amadey | 9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4

Virtualization/Sandbox Evasion

Processes:

9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exeexplorgu.exerandom.exeamadka.exeexplorha.exeexplorha.exerandom.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amadka.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

67 3308 rundll32.exe
70 4928 rundll32.exe
97 4740 rundll32.exe
101 712 rundll32.exe
Downloads MZ/PE file

flow	pid	process
67	3308	rundll32.exe
70	4928	rundll32.exe
97	4740	rundll32.exe
101	712	rundll32.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exeexplorgu.exerandom.exeamadka.exeexplorha.exeexplorha.exerandom.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

regasm.exeboom8.exechrosha.exefVMfK0evrldMG1fPEep4iXht.exeexplorgu.exeamadka.exeRegAsm.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	regasm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	boom8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	chrosha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	fVMfK0evrldMG1fPEep4iXht.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	explorgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	amadka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	explorha.exe

Drops startup file 7 IoCs

Processes:

regasm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5zCkm2F1iCblApQ5MsCaRtsJ.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MxVwDxkIxcfv54uj7RFNwOjf.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kw40tWa2Ks8Jsn98Ba961A2l.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LHguEJ1w397iFCypFlRXIUwe.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gg5VUriahlW6RINAzCFStMtt.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fbzZ2TX6mDrRWRFhxbMwX2bn.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\omBruxP0GciZuJOJi4fMEge1.bat	regasm.exe

Executes dropped EXE 27 IoCs

Processes:

explorgu.exeosminog.exegoldprimeldlldf.exerandom.exeamadka.exeexplorha.exeTeamFour.exealex1234.exepropro.exeTraffic.exe987123.exelummalg.exechckik.exemk.exefile300un.exeexplorha.exechrosha.exeboom8.exefVMfK0evrldMG1fPEep4iXht.exex7W2dJh7kjYNw1HTS6eNE5wo.exeRzRguaIXhUuLqrO1ZH6stf6S.exe9MII2iZu4B3aUeEubwAF6joh.exerandom.exelummalg.exeboom8.exeyXMXkbExlNk0NcbdzfCIHNk5.exeCB5B.exe

pid	process
5016	explorgu.exe
644	osminog.exe
4936	goldprimeldlldf.exe
3608	random.exe
3256	amadka.exe
884	explorha.exe
4556	TeamFour.exe
2824	alex1234.exe
3016	propro.exe
720	Traffic.exe
2444	987123.exe
3948	lummalg.exe
4880	chckik.exe
3524	mk.exe
3100	file300un.exe
4092	explorha.exe
3964	chrosha.exe
3596	boom8.exe
3504	fVMfK0evrldMG1fPEep4iXht.exe
3204	x7W2dJh7kjYNw1HTS6eNE5wo.exe
3956	RzRguaIXhUuLqrO1ZH6stf6S.exe
2332	9MII2iZu4B3aUeEubwAF6joh.exe
4504	random.exe
5208	lummalg.exe
5348	boom8.exe
5340	yXMXkbExlNk0NcbdzfCIHNk5.exe
5380	CB5B.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorha.exeexplorha.exerandom.exe9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exeexplorgu.exerandom.exeamadka.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	amadka.exe

Loads dropped DLL 7 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exeregsvr32.exe

pid process

4572 rundll32.exe
3308 rundll32.exe
4928 rundll32.exe
2192 rundll32.exe
4740 rundll32.exe
712 rundll32.exe
2588 regsvr32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4572	rundll32.exe
3308	rundll32.exe
4928	rundll32.exe
2192	rundll32.exe
4740	rundll32.exe
712	rundll32.exe
2588	regsvr32.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\J1JNhcOped6SSvwsp8szfjh0.exe	themida

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\u2pc.1.exe	upx
C:\Users\Admin\Pictures\4YwqQWomQshQ5kzywGozM0Zi.exe	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorgu.exefile300un.exechrosha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe"	explorgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000875001\\amadka.exe"	explorgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\.BLRVzdv\\svchost.exe\""	file300un.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000053001\\random.exe"	chrosha.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

113 pastebin.com
115 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

186 api.myip.com
187 api.myip.com
188 ipinfo.io
189 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exeexplorgu.exeamadka.exeexplorha.exeexplorha.exe

pid process

2172 9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exe
5016 explorgu.exe
3256 amadka.exe
884 explorha.exe
4092 explorha.exe

flow	ioc
113	pastebin.com
115	pastebin.com

flow	ioc
186	api.myip.com
187	api.myip.com
188	ipinfo.io
189	ipinfo.io

Suspicious use of SetThreadContext 5 IoCs

Processes:

osminog.exegoldprimeldlldf.exealex1234.exelummalg.exefile300un.exe

description	pid	process	target process
PID 644 set thread context of 4864	644	osminog.exe	RegAsm.exe
PID 4936 set thread context of 452	4936	goldprimeldlldf.exe	RegAsm.exe
PID 2824 set thread context of 4488	2824	alex1234.exe	RegAsm.exe
PID 3948 set thread context of 4872	3948	lummalg.exe	RegAsm.exe
PID 3100 set thread context of 4924	3100	file300un.exe	regasm.exe

Drops file in Windows directory 3 IoCs

Processes:

9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exeamadka.exechckik.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exe
File created	C:\Windows\Tasks\explorha.job	amadka.exe
File created	C:\Windows\Tasks\chrosha.job	chckik.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2980	4864	WerFault.exe	RegAsm.exe
2288	4864	WerFault.exe	RegAsm.exe
5004	4864	WerFault.exe	RegAsm.exe
368	4872	WerFault.exe	RegAsm.exe
5852	3504	WerFault.exe	fVMfK0evrldMG1fPEep4iXht.exe
5216	5548	WerFault.exe	RegAsm.exe
5272	5380	WerFault.exe	CB5B.exe
5728	5988	WerFault.exe	RegAsm.exe
5780	5988	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

987123.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3480 schtasks.exe
5492 schtasks.exe
748 schtasks.exe

pid	process
3480	schtasks.exe
5492	schtasks.exe
748	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

propro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exeexplorgu.exeRegAsm.exerundll32.exepowershell.exeamadka.exeexplorha.exeTeamFour.exe987123.exerundll32.exepowershell.exe

pid	process
2172	9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exe
2172	9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exe
5016	explorgu.exe
5016	explorgu.exe
452	RegAsm.exe
3308	rundll32.exe
3308	rundll32.exe
3308	rundll32.exe
3308	rundll32.exe
3308	rundll32.exe
3308	rundll32.exe
3308	rundll32.exe
3308	rundll32.exe
3308	rundll32.exe
3308	rundll32.exe
1180	powershell.exe
1180	powershell.exe
1180	powershell.exe
452	RegAsm.exe
452	RegAsm.exe
452	RegAsm.exe
452	RegAsm.exe
3256	amadka.exe
3256	amadka.exe
884	explorha.exe
884	explorha.exe
4556	TeamFour.exe
4556	TeamFour.exe
2444	987123.exe
2444	987123.exe
4740	rundll32.exe
4740	rundll32.exe
4740	rundll32.exe
4740	rundll32.exe
4740	rundll32.exe
4740	rundll32.exe
3492
3492
4740	rundll32.exe
4740	rundll32.exe
4740	rundll32.exe
4740	rundll32.exe
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
3492
4608	powershell.exe
4608	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

987123.exe

pid process

2444 987123.exe

pid	process
2444	987123.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

osminog.exeRegAsm.exepowershell.exeTeamFour.exeTraffic.exepowershell.exemk.exepowershell.exeregasm.exe

description	pid	process
Token: SeDebugPrivilege	644	osminog.exe
Token: SeDebugPrivilege	452	RegAsm.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	4556	TeamFour.exe
Token: SeBackupPrivilege	4556	TeamFour.exe
Token: SeSecurityPrivilege	4556	TeamFour.exe
Token: SeSecurityPrivilege	4556	TeamFour.exe
Token: SeSecurityPrivilege	4556	TeamFour.exe
Token: SeSecurityPrivilege	4556	TeamFour.exe
Token: SeDebugPrivilege	720	Traffic.exe
Token: SeBackupPrivilege	720	Traffic.exe
Token: SeSecurityPrivilege	720	Traffic.exe
Token: SeSecurityPrivilege	720	Traffic.exe
Token: SeSecurityPrivilege	720	Traffic.exe
Token: SeSecurityPrivilege	720	Traffic.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492
Token: SeDebugPrivilege	3524	mk.exe
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4924	regasm.exe
Token: SeShutdownPrivilege	3492
Token: SeCreatePagefilePrivilege	3492

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

explorgu.exeosminog.exegoldprimeldlldf.exerundll32.exerundll32.exeamadka.exealex1234.exeRegAsm.exe

description	pid	process	target process
PID 5016 wrote to memory of 644	5016	explorgu.exe	osminog.exe
PID 5016 wrote to memory of 644	5016	explorgu.exe	osminog.exe
PID 5016 wrote to memory of 644	5016	explorgu.exe	osminog.exe
PID 644 wrote to memory of 4864	644	osminog.exe	RegAsm.exe
PID 644 wrote to memory of 4864	644	osminog.exe	RegAsm.exe
PID 644 wrote to memory of 4864	644	osminog.exe	RegAsm.exe
PID 644 wrote to memory of 4864	644	osminog.exe	RegAsm.exe
PID 644 wrote to memory of 4864	644	osminog.exe	RegAsm.exe
PID 644 wrote to memory of 4864	644	osminog.exe	RegAsm.exe
PID 644 wrote to memory of 4864	644	osminog.exe	RegAsm.exe
PID 644 wrote to memory of 4864	644	osminog.exe	RegAsm.exe
PID 644 wrote to memory of 4864	644	osminog.exe	RegAsm.exe
PID 5016 wrote to memory of 4936	5016	explorgu.exe	goldprimeldlldf.exe
PID 5016 wrote to memory of 4936	5016	explorgu.exe	goldprimeldlldf.exe
PID 5016 wrote to memory of 4936	5016	explorgu.exe	goldprimeldlldf.exe
PID 4936 wrote to memory of 2968	4936	goldprimeldlldf.exe	RegAsm.exe
PID 4936 wrote to memory of 2968	4936	goldprimeldlldf.exe	RegAsm.exe
PID 4936 wrote to memory of 2968	4936	goldprimeldlldf.exe	RegAsm.exe
PID 4936 wrote to memory of 452	4936	goldprimeldlldf.exe	RegAsm.exe
PID 4936 wrote to memory of 452	4936	goldprimeldlldf.exe	RegAsm.exe
PID 4936 wrote to memory of 452	4936	goldprimeldlldf.exe	RegAsm.exe
PID 4936 wrote to memory of 452	4936	goldprimeldlldf.exe	RegAsm.exe
PID 4936 wrote to memory of 452	4936	goldprimeldlldf.exe	RegAsm.exe
PID 4936 wrote to memory of 452	4936	goldprimeldlldf.exe	RegAsm.exe
PID 4936 wrote to memory of 452	4936	goldprimeldlldf.exe	RegAsm.exe
PID 4936 wrote to memory of 452	4936	goldprimeldlldf.exe	RegAsm.exe
PID 5016 wrote to memory of 4572	5016	explorgu.exe	rundll32.exe
PID 5016 wrote to memory of 4572	5016	explorgu.exe	rundll32.exe
PID 5016 wrote to memory of 4572	5016	explorgu.exe	rundll32.exe
PID 4572 wrote to memory of 3308	4572	rundll32.exe	rundll32.exe
PID 4572 wrote to memory of 3308	4572	rundll32.exe	rundll32.exe
PID 3308 wrote to memory of 928	3308	rundll32.exe	netsh.exe
PID 3308 wrote to memory of 928	3308	rundll32.exe	netsh.exe
PID 3308 wrote to memory of 1180	3308	rundll32.exe	powershell.exe
PID 3308 wrote to memory of 1180	3308	rundll32.exe	powershell.exe
PID 5016 wrote to memory of 3608	5016	explorgu.exe	random.exe
PID 5016 wrote to memory of 3608	5016	explorgu.exe	random.exe
PID 5016 wrote to memory of 3608	5016	explorgu.exe	random.exe
PID 5016 wrote to memory of 3256	5016	explorgu.exe	amadka.exe
PID 5016 wrote to memory of 3256	5016	explorgu.exe	amadka.exe
PID 5016 wrote to memory of 3256	5016	explorgu.exe	amadka.exe
PID 5016 wrote to memory of 4928	5016	explorgu.exe	rundll32.exe
PID 5016 wrote to memory of 4928	5016	explorgu.exe	rundll32.exe
PID 5016 wrote to memory of 4928	5016	explorgu.exe	rundll32.exe
PID 3256 wrote to memory of 884	3256	amadka.exe	explorha.exe
PID 3256 wrote to memory of 884	3256	amadka.exe	explorha.exe
PID 3256 wrote to memory of 884	3256	amadka.exe	explorha.exe
PID 5016 wrote to memory of 4556	5016	explorgu.exe	TeamFour.exe
PID 5016 wrote to memory of 4556	5016	explorgu.exe	TeamFour.exe
PID 5016 wrote to memory of 2824	5016	explorgu.exe	alex1234.exe
PID 5016 wrote to memory of 2824	5016	explorgu.exe	alex1234.exe
PID 5016 wrote to memory of 2824	5016	explorgu.exe	alex1234.exe
PID 2824 wrote to memory of 4488	2824	alex1234.exe	RegAsm.exe
PID 2824 wrote to memory of 4488	2824	alex1234.exe	RegAsm.exe
PID 2824 wrote to memory of 4488	2824	alex1234.exe	RegAsm.exe
PID 2824 wrote to memory of 4488	2824	alex1234.exe	RegAsm.exe
PID 2824 wrote to memory of 4488	2824	alex1234.exe	RegAsm.exe
PID 2824 wrote to memory of 4488	2824	alex1234.exe	RegAsm.exe
PID 2824 wrote to memory of 4488	2824	alex1234.exe	RegAsm.exe
PID 2824 wrote to memory of 4488	2824	alex1234.exe	RegAsm.exe
PID 4488 wrote to memory of 3016	4488	RegAsm.exe	propro.exe
PID 4488 wrote to memory of 3016	4488	RegAsm.exe	propro.exe
PID 4488 wrote to memory of 3016	4488	RegAsm.exe	propro.exe
PID 4488 wrote to memory of 720	4488	RegAsm.exe	Traffic.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exe
"C:\Users\Admin\AppData\Local\Temp\9499d127b81e4dafbddc11c0bdde086588fc207d92a535bc2798d7159c29f9e4.exe"
1⤵
- DcRat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
  "C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1236
      4⤵
      Program crash
      PID:2980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1252
      4⤵
      Program crash
      PID:2288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1212
      4⤵
      Program crash
      PID:5004
- C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
  "C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:452
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1180
- C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
  "C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  PID:3608
- C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe
  "C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:884
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2192
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4740
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:2740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:712
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4928
- C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe
  "C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
  "C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:3016
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:720
- C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe
  "C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4872
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1256
      4⤵
      Program crash
      PID:368
- C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
  "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
  2⤵
  PID:624
- C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe
  "C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4880
- C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe
  "C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Users\Admin\AppData\Local\Temp\1001029001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001029001\file300un.exe"
  2⤵
  - DcRat
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:3100
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- - C:\Windows\system32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"' & exit
    3⤵
    PID:3912
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"'
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:748
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
  - - C:\Users\Admin\Pictures\fVMfK0evrldMG1fPEep4iXht.exe
      "C:\Users\Admin\Pictures\fVMfK0evrldMG1fPEep4iXht.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3504
    - - C:\Users\Admin\AppData\Local\Temp\u2pc.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2pc.0.exe"
        5⤵
        
        PID:5388
    - - C:\Users\Admin\AppData\Local\Temp\u2pc.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2pc.1.exe"
        5⤵
        
        PID:5720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:5492
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 1456
        5⤵
        Program crash
        
        PID:5852
  - - C:\Users\Admin\Pictures\x7W2dJh7kjYNw1HTS6eNE5wo.exe
      "C:\Users\Admin\Pictures\x7W2dJh7kjYNw1HTS6eNE5wo.exe"
      4⤵
      Executes dropped EXE
      PID:3204
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 624
        6⤵
        Program crash
        
        PID:5728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 648
        6⤵
        Program crash
        
        PID:5780
  - - C:\Users\Admin\Pictures\RzRguaIXhUuLqrO1ZH6stf6S.exe
      "C:\Users\Admin\Pictures\RzRguaIXhUuLqrO1ZH6stf6S.exe"
      4⤵
      Executes dropped EXE
      PID:3956
  - - C:\Users\Admin\Pictures\9MII2iZu4B3aUeEubwAF6joh.exe
      "C:\Users\Admin\Pictures\9MII2iZu4B3aUeEubwAF6joh.exe"
      4⤵
      Executes dropped EXE
      PID:2332
  - - C:\Users\Admin\Pictures\yXMXkbExlNk0NcbdzfCIHNk5.exe
      "C:\Users\Admin\Pictures\yXMXkbExlNk0NcbdzfCIHNk5.exe"
      4⤵
      Executes dropped EXE
      PID:5340
  - - C:\Users\Admin\Pictures\J1JNhcOped6SSvwsp8szfjh0.exe
      "C:\Users\Admin\Pictures\J1JNhcOped6SSvwsp8szfjh0.exe"
      4⤵
      PID:3604
  - - C:\Users\Admin\Pictures\4YwqQWomQshQ5kzywGozM0Zi.exe
      "C:\Users\Admin\Pictures\4YwqQWomQshQ5kzywGozM0Zi.exe" --silent --allusers=0
      4⤵
      PID:4840
    - - C:\Users\Admin\Pictures\4YwqQWomQshQ5kzywGozM0Zi.exe
        
        C:\Users\Admin\Pictures\4YwqQWomQshQ5kzywGozM0Zi.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6af521f8,0x6af52204,0x6af52210
        5⤵
        
        PID:4108
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\4YwqQWomQshQ5kzywGozM0Zi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\4YwqQWomQshQ5kzywGozM0Zi.exe" --version
        5⤵
        
        PID:5704
    - - C:\Users\Admin\Pictures\4YwqQWomQshQ5kzywGozM0Zi.exe
        
        "C:\Users\Admin\Pictures\4YwqQWomQshQ5kzywGozM0Zi.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4840 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240324160730" --session-guid=d44d687d-7048-495a-b140-52db1ecacd3f --server-tracking-blob=Mzc3ODhhYjc2MjJjMGI4NDBiN2E0MjIwMDAyNDljYzZiOTM4ZWEyN2U1MjFmNTVlMTM4YTM5NDAxZjE5MmZhZjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMTI5NjQyMi44MDIzIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI0MzFiNDIyNC00YWM1LTRhNDMtODEyNC0wNGE2YjdkNGFjNTUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9C05000000000000
        5⤵
        
        PID:3476
      - C:\Users\Admin\Pictures\4YwqQWomQshQ5kzywGozM0Zi.exe
        
        C:\Users\Admin\Pictures\4YwqQWomQshQ5kzywGozM0Zi.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2e0,0x2f0,0x2f4,0x2bc,0x2f8,0x6a5d21f8,0x6a5d2204,0x6a5d2210
        6⤵
        
        PID:4948
  - - C:\Users\Admin\Pictures\wqLs3MkhzuPZbwPyw5yhgJvT.exe
      "C:\Users\Admin\Pictures\wqLs3MkhzuPZbwPyw5yhgJvT.exe"
      4⤵
      PID:5064
    - - C:\Users\Admin\AppData\Local\Temp\7zS2F82.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:2912
      - C:\Users\Admin\AppData\Local\Temp\7zS3917.tmp\Install.exe
        
        .\Install.exe /HdidRJVy "385118" /S
        6⤵
        
        PID:6012
- C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe
  "C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3596
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe" /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4864 -ip 4864
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4864 -ip 4864
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4864 -ip 4864
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4872 -ip 4872
1⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3964
- C:\Users\Admin\AppData\Local\Temp\1000053001\random.exe
  "C:\Users\Admin\AppData\Local\Temp\1000053001\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\1000063001\lummalg.exe
  "C:\Users\Admin\AppData\Local\Temp\1000063001\lummalg.exe"
  2⤵
  - Executes dropped EXE
  PID:5208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 1236
      4⤵
      Program crash
      PID:5216
- C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
  "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe"
  2⤵
  - Executes dropped EXE
  PID:5348
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  PID:5292
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    PID:5524
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:5208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:5864
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  PID:5968

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4092

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BBE8.dll
1⤵
PID:2192
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\BBE8.dll
  2⤵
  - Loads dropped DLL
  PID:2588

C:\Users\Admin\AppData\Local\Temp\CB5B.exe
C:\Users\Admin\AppData\Local\Temp\CB5B.exe
1⤵
- Executes dropped EXE
PID:5380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1100
  2⤵
  - Program crash
  PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3504 -ip 3504
1⤵
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5548 -ip 5548
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5380 -ip 5380
1⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\E953.exe
C:\Users\Admin\AppData\Local\Temp\E953.exe
1⤵
PID:5364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:4944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:5572

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:5460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5988 -ip 5988
1⤵
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5988 -ip 5988
1⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\F655.exe
C:\Users\Admin\AppData\Local\Temp\F655.exe
1⤵
PID:2128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\3AC1.exe
C:\Users\Admin\AppData\Local\Temp\3AC1.exe
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
  "C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
  2⤵
  PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion