amadey | 471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7

Virtualization/Sandbox Evasion

Processes:

explorha.exeadfbOTSuFSGJSqdMt1gqIu6P.exeexplorha.exe471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exeexplorha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adfbOTSuFSGJSqdMt1gqIu6P.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

9 3300 rundll32.exe
10 2300 rundll32.exe
41 2324 rundll32.exe
45 2100 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

1956 netsh.exe
3236 netsh.exe
4908 netsh.exe

flow	pid	process
9	3300	rundll32.exe
10	2300	rundll32.exe
41	2324	rundll32.exe
45	2100	rundll32.exe

pid	process
1956	netsh.exe
3236	netsh.exe
4908	netsh.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exeexplorha.exeexplorha.exeadfbOTSuFSGJSqdMt1gqIu6P.exeexplorha.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adfbOTSuFSGJSqdMt1gqIu6P.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	adfbOTSuFSGJSqdMt1gqIu6P.exe

Executes dropped EXE 24 IoCs

Processes:

explorha.exelumma21.exechrosha.exeexplorha.exeboom8.exefile300un.exeDvwlK6NfXuNruCarnvSOOWrF.exe1BdVyRMcDnlIbWxTzAJLQpAw.exeUdkjoWwZieUsrvfE8JpHfXVM.exelANimeHYWuuDti6zSuHw5MGs.exeu1pw.0.exeUdkjoWwZieUsrvfE8JpHfXVM.exe1BdVyRMcDnlIbWxTzAJLQpAw.exeu1pw.1.exelANimeHYWuuDti6zSuHw5MGs.execsrss.exeboom8.exeexplorha.exeinjector.exewindefender.exewindefender.exeadfbOTSuFSGJSqdMt1gqIu6P.exeexplorha.exeboom8.exe

pid	process
224	explorha.exe
2832	lumma21.exe
4340	chrosha.exe
3244	explorha.exe
4892	boom8.exe
1132	file300un.exe
2228	DvwlK6NfXuNruCarnvSOOWrF.exe
432	1BdVyRMcDnlIbWxTzAJLQpAw.exe
2840	UdkjoWwZieUsrvfE8JpHfXVM.exe
1076	lANimeHYWuuDti6zSuHw5MGs.exe
864	u1pw.0.exe
2864	UdkjoWwZieUsrvfE8JpHfXVM.exe
4264	1BdVyRMcDnlIbWxTzAJLQpAw.exe
2736	u1pw.1.exe
440	lANimeHYWuuDti6zSuHw5MGs.exe
4072	csrss.exe
2108	boom8.exe
4992	explorha.exe
1416	injector.exe
4576	windefender.exe
3592	windefender.exe
2344	adfbOTSuFSGJSqdMt1gqIu6P.exe
2008	explorha.exe
4672	boom8.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorha.exe471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exeexplorha.exeexplorha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

3704 rundll32.exe
3300 rundll32.exe
1216 rundll32.exe
2300 rundll32.exe
2324 rundll32.exe
2100 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3704	rundll32.exe
3300	rundll32.exe
1216	rundll32.exe
2300	rundll32.exe
2324	rundll32.exe
2100	rundll32.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\adfbOTSuFSGJSqdMt1gqIu6P.exe	themida
behavioral2/memory/2344-857-0x00007FF6F3810000-0x00007FF6F4227000-memory.dmp	themida
behavioral2/memory/2344-858-0x00007FF6F3810000-0x00007FF6F4227000-memory.dmp	themida

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\u1pw.1.exe	upx
C:\Windows\windefender.exe	upx
behavioral2/memory/4576-810-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3592-825-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3592-837-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file300un.exe1BdVyRMcDnlIbWxTzAJLQpAw.exeUdkjoWwZieUsrvfE8JpHfXVM.exelANimeHYWuuDti6zSuHw5MGs.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\.BLRVzdv\\svchost.exe\""	file300un.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	1BdVyRMcDnlIbWxTzAJLQpAw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	UdkjoWwZieUsrvfE8JpHfXVM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	lANimeHYWuuDti6zSuHw5MGs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

adfbOTSuFSGJSqdMt1gqIu6P.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	adfbOTSuFSGJSqdMt1gqIu6P.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

12 pastebin.com
3 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

57 api.myip.com
58 ipinfo.io
47 ipinfo.io
48 api.myip.com
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
12	pastebin.com
3	pastebin.com

flow	ioc
57	api.myip.com
58	ipinfo.io
47	ipinfo.io
48	api.myip.com

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exeadfbOTSuFSGJSqdMt1gqIu6P.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	adfbOTSuFSGJSqdMt1gqIu6P.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	adfbOTSuFSGJSqdMt1gqIu6P.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	adfbOTSuFSGJSqdMt1gqIu6P.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	adfbOTSuFSGJSqdMt1gqIu6P.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exeexplorha.exeexplorha.exeexplorha.exeadfbOTSuFSGJSqdMt1gqIu6P.exeexplorha.exe

pid	process
2344	471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe
224	explorha.exe
3244	explorha.exe
4992	explorha.exe
2344	adfbOTSuFSGJSqdMt1gqIu6P.exe
2008	explorha.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

file300un.exe

description pid process target process

PID 1132 set thread context of 2360 1132 file300un.exe CasPol.exe

description	pid	process	target process
PID 1132 set thread context of 2360	1132	file300un.exe	CasPol.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

UdkjoWwZieUsrvfE8JpHfXVM.exe1BdVyRMcDnlIbWxTzAJLQpAw.exelANimeHYWuuDti6zSuHw5MGs.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	UdkjoWwZieUsrvfE8JpHfXVM.exe
File opened (read-only)	\??\VBoxMiniRdrDN	1BdVyRMcDnlIbWxTzAJLQpAw.exe
File opened (read-only)	\??\VBoxMiniRdrDN	lANimeHYWuuDti6zSuHw5MGs.exe

Drops file in Windows directory 10 IoCs

Processes:

lumma21.exe1BdVyRMcDnlIbWxTzAJLQpAw.exeUdkjoWwZieUsrvfE8JpHfXVM.exelANimeHYWuuDti6zSuHw5MGs.exe471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.execsrss.exe

description	ioc	process
File created	C:\Windows\Tasks\chrosha.job	lumma21.exe
File opened for modification	C:\Windows\rss	1BdVyRMcDnlIbWxTzAJLQpAw.exe
File created	C:\Windows\rss\csrss.exe	1BdVyRMcDnlIbWxTzAJLQpAw.exe
File opened for modification	C:\Windows\rss	UdkjoWwZieUsrvfE8JpHfXVM.exe
File created	C:\Windows\rss\csrss.exe	lANimeHYWuuDti6zSuHw5MGs.exe
File created	C:\Windows\Tasks\explorha.job	471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe
File created	C:\Windows\rss\csrss.exe	UdkjoWwZieUsrvfE8JpHfXVM.exe
File opened for modification	C:\Windows\rss	lANimeHYWuuDti6zSuHw5MGs.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4660 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2152 2228 WerFault.exe DvwlK6NfXuNruCarnvSOOWrF.exe
1772 864 WerFault.exe u1pw.0.exe

pid	process
4660	sc.exe

pid	pid_target	process	target process
2152	2228	WerFault.exe	DvwlK6NfXuNruCarnvSOOWrF.exe
1772	864	WerFault.exe	u1pw.0.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

u1pw.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1pw.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1pw.0.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2840 schtasks.exe
2152 schtasks.exe
2384 schtasks.exe
4124 schtasks.exe
4120 schtasks.exe

pid	process
2840	schtasks.exe
2152	schtasks.exe
2384	schtasks.exe
4124	schtasks.exe
4120	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exewindefender.exepowershell.exepowershell.exepowershell.exeUdkjoWwZieUsrvfE8JpHfXVM.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3051 = "Qyzylorda Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	UdkjoWwZieUsrvfE8JpHfXVM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4536 PING.EXE

pid	process
4536	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exeexplorha.exeexplorha.exerundll32.exepowershell.exerundll32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe1BdVyRMcDnlIbWxTzAJLQpAw.exeUdkjoWwZieUsrvfE8JpHfXVM.exepowershell.exepowershell.exelANimeHYWuuDti6zSuHw5MGs.exepowershell.exeUdkjoWwZieUsrvfE8JpHfXVM.exe1BdVyRMcDnlIbWxTzAJLQpAw.exe

pid	process
2344	471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe
2344	471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe
224	explorha.exe
224	explorha.exe
3244	explorha.exe
3244	explorha.exe
3300	rundll32.exe
3300	rundll32.exe
3300	rundll32.exe
3300	rundll32.exe
3300	rundll32.exe
3300	rundll32.exe
3300	rundll32.exe
3300	rundll32.exe
3300	rundll32.exe
3300	rundll32.exe
4944	powershell.exe
4944	powershell.exe
2300	rundll32.exe
2300	rundll32.exe
2300	rundll32.exe
2300	rundll32.exe
2300	rundll32.exe
2300	rundll32.exe
2300	rundll32.exe
2300	rundll32.exe
2300	rundll32.exe
2300	rundll32.exe
2304	powershell.exe
2304	powershell.exe
4404	powershell.exe
4404	powershell.exe
960	powershell.exe
960	powershell.exe
4944	powershell.exe
4944	powershell.exe
4864	powershell.exe
4864	powershell.exe
432	1BdVyRMcDnlIbWxTzAJLQpAw.exe
432	1BdVyRMcDnlIbWxTzAJLQpAw.exe
2840	UdkjoWwZieUsrvfE8JpHfXVM.exe
2840	UdkjoWwZieUsrvfE8JpHfXVM.exe
3944	powershell.exe
3944	powershell.exe
4048	powershell.exe
4048	powershell.exe
3944	powershell.exe
4048	powershell.exe
1076	lANimeHYWuuDti6zSuHw5MGs.exe
1076	lANimeHYWuuDti6zSuHw5MGs.exe
2700	powershell.exe
2700	powershell.exe
2700	powershell.exe
2864	UdkjoWwZieUsrvfE8JpHfXVM.exe
2864	UdkjoWwZieUsrvfE8JpHfXVM.exe
2864	UdkjoWwZieUsrvfE8JpHfXVM.exe
2864	UdkjoWwZieUsrvfE8JpHfXVM.exe
2864	UdkjoWwZieUsrvfE8JpHfXVM.exe
2864	UdkjoWwZieUsrvfE8JpHfXVM.exe
2864	UdkjoWwZieUsrvfE8JpHfXVM.exe
2864	UdkjoWwZieUsrvfE8JpHfXVM.exe
2864	UdkjoWwZieUsrvfE8JpHfXVM.exe
2864	UdkjoWwZieUsrvfE8JpHfXVM.exe
4264	1BdVyRMcDnlIbWxTzAJLQpAw.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

powershell.exepowershell.exepowershell.exeCasPol.exepowershell.exepowershell.exepowershell.exe1BdVyRMcDnlIbWxTzAJLQpAw.exeUdkjoWwZieUsrvfE8JpHfXVM.exepowershell.exepowershell.exelANimeHYWuuDti6zSuHw5MGs.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	2360	CasPol.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	432	1BdVyRMcDnlIbWxTzAJLQpAw.exe
Token: SeImpersonatePrivilege	432	1BdVyRMcDnlIbWxTzAJLQpAw.exe
Token: SeDebugPrivilege	2840	UdkjoWwZieUsrvfE8JpHfXVM.exe
Token: SeImpersonatePrivilege	2840	UdkjoWwZieUsrvfE8JpHfXVM.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	1076	lANimeHYWuuDti6zSuHw5MGs.exe
Token: SeImpersonatePrivilege	1076	lANimeHYWuuDti6zSuHw5MGs.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeSystemEnvironmentPrivilege	4072	csrss.exe
Token: SeSecurityPrivilege	4660	sc.exe
Token: SeSecurityPrivilege	4660	sc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe

pid process

2344 471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

u1pw.1.exe

pid process

2736 u1pw.1.exe

pid	process
2736	u1pw.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exeexplorha.exechrosha.exeboom8.exerundll32.exerundll32.exerundll32.exerundll32.exefile300un.execmd.exeCasPol.exe1BdVyRMcDnlIbWxTzAJLQpAw.exeUdkjoWwZieUsrvfE8JpHfXVM.exe

description	pid	process	target process
PID 2344 wrote to memory of 224	2344	471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe	explorha.exe
PID 2344 wrote to memory of 224	2344	471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe	explorha.exe
PID 2344 wrote to memory of 224	2344	471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe	explorha.exe
PID 224 wrote to memory of 2832	224	explorha.exe	lumma21.exe
PID 224 wrote to memory of 2832	224	explorha.exe	lumma21.exe
PID 224 wrote to memory of 2832	224	explorha.exe	lumma21.exe
PID 4340 wrote to memory of 4892	4340	chrosha.exe	boom8.exe
PID 4340 wrote to memory of 4892	4340	chrosha.exe	boom8.exe
PID 4340 wrote to memory of 4892	4340	chrosha.exe	boom8.exe
PID 4892 wrote to memory of 2840	4892	boom8.exe	schtasks.exe
PID 4892 wrote to memory of 2840	4892	boom8.exe	schtasks.exe
PID 4892 wrote to memory of 2840	4892	boom8.exe	schtasks.exe
PID 4340 wrote to memory of 3704	4340	chrosha.exe	rundll32.exe
PID 4340 wrote to memory of 3704	4340	chrosha.exe	rundll32.exe
PID 4340 wrote to memory of 3704	4340	chrosha.exe	rundll32.exe
PID 3704 wrote to memory of 3300	3704	rundll32.exe	rundll32.exe
PID 3704 wrote to memory of 3300	3704	rundll32.exe	rundll32.exe
PID 3300 wrote to memory of 356	3300	rundll32.exe	netsh.exe
PID 3300 wrote to memory of 356	3300	rundll32.exe	netsh.exe
PID 3300 wrote to memory of 4944	3300	rundll32.exe	powershell.exe
PID 3300 wrote to memory of 4944	3300	rundll32.exe	powershell.exe
PID 224 wrote to memory of 1216	224	explorha.exe	rundll32.exe
PID 224 wrote to memory of 1216	224	explorha.exe	rundll32.exe
PID 224 wrote to memory of 1216	224	explorha.exe	rundll32.exe
PID 1216 wrote to memory of 2300	1216	rundll32.exe	rundll32.exe
PID 1216 wrote to memory of 2300	1216	rundll32.exe	rundll32.exe
PID 2300 wrote to memory of 2656	2300	rundll32.exe	netsh.exe
PID 2300 wrote to memory of 2656	2300	rundll32.exe	netsh.exe
PID 2300 wrote to memory of 2304	2300	rundll32.exe	powershell.exe
PID 2300 wrote to memory of 2304	2300	rundll32.exe	powershell.exe
PID 4340 wrote to memory of 1132	4340	chrosha.exe	file300un.exe
PID 4340 wrote to memory of 1132	4340	chrosha.exe	file300un.exe
PID 1132 wrote to memory of 4404	1132	file300un.exe	powershell.exe
PID 1132 wrote to memory of 4404	1132	file300un.exe	powershell.exe
PID 1132 wrote to memory of 4832	1132	file300un.exe	cmd.exe
PID 1132 wrote to memory of 4832	1132	file300un.exe	cmd.exe
PID 1132 wrote to memory of 2360	1132	file300un.exe	CasPol.exe
PID 1132 wrote to memory of 2360	1132	file300un.exe	CasPol.exe
PID 1132 wrote to memory of 2360	1132	file300un.exe	CasPol.exe
PID 1132 wrote to memory of 2360	1132	file300un.exe	CasPol.exe
PID 1132 wrote to memory of 2360	1132	file300un.exe	CasPol.exe
PID 1132 wrote to memory of 2360	1132	file300un.exe	CasPol.exe
PID 1132 wrote to memory of 2360	1132	file300un.exe	CasPol.exe
PID 1132 wrote to memory of 2360	1132	file300un.exe	CasPol.exe
PID 4832 wrote to memory of 2152	4832	cmd.exe	schtasks.exe
PID 4832 wrote to memory of 2152	4832	cmd.exe	schtasks.exe
PID 2360 wrote to memory of 2228	2360	CasPol.exe	DvwlK6NfXuNruCarnvSOOWrF.exe
PID 2360 wrote to memory of 2228	2360	CasPol.exe	DvwlK6NfXuNruCarnvSOOWrF.exe
PID 2360 wrote to memory of 2228	2360	CasPol.exe	DvwlK6NfXuNruCarnvSOOWrF.exe
PID 2360 wrote to memory of 432	2360	CasPol.exe	1BdVyRMcDnlIbWxTzAJLQpAw.exe
PID 2360 wrote to memory of 432	2360	CasPol.exe	1BdVyRMcDnlIbWxTzAJLQpAw.exe
PID 2360 wrote to memory of 432	2360	CasPol.exe	1BdVyRMcDnlIbWxTzAJLQpAw.exe
PID 2360 wrote to memory of 2840	2360	CasPol.exe	UdkjoWwZieUsrvfE8JpHfXVM.exe
PID 2360 wrote to memory of 2840	2360	CasPol.exe	UdkjoWwZieUsrvfE8JpHfXVM.exe
PID 2360 wrote to memory of 2840	2360	CasPol.exe	UdkjoWwZieUsrvfE8JpHfXVM.exe
PID 432 wrote to memory of 960	432	1BdVyRMcDnlIbWxTzAJLQpAw.exe	chcp.com
PID 432 wrote to memory of 960	432	1BdVyRMcDnlIbWxTzAJLQpAw.exe	chcp.com
PID 432 wrote to memory of 960	432	1BdVyRMcDnlIbWxTzAJLQpAw.exe	chcp.com
PID 4340 wrote to memory of 2324	4340	chrosha.exe	rundll32.exe
PID 4340 wrote to memory of 2324	4340	chrosha.exe	rundll32.exe
PID 4340 wrote to memory of 2324	4340	chrosha.exe	rundll32.exe
PID 2840 wrote to memory of 4944	2840	UdkjoWwZieUsrvfE8JpHfXVM.exe	powershell.exe
PID 2840 wrote to memory of 4944	2840	UdkjoWwZieUsrvfE8JpHfXVM.exe	powershell.exe
PID 2840 wrote to memory of 4944	2840	UdkjoWwZieUsrvfE8JpHfXVM.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe
"C:\Users\Admin\AppData\Local\Temp\471ad12514f66c86a1560bc3b233b9f286c46e3fb4fc7d3debda864a74fdd8f7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\1000036001\lumma21.exe
    "C:\Users\Admin\AppData\Local\Temp\1000036001\lumma21.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2832
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2100

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
  "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2840
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4944
- C:\Users\Admin\AppData\Local\Temp\1000085001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1000085001\file300un.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
- - C:\Windows\system32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\Pictures\DvwlK6NfXuNruCarnvSOOWrF.exe
      "C:\Users\Admin\Pictures\DvwlK6NfXuNruCarnvSOOWrF.exe"
      4⤵
      Executes dropped EXE
      PID:2228
    - - C:\Users\Admin\AppData\Local\Temp\u1pw.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1pw.0.exe"
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:864
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JECAFHJEGC.exe"
        6⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\JECAFHJEGC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JECAFHJEGC.exe"
        7⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JECAFHJEGC.exe
        8⤵
        
        PID:3968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        9⤵
        Runs ping.exe
        
        PID:4536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 2448
        6⤵
        Program crash
        
        PID:1772
    - - C:\Users\Admin\AppData\Local\Temp\u1pw.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1pw.1.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:960
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:2384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1540
        5⤵
        Program crash
        
        PID:2152
  - - C:\Users\Admin\Pictures\1BdVyRMcDnlIbWxTzAJLQpAw.exe
      "C:\Users\Admin\Pictures\1BdVyRMcDnlIbWxTzAJLQpAw.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
    - - C:\Users\Admin\Pictures\1BdVyRMcDnlIbWxTzAJLQpAw.exe
        
        "C:\Users\Admin\Pictures\1BdVyRMcDnlIbWxTzAJLQpAw.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4264
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:3900
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3236
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:4124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:4120
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        7⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
  - - C:\Users\Admin\Pictures\UdkjoWwZieUsrvfE8JpHfXVM.exe
      "C:\Users\Admin\Pictures\UdkjoWwZieUsrvfE8JpHfXVM.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
    - - C:\Users\Admin\Pictures\UdkjoWwZieUsrvfE8JpHfXVM.exe
        
        "C:\Users\Admin\Pictures\UdkjoWwZieUsrvfE8JpHfXVM.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:1048
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:1956
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3944
  - - C:\Users\Admin\Pictures\lANimeHYWuuDti6zSuHw5MGs.exe
      "C:\Users\Admin\Pictures\lANimeHYWuuDti6zSuHw5MGs.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1076
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
    - - C:\Users\Admin\Pictures\lANimeHYWuuDti6zSuHw5MGs.exe
        
        "C:\Users\Admin\Pictures\lANimeHYWuuDti6zSuHw5MGs.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        
        PID:440
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:2472
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:4908
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5000
  - - C:\Users\Admin\Pictures\adfbOTSuFSGJSqdMt1gqIu6P.exe
      "C:\Users\Admin\Pictures\adfbOTSuFSGJSqdMt1gqIu6P.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2344
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2324

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2228 -ip 2228
1⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4992

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 864 -ip 864
1⤵
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2008

C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
1⤵
- Executes dropped EXE
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery

Virtualization/Sandbox Evasion