Edit tour

Windows Analysis Report
U02LaPwnkd.exe

Overview

General Information

Sample name:	U02LaPwnkd.exe renamed because original name is a hash value
Original sample name:	d63792ee67c6f1702188695387c64991029dabd702d48eac3ea3f0eef280d4a1.exe
Analysis ID:	1585557
MD5:	6871972206b4d156c2246dfc3213e330
SHA1:	cf9310a71c1410cfa2bc7a01379d88e208545817
SHA256:	d63792ee67c6f1702188695387c64991029dabd702d48eac3ea3f0eef280d4a1
Infos:

Detection

ValleyRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected UAC Bypass using CMSTP

Yara detected ValleyRAT

AI detected suspicious sample

Contains functionality to inject threads in other processes

Found evasive API chain (may stop execution after checking mutex)

Found evasive API chain checking for user administrative privileges

Loading BitLocker PowerShell Module

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

U02LaPwnkd.exe (PID: 4040 cmdline: "C:\Users\user\Desktop\U02LaPwnkd.exe" MD5: 6871972206B4D156C2246DFC3213E330)

powershell.exe (PID: 7096 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7492 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

WINWORD.EXE (PID: 5748 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

CompMgmtLauncher.exe (PID: 1252 cmdline: C:\Windows\System32\CompMgmtLauncher.exe MD5: FF9690925244473ECC4C2E5B535B8599)

mmc.exe (PID: 7680 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)

svchost.exe (PID: 5588 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
U02LaPwnkd.exe	malware_valleyrat_strings_config	ValleyRAT strings based on HIVE KEYS and config.	Sekoia.io	0x1126f0:$key1: IpDateInfo 0x1127b0:$key2: IpDate 0x112690:$key3: SelfPath 0x125970:$config1: 7C 00 69 00 3A 00 0x125992:$config2: 7C 00 70 00 3A 00

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4477912347.000001C0D26A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_ValleyRAT	Yara detected ValleyRAT	Joe Security
00000000.00000002.4477912347.000001C0D26A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.4477912347.000001C0D26A0000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3f2f0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x448f8:$s1: CoGetObject 0x3f2a8:$s2: Elevation:Administrator!new:
00000000.00000002.4476822143.000001C0D2650000.00000010.00001000.00020000.00000000.sdmp	JoeSecurity_ValleyRAT	Yara detected ValleyRAT	Joe Security
00000000.00000002.4476822143.000001C0D2650000.00000010.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: U02LaPwnkd.exe PID: 4040	JoeSecurity_ValleyRAT	Yara detected ValleyRAT	Joe Security
Process Memory Space: U02LaPwnkd.exe PID: 4040	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.U02LaPwnkd.exe.1c0d26506d1.0.unpack	JoeSecurity_ValleyRAT	Yara detected ValleyRAT	Joe Security
0.2.U02LaPwnkd.exe.1c0d26506d1.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.U02LaPwnkd.exe.1c0d26506d1.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3c6f0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x41cf8:$s1: CoGetObject 0x3c6a8:$s2: Elevation:Administrator!new:
0.2.U02LaPwnkd.exe.1c0d26a0000.1.raw.unpack	JoeSecurity_ValleyRAT	Yara detected ValleyRAT	Joe Security
0.2.U02LaPwnkd.exe.1c0d26a0000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.U02LaPwnkd.exe.1c0d26a0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3f2f0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x448f8:$s1: CoGetObject 0x3f2a8:$s2: Elevation:Administrator!new:
0.2.U02LaPwnkd.exe.1c0d26a0000.1.unpack	JoeSecurity_ValleyRAT	Yara detected ValleyRAT	Joe Security
0.2.U02LaPwnkd.exe.1c0d26a0000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.U02LaPwnkd.exe.1c0d26a0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3dcf0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x432f8:$s1: CoGetObject 0x3dca8:$s2: Elevation:Administrator!new:
0.2.U02LaPwnkd.exe.1c0d26506d1.0.raw.unpack	JoeSecurity_ValleyRAT	Yara detected ValleyRAT	Joe Security
0.2.U02LaPwnkd.exe.1c0d26506d1.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.U02LaPwnkd.exe.1c0d26506d1.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x3dcf0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x432f8:$s1: CoGetObject 0x3dca8:$s2: Elevation:Administrator!new:
0.0.U02LaPwnkd.exe.7ff6dc8e0000.0.unpack	malware_valleyrat_strings_config	ValleyRAT strings based on HIVE KEYS and config.	Sekoia.io	0x1126f0:$key1: IpDateInfo 0x1127b0:$key2: IpDate 0x112690:$key3: SelfPath 0x125970:$config1: 7C 00 69 00 3A 00 0x125992:$config2: 7C 00 70 00 3A 00
0.2.U02LaPwnkd.exe.7ff6dc8e0000.2.unpack	malware_valleyrat_strings_config	ValleyRAT strings based on HIVE KEYS and config.	Sekoia.io	0x1126f0:$key1: IpDateInfo 0x1127b0:$key2: IpDate 0x112690:$key3: SelfPath 0x125970:$config1: 7C 00 69 00 3A 00 0x125992:$config2: 7C 00 70 00 3A 00
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\U02LaPwnkd.exe, ProcessId: 4040, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\U02LaPwnkd.exe", ParentImage: C:\Users\user\Desktop\U02LaPwnkd.exe, ParentProcessId: 4040, ParentProcessName: U02LaPwnkd.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7096, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5588, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: U02LaPwnkd.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: U02LaPwnkd.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.U02LaPwnkd.exe.1c0d26506d1.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U02LaPwnkd.exe.1c0d26a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U02LaPwnkd.exe.1c0d26a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.U02LaPwnkd.exe.1c0d26506d1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4477912347.000001C0D26A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4476822143.000001C0D2650000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: U02LaPwnkd.exe PID: 4040, type: MEMORYSTR

Source: U02LaPwnkd.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: .pdbs" source: mmc.exe, 0000000D.00000002.4497150514.0000000003E41000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26C2A0C FindFirstFileExW,		0_2_000001C0D26C2A0C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC93EFF4 FindFirstFileExA,		0_2_00007FF6DC93EFF4

Source: C:\Windows\System32\CompMgmtLauncher.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\CompMgmtLauncher.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\CompMgmtLauncher.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\CompMgmtLauncher.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\CompMgmtLauncher.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Windows\System32\CompMgmtLauncher.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: C:\Users\user\Desktop\U02LaPwnkd.exe

Code function: 0_2_000001C0D26A1E00 IsUserAnAdmin,OutputDebugStringA,NetWkstaGetInfo,NetApiBufferFree,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,NetWkstaGetInfo,NetApiBufferFree,OutputDebugStringA,CoUninitialize,InternetCheckConnectionA,GetTempPathA,DeleteFileA,CreateFileA,FindExecutableA,WinExec,MessageBoxA,ExitProcess,NetWkstaGetInfo,NetApiBufferFree,ExitProcess,

0_2_000001C0D26A1E00

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 154.91.226.158:5689

Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188
Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188

Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.226.158
Source: unknown	TCP traffic detected without corresponding DNS query: 154.91.226.158
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\U02LaPwnkd.exe

Code function: 0_2_000001C0D26AA5D0 recv,

0_2_000001C0D26AA5D0

Source: global traffic

DNS traffic detected: DNS query: www.baidu.com

Source: powershell.exe, 00000002.00000002.2211348319.0000019B6407C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000002.00000002.2211348319.0000019B6407C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: svchost.exe, 00000006.00000002.3801955488.0000015D88C0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.6.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.2192765826.0000019B5B7ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2161768322.0000019B4BA32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2161768322.0000019B4BA32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2161768322.0000019B4B761000.00000004.00000800.00020000.00000000.sdmp, mmc.exe, 0000000D.00000002.4497689332.0000000005837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2161768322.0000019B4BA32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2161768322.0000019B4BA32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: U02LaPwnkd.exe, 00000000.00000002.4476822143.000001C0D2650000.00000010.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.baidu.com
Source: powershell.exe, 00000002.00000002.2203230701.0000019B63C01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.t.com/pk
Source: powershell.exe, 00000002.00000002.2161768322.0000019B4B761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000002.00000002.2161768322.0000019B4B761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.2161768322.0000019B4B761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6xG
Source: powershell.exe, 00000002.00000002.2161768322.0000019B4D394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2161768322.0000019B4D394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2161768322.0000019B4D394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000006.00000003.2082584587.0000015D88AF0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000002.00000002.2161768322.0000019B4BA32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2161768322.0000019B4D394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2192765826.0000019B5B7ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2161768322.0000019B4D394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

System Summary

Malicious sample detected (through community Yara rule)

Source: U02LaPwnkd.exe, type: SAMPLE	Matched rule: ValleyRAT strings based on HIVE KEYS and config. Author: Sekoia.io
Source: 0.2.U02LaPwnkd.exe.1c0d26506d1.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.U02LaPwnkd.exe.1c0d26a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.U02LaPwnkd.exe.1c0d26a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.U02LaPwnkd.exe.1c0d26506d1.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.U02LaPwnkd.exe.7ff6dc8e0000.0.unpack, type: UNPACKEDPE	Matched rule: ValleyRAT strings based on HIVE KEYS and config. Author: Sekoia.io
Source: 0.2.U02LaPwnkd.exe.7ff6dc8e0000.2.unpack, type: UNPACKEDPE	Matched rule: ValleyRAT strings based on HIVE KEYS and config. Author: Sekoia.io
Source: 00000000.00000002.4477912347.000001C0D26A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Users\user\Desktop\U02LaPwnkd.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\U02LaPwnkd.exe

Code function: 0_2_000001C0D26A6330 OpenProcess,NtQuerySystemInformation,GetCurrentProcessId,CloseHandle,OutputDebugStringA,NtQuerySystemInformation,OpenProcess,OpenProcess,VirtualAllocEx,TerminateProcess,OpenProcess,WriteProcessMemory,WriteProcessMemory,LoadLibraryW,GetProcAddress,CreateRemoteThread,WaitForSingleObject,OutputDebugStringA,VirtualFreeEx,OutputDebugStringA,

0_2_000001C0D26A6330

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26A2D70	0_2_000001C0D26A2D70
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26A57F0	0_2_000001C0D26A57F0
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26A2630	0_2_000001C0D26A2630
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26A1E00	0_2_000001C0D26A1E00
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26A4DD0	0_2_000001C0D26A4DD0
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26B63CC	0_2_000001C0D26B63CC
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26A7490	0_2_000001C0D26A7490
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26B9C60	0_2_000001C0D26B9C60
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26A25AB	0_2_000001C0D26A25AB
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26B25A4	0_2_000001C0D26B25A4
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26C2A0C	0_2_000001C0D26C2A0C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26BC218	0_2_000001C0D26BC218
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26C19F8	0_2_000001C0D26C19F8
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26C72A2	0_2_000001C0D26C72A2
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26AB2BC	0_2_000001C0D26AB2BC
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26C4A60	0_2_000001C0D26C4A60
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26C124C	0_2_000001C0D26C124C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26BE32C	0_2_000001C0D26BE32C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26B2320	0_2_000001C0D26B2320
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26A6330	0_2_000001C0D26A6330
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26C5B8C	0_2_000001C0D26C5B8C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26A3B90	0_2_000001C0D26A3B90
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26A3800	0_2_000001C0D26A3800
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26C2800	0_2_000001C0D26C2800
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26BCFFC	0_2_000001C0D26BCFFC
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26B510C	0_2_000001C0D26B510C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26C88F0	0_2_000001C0D26C88F0
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26A3E90	0_2_000001C0D26A3E90
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26B5EC0	0_2_000001C0D26B5EC0
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26B5798	0_2_000001C0D26B5798
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC928D60	0_2_00007FF6DC928D60
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC93EDE8	0_2_00007FF6DC93EDE8
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC940E20	0_2_00007FF6DC940E20
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC932ECC	0_2_00007FF6DC932ECC
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC942F70	0_2_00007FF6DC942F70
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC92A92C	0_2_00007FF6DC92A92C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC93C938	0_2_00007FF6DC93C938
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC935950	0_2_00007FF6DC935950
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC931198	0_2_00007FF6DC931198
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC93F998	0_2_00007FF6DC93F998
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC934B1C	0_2_00007FF6DC934B1C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC933310	0_2_00007FF6DC933310
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC942AA0	0_2_00007FF6DC942AA0
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC935C34	0_2_00007FF6DC935C34
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC93D404	0_2_00007FF6DC93D404
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC931414	0_2_00007FF6DC931414
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC944444	0_2_00007FF6DC944444
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26714C9	0_2_000001C0D26714C9
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D265AD8D	0_2_000001C0D265AD8D
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D2665269	0_2_000001C0D2665269
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26552C1	0_2_000001C0D26552C1
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D266CACD	0_2_000001C0D266CACD
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26532D1	0_2_000001C0D26532D1
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D2662075	0_2_000001C0D2662075
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D2652841	0_2_000001C0D2652841
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D2652101	0_2_000001C0D2652101
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D2653961	0_2_000001C0D2653961
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D2655E01	0_2_000001C0D2655E01
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D2661DF1	0_2_000001C0D2661DF1
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D2653661	0_2_000001C0D2653661
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D2669731	0_2_000001C0D2669731
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D2656F61	0_2_000001C0D2656F61
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F37690	2_2_00007FF848F37690
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F3CADB	2_2_00007FF848F3CADB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F3CC30	2_2_00007FF848F3CC30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F3F460	2_2_00007FF848F3F460
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F3CBD5	2_2_00007FF848F3CBD5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F36045	2_2_00007FF848F36045
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F3E878	2_2_00007FF848F3E878

Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: String function: 000001C0D26A8D60 appears 68 times
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: String function: 000001C0D26CD130 appears 52 times

Source: U02LaPwnkd.exe, 00000000.00000000.2018996644.00007FF6DCA73000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWinWordB" vs U02LaPwnkd.exe
Source: U02LaPwnkd.exe	Binary or memory string: OriginalFilenameWinWordB" vs U02LaPwnkd.exe

Source: U02LaPwnkd.exe, type: SAMPLE	Matched rule: malware_valleyrat_strings_config author = Sekoia.io, description = ValleyRAT strings based on HIVE KEYS and config. , creation_date = 2024-08-19, classification = TLP:CLEAR, version = 1.0, id = bb186ab7-60cd-487e-8b9c-c2ff8f121454, hash = 54ba4bbeacd1521164a40e92262b15f6
Source: 0.2.U02LaPwnkd.exe.1c0d26506d1.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.U02LaPwnkd.exe.1c0d26a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.U02LaPwnkd.exe.1c0d26a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.U02LaPwnkd.exe.1c0d26506d1.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.U02LaPwnkd.exe.7ff6dc8e0000.0.unpack, type: UNPACKEDPE	Matched rule: malware_valleyrat_strings_config author = Sekoia.io, description = ValleyRAT strings based on HIVE KEYS and config. , creation_date = 2024-08-19, classification = TLP:CLEAR, version = 1.0, id = bb186ab7-60cd-487e-8b9c-c2ff8f121454, hash = 54ba4bbeacd1521164a40e92262b15f6
Source: 0.2.U02LaPwnkd.exe.7ff6dc8e0000.2.unpack, type: UNPACKEDPE	Matched rule: malware_valleyrat_strings_config author = Sekoia.io, description = ValleyRAT strings based on HIVE KEYS and config. , creation_date = 2024-08-19, classification = TLP:CLEAR, version = 1.0, id = bb186ab7-60cd-487e-8b9c-c2ff8f121454, hash = 54ba4bbeacd1521164a40e92262b15f6
Source: 00000000.00000002.4477912347.000001C0D26A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26A6900 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,		0_2_000001C0D26A6900
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26A66E0 CreateToolhelp32Snapshot,OutputDebugStringA,OutputDebugStringA,Process32FirstW,Process32NextW,CloseHandle,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,		0_2_000001C0D26A66E0

Source: C:\Windows\System32\mmc.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03

Source: U02LaPwnkd.exe	String found in binary or memory: a5dcbddc-addc-95dc-dc9d-dc85dc8ddc75
Source: U02LaPwnkd.exe	String found in binary or memory: b5dbc575-a5db-addb-db95-db9ddb85db8d
Source: U02LaPwnkd.exe	String found in binary or memory: fddb15db-c5db-addb-db75-da4dda1ddae5
Source: U02LaPwnkd.exe	String found in binary or memory: 75750175-a575-add6-d695-d69dd685d68d
Source: U02LaPwnkd.exe	String found in binary or memory: b5dbc575-a5db-addb-db95-db9ddb85db8d
Source: U02LaPwnkd.exe	String found in binary or memory: a5dcbddc-addc-95dc-dc9d-dc85dc8ddc75
Source: U02LaPwnkd.exe	String found in binary or memory: 75750175-a575-add6-d695-d69dd685d68d
Source: U02LaPwnkd.exe	String found in binary or memory: fddb15db-c5db-addb-db75-da4dda1ddae5

Source: unknown	Process created: C:\Users\user\Desktop\U02LaPwnkd.exe "C:\Users\user\Desktop\U02LaPwnkd.exe"
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE"
Source: unknown	Process created: C:\Windows\System32\CompMgmtLauncher.exe C:\Windows\System32\CompMgmtLauncher.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\CompMgmtLauncher.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\CompMgmtLauncher.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s	Jump to behavior

Source: U02LaPwnkd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: U02LaPwnkd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: U02LaPwnkd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: U02LaPwnkd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: U02LaPwnkd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: U02LaPwnkd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: U02LaPwnkd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: U02LaPwnkd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: U02LaPwnkd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: U02LaPwnkd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: U02LaPwnkd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26B765A push rdx; retf	0_2_000001C0D26B765B
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D266712B push edx; retf	0_2_000001C0D266712C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848E1D2A5 pushad ; iretd	2_2_00007FF848E1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F38B98 push eax; ret	2_2_00007FF848F38BA1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F300BD pushad ; iretd	2_2_00007FF848F300C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF8490071C5 push ebp; retf	2_2_00007FF8490071C8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\mmc.exe	Memory allocated: 4030000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 5370000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4953	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1732	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 496	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5972	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3136	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6496	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5560	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 7892	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 7892	Thread sleep time: -42186s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 7892	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 7892	Thread sleep time: -32876s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 7892	Thread sleep time: -30500s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 7892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: U02LaPwnkd.exe, 00000000.00000002.4475875985.000001C0D0C7C000.00000004.00000020.00020000.00000000.sdmp, U02LaPwnkd.exe, 00000000.00000002.4475875985.000001C0D0CDB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3810236427.0000015D88C58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.3769142773.0000015D8362B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26B4C08 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000001C0D26B4C08
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_000001C0D26ACE6C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000001C0D26ACE6C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC92FDFC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6DC92FDFC
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC92BD98 SetUnhandledExceptionFilter,	0_2_00007FF6DC92BD98
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC92C1EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6DC92C1EC
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: 0_2_00007FF6DC92BBFC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6DC92BBFC

Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: try_get_function,GetLocaleInfoW,	0_2_000001C0D26BB420
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: EnumSystemLocalesW,	0_2_000001C0D26C647C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: EnumSystemLocalesW,	0_2_000001C0D26C654C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: GetLocaleInfoW,	0_2_000001C0D26C6A38
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_000001C0D26C6B64
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: GetLocaleInfoW,	0_2_000001C0D26C6830
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,	0_2_000001C0D26C6130
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_000001C0D26C6988
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_000001C0D26C65E4
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: EnumSystemLocalesW,	0_2_000001C0D26BAF7C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: GetLocaleInfoW,	0_2_00007FF6DC937E08
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: EnumSystemLocalesA,	0_2_00007FF6DC928D50
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6DC941E64
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6DC941784
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6DC9418EC
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6DC941854
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6DC93787C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: GetLocaleInfoW,	0_2_00007FF6DC941B30
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: GetLocaleInfoW,	0_2_00007FF6DC941D2C
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: TranslateName,TranslateName,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF6DC941478
Source: C:\Users\user\Desktop\U02LaPwnkd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF6DC941C7C

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report U02LaPwnkd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
U02LaPwnkd.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: U02LaPwnkd.exe	Binary or memory string: kxetray.exe
Source: U02LaPwnkd.exe	Binary or memory string: 360safe.exe
Source: U02LaPwnkd.exe	Binary or memory string: 360Safe.exe
Source: U02LaPwnkd.exe	Binary or memory string: 360tray.exe
Source: U02LaPwnkd.exe	Binary or memory string: 360Tray.exe
Source: U02LaPwnkd.exe	Binary or memory string: MsMpEng.exe

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Account Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	121 Process Injection	2 Obfuscated Files or Information	Security Account Manager	1 System Network Connections Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Masquerading	LSA Secrets	55 System Information Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	41 Virtualization/Sandbox Evasion	Cached Domain Credentials	61 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Process Injection	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement