amadey | 6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977

Virtualization/Sandbox Evasion

Processes:

explorha.exe01e79bfed6.exeexplorha.exerandom.exeexplorha.exe6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	01e79bfed6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

44 4172 rundll32.exe
45 4712 rundll32.exe
91 4804 rundll32.exe
96 4752 rundll32.exe
Downloads MZ/PE file

flow	pid	process
44	4172	rundll32.exe
45	4712	rundll32.exe
91	4804	rundll32.exe
96	4752	rundll32.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

random.exeexplorha.exe6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exeexplorha.exe01e79bfed6.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	01e79bfed6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	01e79bfed6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

chrosha.exeboom8.exeISetup8.exeu3xg.0.exeGIJEGDAKEH.exe8CFA.exe6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	chrosha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	boom8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	ISetup8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	u3xg.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	GIJEGDAKEH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	8CFA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	explorha.exe

Executes dropped EXE 22 IoCs

Processes:

explorha.exe01e79bfed6.exelumma21.exeexplorha.exechrosha.exerandom.exelummalg.exeFullwork123.exeboom8.exeISetup8.exetoolspub1.exeu3xg.0.exeu3xg.1.exeGIJEGDAKEH.exe8CFA.exe8CFA.exe8CFA.exe8CFA.exeC001.exeD224.exeexplorha.exeboom8.exe

pid	process
1960	explorha.exe
3216	01e79bfed6.exe
3636	lumma21.exe
2748	explorha.exe
916	chrosha.exe
4428	random.exe
1508	lummalg.exe
4936	Fullwork123.exe
3608	boom8.exe
5092	ISetup8.exe
4992	toolspub1.exe
840	u3xg.0.exe
1852	u3xg.1.exe
3520	GIJEGDAKEH.exe
5044	8CFA.exe
3224	8CFA.exe
4756	8CFA.exe
784	8CFA.exe
1508	C001.exe
3492	D224.exe
4396	explorha.exe
1908	boom8.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorha.exe6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exeexplorha.exe01e79bfed6.exeexplorha.exerandom.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	01e79bfed6.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	random.exe

Loads dropped DLL 8 IoCs

Processes:

rundll32.exerundll32.exerundll32.exeu3xg.0.exerundll32.exerundll32.exerundll32.exe

pid process

5044 rundll32.exe
4172 rundll32.exe
4712 rundll32.exe
840 u3xg.0.exe
840 u3xg.0.exe
1136 rundll32.exe
4804 rundll32.exe
4752 rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4216 icacls.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5044	rundll32.exe
4172	rundll32.exe
4712	rundll32.exe
840	u3xg.0.exe
840	u3xg.0.exe
1136	rundll32.exe
4804	rundll32.exe
4752	rundll32.exe

pid	process
4216	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\u3xg.1.exe	upx
behavioral1/memory/1852-451-0x0000000000400000-0x0000000000930000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

explorha.exechrosha.exe8CFA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\01e79bfed6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\01e79bfed6.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000053001\\random.exe"	chrosha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a859576a-36d9-44b6-83b2-4ab7b2392170\\8CFA.exe\" --AutoStart"	8CFA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

134 drive.google.com
136 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

102 api.2ip.ua
103 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exeexplorha.exeexplorha.exeexplorha.exe

pid process

4908 6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe
1960 explorha.exe
2748 explorha.exe
4396 explorha.exe

flow	ioc
134	drive.google.com
136	drive.google.com

flow	ioc
102	api.2ip.ua
103	api.2ip.ua

Suspicious use of SetThreadContext 5 IoCs

Processes:

lummalg.exeFullwork123.exe8CFA.exe8CFA.exeD224.exe

description	pid	process	target process
PID 1508 set thread context of 1400	1508	lummalg.exe	RegAsm.exe
PID 4936 set thread context of 2404	4936	Fullwork123.exe	RegAsm.exe
PID 5044 set thread context of 3224	5044	8CFA.exe	8CFA.exe
PID 4756 set thread context of 784	4756	8CFA.exe	8CFA.exe
PID 3492 set thread context of 3792	3492	D224.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exelumma21.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe
File created	C:\Windows\Tasks\chrosha.job	lumma21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1260	1400	WerFault.exe	RegAsm.exe
4360	2404	WerFault.exe	RegAsm.exe
2636	2404	WerFault.exe	RegAsm.exe
3096	5092	WerFault.exe	ISetup8.exe
1128	840	WerFault.exe	u3xg.0.exe
3624	784	WerFault.exe	8CFA.exe
3380	1508	WerFault.exe	C001.exe
4528	3792	WerFault.exe	RegAsm.exe
228	3792	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

u3xg.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u3xg.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u3xg.0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1544 schtasks.exe
5052 schtasks.exe

pid	process
1544	schtasks.exe
5052	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

Processes:

SearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exeexplorer.exeexplorer.exeexplorer.exeSearchApp.exeexplorer.exeSearchApp.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{3DBE6158-8F69-42A6-B70B-F24D0589D0D2}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{BBA12B5C-5F78-43A4-9490-DBE451C628EE}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3444 PING.EXE

pid	process
3444	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exeexplorha.exerundll32.exepowershell.exeexplorha.exetoolspub1.exeu3xg.0.exerundll32.exe

pid	process
4908	6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe
4908	6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe
1960	explorha.exe
1960	explorha.exe
4172	rundll32.exe
4172	rundll32.exe
4172	rundll32.exe
4172	rundll32.exe
4172	rundll32.exe
4172	rundll32.exe
4172	rundll32.exe
4172	rundll32.exe
4172	rundll32.exe
4172	rundll32.exe
4044	powershell.exe
4044	powershell.exe
4044	powershell.exe
2748	explorha.exe
2748	explorha.exe
4992	toolspub1.exe
4992	toolspub1.exe
840	u3xg.0.exe
840	u3xg.0.exe
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
3476
4804	rundll32.exe
4804	rundll32.exe
4804	rundll32.exe
4804	rundll32.exe
4804	rundll32.exe
4804	rundll32.exe
3476
3476
3476
3476
3476

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

toolspub1.exe

pid process

4992 toolspub1.exe

pid	process
4992	toolspub1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	3476
Token: SeCreatePagefilePrivilege	3476
Token: SeShutdownPrivilege	4716	explorer.exe
Token: SeCreatePagefilePrivilege	4716	explorer.exe
Token: SeShutdownPrivilege	4716	explorer.exe
Token: SeCreatePagefilePrivilege	4716	explorer.exe
Token: SeShutdownPrivilege	4716	explorer.exe
Token: SeCreatePagefilePrivilege	4716	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
4716	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
2568	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe
1436	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

u3xg.1.exeStartMenuExperienceHost.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exeStartMenuExperienceHost.exeSearchApp.exe

pid	process
1852	u3xg.1.exe
5020	StartMenuExperienceHost.exe
3884	StartMenuExperienceHost.exe
3736	SearchApp.exe
3488	StartMenuExperienceHost.exe
3752	SearchApp.exe
2356	StartMenuExperienceHost.exe
4652	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exeexplorha.exerundll32.exerundll32.exechrosha.exelummalg.exeFullwork123.exeboom8.exeISetup8.exe

description	pid	process	target process
PID 4908 wrote to memory of 1960	4908	6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe	explorha.exe
PID 4908 wrote to memory of 1960	4908	6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe	explorha.exe
PID 4908 wrote to memory of 1960	4908	6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe	explorha.exe
PID 1960 wrote to memory of 3216	1960	explorha.exe	01e79bfed6.exe
PID 1960 wrote to memory of 3216	1960	explorha.exe	01e79bfed6.exe
PID 1960 wrote to memory of 3216	1960	explorha.exe	01e79bfed6.exe
PID 1960 wrote to memory of 2880	1960	explorha.exe	explorha.exe
PID 1960 wrote to memory of 2880	1960	explorha.exe	explorha.exe
PID 1960 wrote to memory of 2880	1960	explorha.exe	explorha.exe
PID 1960 wrote to memory of 3636	1960	explorha.exe	lumma21.exe
PID 1960 wrote to memory of 3636	1960	explorha.exe	lumma21.exe
PID 1960 wrote to memory of 3636	1960	explorha.exe	lumma21.exe
PID 1960 wrote to memory of 5044	1960	explorha.exe	rundll32.exe
PID 1960 wrote to memory of 5044	1960	explorha.exe	rundll32.exe
PID 1960 wrote to memory of 5044	1960	explorha.exe	rundll32.exe
PID 5044 wrote to memory of 4172	5044	rundll32.exe	rundll32.exe
PID 5044 wrote to memory of 4172	5044	rundll32.exe	rundll32.exe
PID 4172 wrote to memory of 4216	4172	rundll32.exe	netsh.exe
PID 4172 wrote to memory of 4216	4172	rundll32.exe	netsh.exe
PID 4172 wrote to memory of 4044	4172	rundll32.exe	powershell.exe
PID 4172 wrote to memory of 4044	4172	rundll32.exe	powershell.exe
PID 1960 wrote to memory of 4712	1960	explorha.exe	rundll32.exe
PID 1960 wrote to memory of 4712	1960	explorha.exe	rundll32.exe
PID 1960 wrote to memory of 4712	1960	explorha.exe	rundll32.exe
PID 916 wrote to memory of 4428	916	chrosha.exe	random.exe
PID 916 wrote to memory of 4428	916	chrosha.exe	random.exe
PID 916 wrote to memory of 4428	916	chrosha.exe	random.exe
PID 916 wrote to memory of 1508	916	chrosha.exe	lummalg.exe
PID 916 wrote to memory of 1508	916	chrosha.exe	lummalg.exe
PID 916 wrote to memory of 1508	916	chrosha.exe	lummalg.exe
PID 1508 wrote to memory of 1400	1508	lummalg.exe	RegAsm.exe
PID 1508 wrote to memory of 1400	1508	lummalg.exe	RegAsm.exe
PID 1508 wrote to memory of 1400	1508	lummalg.exe	RegAsm.exe
PID 1508 wrote to memory of 1400	1508	lummalg.exe	RegAsm.exe
PID 1508 wrote to memory of 1400	1508	lummalg.exe	RegAsm.exe
PID 1508 wrote to memory of 1400	1508	lummalg.exe	RegAsm.exe
PID 1508 wrote to memory of 1400	1508	lummalg.exe	RegAsm.exe
PID 1508 wrote to memory of 1400	1508	lummalg.exe	RegAsm.exe
PID 1508 wrote to memory of 1400	1508	lummalg.exe	RegAsm.exe
PID 916 wrote to memory of 4936	916	chrosha.exe	Fullwork123.exe
PID 916 wrote to memory of 4936	916	chrosha.exe	Fullwork123.exe
PID 916 wrote to memory of 4936	916	chrosha.exe	Fullwork123.exe
PID 4936 wrote to memory of 2404	4936	Fullwork123.exe	RegAsm.exe
PID 4936 wrote to memory of 2404	4936	Fullwork123.exe	RegAsm.exe
PID 4936 wrote to memory of 2404	4936	Fullwork123.exe	RegAsm.exe
PID 4936 wrote to memory of 2404	4936	Fullwork123.exe	RegAsm.exe
PID 4936 wrote to memory of 2404	4936	Fullwork123.exe	RegAsm.exe
PID 4936 wrote to memory of 2404	4936	Fullwork123.exe	RegAsm.exe
PID 4936 wrote to memory of 2404	4936	Fullwork123.exe	RegAsm.exe
PID 4936 wrote to memory of 2404	4936	Fullwork123.exe	RegAsm.exe
PID 4936 wrote to memory of 2404	4936	Fullwork123.exe	RegAsm.exe
PID 916 wrote to memory of 3608	916	chrosha.exe	boom8.exe
PID 916 wrote to memory of 3608	916	chrosha.exe	boom8.exe
PID 916 wrote to memory of 3608	916	chrosha.exe	boom8.exe
PID 3608 wrote to memory of 1544	3608	boom8.exe	schtasks.exe
PID 3608 wrote to memory of 1544	3608	boom8.exe	schtasks.exe
PID 3608 wrote to memory of 1544	3608	boom8.exe	schtasks.exe
PID 3608 wrote to memory of 5092	3608	boom8.exe	ISetup8.exe
PID 3608 wrote to memory of 5092	3608	boom8.exe	ISetup8.exe
PID 3608 wrote to memory of 5092	3608	boom8.exe	ISetup8.exe
PID 3608 wrote to memory of 4992	3608	boom8.exe	toolspub1.exe
PID 3608 wrote to memory of 4992	3608	boom8.exe	toolspub1.exe
PID 3608 wrote to memory of 4992	3608	boom8.exe	toolspub1.exe
PID 5092 wrote to memory of 840	5092	ISetup8.exe	u3xg.0.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe
"C:\Users\Admin\AppData\Local\Temp\6ca1274e2b896609e052a17f5de984ec78795a756cd22b3a5dc1a1803b2cb977.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\1000022001\01e79bfed6.exe
    "C:\Users\Admin\AppData\Local\Temp\1000022001\01e79bfed6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:3216
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:2880
- - C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
    "C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3636
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:4216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\270530367132_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4044
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4712

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\1000053001\random.exe
  "C:\Users\Admin\AppData\Local\Temp\1000053001\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  PID:4428
- C:\Users\Admin\AppData\Local\Temp\1000063001\lummalg.exe
  "C:\Users\Admin\AppData\Local\Temp\1000063001\lummalg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1228
      4⤵
      Program crash
      PID:1260
- C:\Users\Admin\AppData\Local\Temp\1000074001\Fullwork123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000074001\Fullwork123.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1100
      4⤵
      Program crash
      PID:2636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 608
      4⤵
      Program crash
      PID:4360
- C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
  "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1544
- - C:\Users\Admin\AppData\Local\Temp\1000172001\ISetup8.exe
    "C:\Users\Admin\AppData\Local\Temp\1000172001\ISetup8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\u3xg.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u3xg.0.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:840
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIJEGDAKEH.exe"
        5⤵
        
        PID:3796
      - C:\Users\Admin\AppData\Local\Temp\GIJEGDAKEH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GIJEGDAKEH.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GIJEGDAKEH.exe
        7⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:3444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 2332
        5⤵
        Program crash
        
        PID:1128
  - - C:\Users\Admin\AppData\Local\Temp\u3xg.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u3xg.1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        
        PID:3380
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:952
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:5052
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1528
      4⤵
      Program crash
      PID:3096
- - C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4992
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:1136
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4804
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:2184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\270530367132_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2192
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1400 -ip 1400
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2404 -ip 2404
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2404 -ip 2404
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5092 -ip 5092
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 840 -ip 840
1⤵
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7C6E.bat" "
1⤵
PID:4172
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:1200

C:\Users\Admin\AppData\Local\Temp\8CFA.exe
C:\Users\Admin\AppData\Local\Temp\8CFA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5044
- C:\Users\Admin\AppData\Local\Temp\8CFA.exe
  C:\Users\Admin\AppData\Local\Temp\8CFA.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3224
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\a859576a-36d9-44b6-83b2-4ab7b2392170" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4216
- - C:\Users\Admin\AppData\Local\Temp\8CFA.exe
    "C:\Users\Admin\AppData\Local\Temp\8CFA.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\8CFA.exe
      "C:\Users\Admin\AppData\Local\Temp\8CFA.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 568
        5⤵
        Program crash
        
        PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 784 -ip 784
1⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\C001.exe
C:\Users\Admin\AppData\Local\Temp\C001.exe
1⤵
- Executes dropped EXE
PID:1508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1092
  2⤵
  - Program crash
  PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C1E7.bat" "
1⤵
PID:4368
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1508 -ip 1508
1⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\D224.exe
C:\Users\Admin\AppData\Local\Temp\D224.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1192
    3⤵
    - Program crash
    PID:4528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1208
    3⤵
    - Program crash
    PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3792 -ip 3792
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3792 -ip 3792
1⤵
PID:2624

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5020

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2956

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4396

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:2568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3488

C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3752

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:1436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4652

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3476

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:376

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2280

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1068

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1584

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1128

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4192

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3752

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1908

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4936

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4492

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4628

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5076

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2404

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

Virtualization/Sandbox Evasion