5984	yoffens_crypted_EASY.exe
5984	yoffens_crypted_EASY.exe
5404	rundll32.exe
5548	rundll32.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\shTShpP9KRC2jHXOgudJWqP9.exe	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\u4nk.1.exe	upx
C:\Users\Admin\AppData\Local\Temp\u4nk.1.exe	upx
C:\Users\Admin\AppData\Local\Temp\u4nk.1.exe	upx
C:\Users\Admin\Pictures\kbXqE96ZoDKGOyHPMZ4YLyxU.exe	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorgu.exeexplorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe"	explorgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000875001\\amadka.exe"	explorgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b7b7e4b2a6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\b7b7e4b2a6.exe"	explorha.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

117 pastebin.com
119 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

183 api.myip.com
184 api.myip.com
188 ipinfo.io
189 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exeexplorgu.exeamadka.exeexplorha.exe

pid process

2520 3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exe
1124 explorgu.exe
60 amadka.exe
2032 explorha.exe

flow	ioc
117	pastebin.com
119	pastebin.com

flow	ioc
183	api.myip.com
184	api.myip.com
188	ipinfo.io
189	ipinfo.io

Suspicious use of SetThreadContext 4 IoCs

Processes:

goldprimeldlldf.exeosminog.exealex1234.exelummalg.exe

description	pid	process	target process
PID 1016 set thread context of 2988	1016	goldprimeldlldf.exe	RegAsm.exe
PID 3416 set thread context of 2336	3416	osminog.exe	RegAsm.exe
PID 3152 set thread context of 4736	3152	alex1234.exe	RegAsm.exe
PID 5564 set thread context of 6016	5564	lummalg.exe	RegAsm.exe

Drops file in Windows directory 4 IoCs

Processes:

3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exeamadka.exelumma21.exechckik.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exe
File created	C:\Windows\Tasks\explorha.job	amadka.exe
File created	C:\Windows\Tasks\chrosha.job	lumma21.exe
File created	C:\Windows\Tasks\chrosha.job	chckik.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5624 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5624	sc.exe

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3428	2336	WerFault.exe	RegAsm.exe
6112	5636	WerFault.exe	987123.exe
5276	5984	WerFault.exe	yoffens_crypted_EASY.exe
5624	6016	WerFault.exe	RegAsm.exe
5940	6032	WerFault.exe	ISetup3.exe
4580	4664	WerFault.exe	RegAsm.exe
4532	4664	WerFault.exe	RegAsm.exe
3908	2408	WerFault.exe	u4nk.0.exe
2352	1688	WerFault.exe	umc.0.exe
5292	5648	WerFault.exe	RegAsm.exe
1100	804	WerFault.exe	RSroEUIW1evzZmUu2c5wBZEC.exe
5240	5648	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

987123.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1100 schtasks.exe
4596 schtasks.exe
5276 schtasks.exe
5748 schtasks.exe

pid	process
1100	schtasks.exe
4596	schtasks.exe
5276	schtasks.exe
5748	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

propro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2200 PING.EXE

pid	process
2200	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exeexplorgu.exeamadka.exerundll32.exeexplorha.exepowershell.exerundll32.exeTeamFour.exeRegAsm.exe

pid	process
2520	3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exe
2520	3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exe
1124	explorgu.exe
1124	explorgu.exe
60	amadka.exe
60	amadka.exe
440	rundll32.exe
440	rundll32.exe
440	rundll32.exe
440	rundll32.exe
440	rundll32.exe
440	rundll32.exe
2032	explorha.exe
2032	explorha.exe
440	rundll32.exe
440	rundll32.exe
440	rundll32.exe
440	rundll32.exe
4284	powershell.exe
4284	powershell.exe
4284	powershell.exe
5548	rundll32.exe
5548	rundll32.exe
5548	rundll32.exe
5548	rundll32.exe
5548	rundll32.exe
5548	rundll32.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
4732	TeamFour.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe
2988	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

osminog.exeTeamFour.exepowershell.exeTraffic.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3416	osminog.exe
Token: SeDebugPrivilege	4732	TeamFour.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeBackupPrivilege	4732	TeamFour.exe
Token: SeSecurityPrivilege	4732	TeamFour.exe
Token: SeSecurityPrivilege	4732	TeamFour.exe
Token: SeSecurityPrivilege	4732	TeamFour.exe
Token: SeSecurityPrivilege	4732	TeamFour.exe
Token: SeDebugPrivilege	5308	Traffic.exe
Token: SeBackupPrivilege	5308	Traffic.exe
Token: SeSecurityPrivilege	5308	Traffic.exe
Token: SeSecurityPrivilege	5308	Traffic.exe
Token: SeSecurityPrivilege	5308	Traffic.exe
Token: SeSecurityPrivilege	5308	Traffic.exe
Token: SeDebugPrivilege	2988	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exeamadka.exelumma21.exe

pid process

2520 3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exe
60 amadka.exe
6104 lumma21.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

explorgu.exegoldprimeldlldf.exeosminog.exerundll32.exerundll32.exeamadka.exealex1234.exeexplorha.exeRegAsm.exe

description	pid	process	target process
PID 1124 wrote to memory of 3416	1124	explorgu.exe	osminog.exe
PID 1124 wrote to memory of 3416	1124	explorgu.exe	osminog.exe
PID 1124 wrote to memory of 3416	1124	explorgu.exe	osminog.exe
PID 1124 wrote to memory of 1016	1124	explorgu.exe	goldprimeldlldf.exe
PID 1124 wrote to memory of 1016	1124	explorgu.exe	goldprimeldlldf.exe
PID 1124 wrote to memory of 1016	1124	explorgu.exe	goldprimeldlldf.exe
PID 1016 wrote to memory of 2988	1016	goldprimeldlldf.exe	RegAsm.exe
PID 1016 wrote to memory of 2988	1016	goldprimeldlldf.exe	RegAsm.exe
PID 1016 wrote to memory of 2988	1016	goldprimeldlldf.exe	RegAsm.exe
PID 1016 wrote to memory of 2988	1016	goldprimeldlldf.exe	RegAsm.exe
PID 1016 wrote to memory of 2988	1016	goldprimeldlldf.exe	RegAsm.exe
PID 1016 wrote to memory of 2988	1016	goldprimeldlldf.exe	RegAsm.exe
PID 1016 wrote to memory of 2988	1016	goldprimeldlldf.exe	RegAsm.exe
PID 1016 wrote to memory of 2988	1016	goldprimeldlldf.exe	RegAsm.exe
PID 3416 wrote to memory of 1872	3416	osminog.exe	RegAsm.exe
PID 3416 wrote to memory of 1872	3416	osminog.exe	RegAsm.exe
PID 3416 wrote to memory of 1872	3416	osminog.exe	RegAsm.exe
PID 3416 wrote to memory of 2336	3416	osminog.exe	RegAsm.exe
PID 3416 wrote to memory of 2336	3416	osminog.exe	RegAsm.exe
PID 3416 wrote to memory of 2336	3416	osminog.exe	RegAsm.exe
PID 3416 wrote to memory of 2336	3416	osminog.exe	RegAsm.exe
PID 3416 wrote to memory of 2336	3416	osminog.exe	RegAsm.exe
PID 3416 wrote to memory of 2336	3416	osminog.exe	RegAsm.exe
PID 3416 wrote to memory of 2336	3416	osminog.exe	RegAsm.exe
PID 3416 wrote to memory of 2336	3416	osminog.exe	RegAsm.exe
PID 3416 wrote to memory of 2336	3416	osminog.exe	RegAsm.exe
PID 1124 wrote to memory of 4696	1124	explorgu.exe	random.exe
PID 1124 wrote to memory of 4696	1124	explorgu.exe	random.exe
PID 1124 wrote to memory of 4696	1124	explorgu.exe	random.exe
PID 1124 wrote to memory of 60	1124	explorgu.exe	WerFault.exe
PID 1124 wrote to memory of 60	1124	explorgu.exe	WerFault.exe
PID 1124 wrote to memory of 60	1124	explorgu.exe	WerFault.exe
PID 1124 wrote to memory of 1820	1124	explorgu.exe	rundll32.exe
PID 1124 wrote to memory of 1820	1124	explorgu.exe	rundll32.exe
PID 1124 wrote to memory of 1820	1124	explorgu.exe	rundll32.exe
PID 1820 wrote to memory of 440	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 440	1820	rundll32.exe	rundll32.exe
PID 440 wrote to memory of 4540	440	rundll32.exe	netsh.exe
PID 440 wrote to memory of 4540	440	rundll32.exe	netsh.exe
PID 1124 wrote to memory of 4732	1124	explorgu.exe	TeamFour.exe
PID 1124 wrote to memory of 4732	1124	explorgu.exe	TeamFour.exe
PID 60 wrote to memory of 2032	60	amadka.exe	explorha.exe
PID 60 wrote to memory of 2032	60	amadka.exe	explorha.exe
PID 60 wrote to memory of 2032	60	amadka.exe	explorha.exe
PID 440 wrote to memory of 4284	440	rundll32.exe	powershell.exe
PID 440 wrote to memory of 4284	440	rundll32.exe	powershell.exe
PID 1124 wrote to memory of 3152	1124	explorgu.exe	alex1234.exe
PID 1124 wrote to memory of 3152	1124	explorgu.exe	alex1234.exe
PID 1124 wrote to memory of 3152	1124	explorgu.exe	alex1234.exe
PID 3152 wrote to memory of 4320	3152	alex1234.exe	RegAsm.exe
PID 3152 wrote to memory of 4320	3152	alex1234.exe	RegAsm.exe
PID 3152 wrote to memory of 4320	3152	alex1234.exe	RegAsm.exe
PID 3152 wrote to memory of 4736	3152	alex1234.exe	RegAsm.exe
PID 3152 wrote to memory of 4736	3152	alex1234.exe	RegAsm.exe
PID 3152 wrote to memory of 4736	3152	alex1234.exe	RegAsm.exe
PID 3152 wrote to memory of 4736	3152	alex1234.exe	RegAsm.exe
PID 3152 wrote to memory of 4736	3152	alex1234.exe	RegAsm.exe
PID 3152 wrote to memory of 4736	3152	alex1234.exe	RegAsm.exe
PID 3152 wrote to memory of 4736	3152	alex1234.exe	RegAsm.exe
PID 3152 wrote to memory of 4736	3152	alex1234.exe	RegAsm.exe
PID 2032 wrote to memory of 5264	2032	explorha.exe	b7b7e4b2a6.exe
PID 2032 wrote to memory of 5264	2032	explorha.exe	b7b7e4b2a6.exe
PID 2032 wrote to memory of 5264	2032	explorha.exe	b7b7e4b2a6.exe
PID 4736 wrote to memory of 5288	4736	RegAsm.exe	propro.exe

C:\Users\Admin\AppData\Local\Temp\3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exe
"C:\Users\Admin\AppData\Local\Temp\3701bf5f2a994b253171e712240ac573e886a05101c5e7ce0f68f87c12d86402.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2520

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
  "C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 1236
      4⤵
      Program crash
      PID:3428
- C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
  "C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
  "C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  PID:4696
- C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe
  "C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\1000022001\b7b7e4b2a6.exe
      "C:\Users\Admin\AppData\Local\Temp\1000022001\b7b7e4b2a6.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      PID:5264
  - - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      4⤵
      PID:5852
  - - C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
      "C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of FindShellTrayWindow
      PID:6104
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:5404
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:5548
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:5340
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\172592802658_Desktop.zip' -CompressionLevel Optimal
        6⤵
        
        PID:5376
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      PID:5244
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:4540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\172592802658_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4284
- C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe
  "C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
  "C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:5288
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5308
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:2876
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4332
- C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:5636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 352
    3⤵
    - Program crash
    PID:6112
- C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe
  "C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 796
    3⤵
    - Program crash
    PID:5276
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5364
- C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe
  "C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6016 -s 1224
      4⤵
      Program crash
      PID:5624
- C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
  "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
  2⤵
  PID:5572
- C:\Users\Admin\AppData\Local\Temp\1001018001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001018001\file300un.exe"
  2⤵
  - Executes dropped EXE
  PID:4184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1001018001\file300un.exe" -Force
    3⤵
    PID:4388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:3360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:3040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:3960
  - - C:\Users\Admin\Pictures\RSroEUIW1evzZmUu2c5wBZEC.exe
      "C:\Users\Admin\Pictures\RSroEUIW1evzZmUu2c5wBZEC.exe"
      4⤵
      PID:804
    - - C:\Users\Admin\AppData\Local\Temp\umc.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\umc.0.exe"
        5⤵
        
        PID:1688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1300
        6⤵
        Program crash
        
        PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\umc.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\umc.1.exe"
        5⤵
        
        PID:4328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:5748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1528
        5⤵
        Program crash
        
        PID:1100
  - - C:\Users\Admin\Pictures\w7hRN2YhgLZeQvfS6h1RtmVg.exe
      "C:\Users\Admin\Pictures\w7hRN2YhgLZeQvfS6h1RtmVg.exe"
      4⤵
      PID:4532
  - - C:\Users\Admin\Pictures\qnTbe9foaSldRE0FRvMIEBbL.exe
      "C:\Users\Admin\Pictures\qnTbe9foaSldRE0FRvMIEBbL.exe"
      4⤵
      PID:2588
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1964
    - - C:\Users\Admin\Pictures\qnTbe9foaSldRE0FRvMIEBbL.exe
        
        "C:\Users\Admin\Pictures\qnTbe9foaSldRE0FRvMIEBbL.exe"
        5⤵
        
        PID:3888
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4588
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:5708
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:944
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5884
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4736
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:5948
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:1100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        
        PID:4860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:4596
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        7⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        Launches sc.exe
        
        PID:5624
  - - C:\Users\Admin\Pictures\jbyZXMMpLIPefHnBs3yFX5Mk.exe
      "C:\Users\Admin\Pictures\jbyZXMMpLIPefHnBs3yFX5Mk.exe"
      4⤵
      PID:4060
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5652
    - - C:\Users\Admin\Pictures\jbyZXMMpLIPefHnBs3yFX5Mk.exe
        
        "C:\Users\Admin\Pictures\jbyZXMMpLIPefHnBs3yFX5Mk.exe"
        5⤵
        
        PID:4224
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:5284
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:5348
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5556
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5344
  - - C:\Users\Admin\Pictures\N6D3cucYSa7dXgJSr9nUxifu.exe
      "C:\Users\Admin\Pictures\N6D3cucYSa7dXgJSr9nUxifu.exe"
      4⤵
      PID:5396
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:232
    - - C:\Users\Admin\Pictures\N6D3cucYSa7dXgJSr9nUxifu.exe
        
        "C:\Users\Admin\Pictures\N6D3cucYSa7dXgJSr9nUxifu.exe"
        5⤵
        
        PID:2348
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5676
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:5952
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:4664
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1676
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6000
  - - C:\Users\Admin\Pictures\jVFVMbJ0IyGoCPVXVKUYx1oE.exe
      "C:\Users\Admin\Pictures\jVFVMbJ0IyGoCPVXVKUYx1oE.exe"
      4⤵
      PID:1628
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4564
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 648
        6⤵
        Program crash
        
        PID:5292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 668
        6⤵
        Program crash
        
        PID:5240
  - - C:\Users\Admin\Pictures\kbXqE96ZoDKGOyHPMZ4YLyxU.exe
      "C:\Users\Admin\Pictures\kbXqE96ZoDKGOyHPMZ4YLyxU.exe" --silent --allusers=0
      4⤵
      PID:3924
    - - C:\Users\Admin\Pictures\kbXqE96ZoDKGOyHPMZ4YLyxU.exe
        
        C:\Users\Admin\Pictures\kbXqE96ZoDKGOyHPMZ4YLyxU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6ee821f8,0x6ee82204,0x6ee82210
        5⤵
        
        PID:5924
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\kbXqE96ZoDKGOyHPMZ4YLyxU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\kbXqE96ZoDKGOyHPMZ4YLyxU.exe" --version
        5⤵
        
        PID:5304
    - - C:\Users\Admin\Pictures\kbXqE96ZoDKGOyHPMZ4YLyxU.exe
        
        "C:\Users\Admin\Pictures\kbXqE96ZoDKGOyHPMZ4YLyxU.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3924 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240323155315" --session-guid=478896e4-3e26-43cb-8fb8-9d286eb976cd --server-tracking-blob=ZWRiNjViYzQ4YWM3NTNhMGFlMjc1NzViOWM5YzI3NGFjZjJlNzczODE0ODQxZGY3YWE2NWMyMzAzOWYzZDU5Njp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMTIwOTE4My4yMjk3IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJjZDgwYTUxNC04YzFhLTQ5NDYtODZkYS0xNGVhNGY2MzZjMTcifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1805000000000000
        5⤵
        
        PID:3128
      - C:\Users\Admin\Pictures\kbXqE96ZoDKGOyHPMZ4YLyxU.exe
        
        C:\Users\Admin\Pictures\kbXqE96ZoDKGOyHPMZ4YLyxU.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2bc,0x300,0x6e4b21f8,0x6e4b2204,0x6e4b2210
        6⤵
        
        PID:1008
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403231553151\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403231553151\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
        5⤵
        
        PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403231553151\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403231553151\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:208
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403231553151\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403231553151\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x5f0040,0x5f004c,0x5f0058
        6⤵
        
        PID:4996
  - - C:\Users\Admin\Pictures\shTShpP9KRC2jHXOgudJWqP9.exe
      "C:\Users\Admin\Pictures\shTShpP9KRC2jHXOgudJWqP9.exe"
      4⤵
      PID:2148
  - - C:\Users\Admin\Pictures\blBTInDWdLvpzcKhTonkfyIQ.exe
      "C:\Users\Admin\Pictures\blBTInDWdLvpzcKhTonkfyIQ.exe"
      4⤵
      PID:5696
    - - C:\Users\Admin\AppData\Local\Temp\7zSBE84.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:60
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:5172
- C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe
  "C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5616
- - C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
    "C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe"
    3⤵
    - Executes dropped EXE
    PID:444
  - - C:\Users\Admin\AppData\Local\Temp\1000074001\Fullwork123.exe
      "C:\Users\Admin\AppData\Local\Temp\1000074001\Fullwork123.exe"
      4⤵
      PID:5960
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5080
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 608
        6⤵
        Program crash
        
        PID:4580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1248
        6⤵
        Program crash
        
        PID:4532
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
      4⤵
      PID:3128
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
        5⤵
        
        PID:4292
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:1932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\172592802658_Desktop.zip' -CompressionLevel Optimal
        6⤵
        
        PID:5636
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
      4⤵
      PID:2772
- C:\Users\Admin\AppData\Local\Temp\1001023001\ISetup3.exe
  "C:\Users\Admin\AppData\Local\Temp\1001023001\ISetup3.exe"
  2⤵
  - Executes dropped EXE
  PID:6032
- - C:\Users\Admin\AppData\Local\Temp\u4nk.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u4nk.0.exe"
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FHCGHJDBFI.exe"
      4⤵
      PID:5996
    - - C:\Users\Admin\AppData\Local\Temp\FHCGHJDBFI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FHCGHJDBFI.exe"
        5⤵
        
        PID:5260
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\FHCGHJDBFI.exe
        6⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        7⤵
        Runs ping.exe
        
        PID:2200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 2328
      4⤵
      Program crash
      PID:3908
- - C:\Users\Admin\AppData\Local\Temp\u4nk.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u4nk.1.exe"
    3⤵
    PID:5720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:4228
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:5208
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:5276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 1428
    3⤵
    - Program crash
    PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2336 -ip 2336
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5636 -ip 5636
1⤵
PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5984 -ip 5984
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6016 -ip 6016
1⤵
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6032 -ip 6032
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4664 -ip 4664
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4664 -ip 4664
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2408 -ip 2408
1⤵
PID:5208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 4184 -ip 4184
1⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1688 -ip 1688
1⤵
PID:1556

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5648 -ip 5648
1⤵
PID:5236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 804 -ip 804
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5648 -ip 5648
1⤵
PID:5324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\33945c4f34\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\33945c4f34\Dctooux.exe
1⤵
PID:4392
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
  2⤵
  PID:6088
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
    3⤵
    PID:5552
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:1716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\172592802658_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:3600

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
PID:3336

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

Virtualization/Sandbox Evasion