hxxps://cdn[.]discordapp[.]com/attachments/1213895613779808328/1213928854133932094/tos_cracked[.]rar?ex=65f74258&is=65e4cd58&hm=fe7b192cfde2b0027ec544a1bb61c0a1e108dc216fd6b4609c3085c782476709&

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	main.exe

Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

description	ioc	Process
File opened (read-only)	C:\windows\system32\drivers\VBoxMouse.sys	main.exe

Looks for VMWare drivers on disk 2 TTPs 4 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

description	ioc	Process
File opened (read-only)	C:\windows\system32\drivers\vmci.sys	main.exe
File opened (read-only)	C:\windows\system32\drivers\vmhgfs.sys	main.exe
File opened (read-only)	C:\windows\system32\drivers\vmmouse.sys	main.exe
File opened (read-only)	C:\windows\system32\drivers\vmusbmouse.sys	main.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	main.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	main.exe

Executes dropped EXE 4 IoCs

pid	Process
3068	loader.exe
2700	loader.exe
3692	tos.exe
3804	main.exe

Loads dropped DLL 35 IoCs

pid	Process
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe
3804	main.exe

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000a0000000230fd-116.dat	themida
behavioral1/memory/3068-117-0x00007FF602310000-0x00007FF603153000-memory.dmp	themida
behavioral1/files/0x000a0000000230fd-118.dat	themida
behavioral1/memory/3068-119-0x00007FF602310000-0x00007FF603153000-memory.dmp	themida
behavioral1/memory/3068-120-0x00007FF602310000-0x00007FF603153000-memory.dmp	themida
behavioral1/memory/3068-121-0x00007FF602310000-0x00007FF603153000-memory.dmp	themida
behavioral1/memory/3068-122-0x00007FF602310000-0x00007FF603153000-memory.dmp	themida
behavioral1/memory/3068-123-0x00007FF602310000-0x00007FF603153000-memory.dmp	themida
behavioral1/memory/3068-124-0x00007FF602310000-0x00007FF603153000-memory.dmp	themida
behavioral1/memory/3068-1035-0x00007FF602310000-0x00007FF603153000-memory.dmp	themida
behavioral1/memory/3068-1084-0x00007FF602310000-0x00007FF603153000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
97	discord.com
98	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
94	api64.ipify.org
95	api64.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133542212028860271"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
1652	chrome.exe
1652	chrome.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe
2700	loader.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1540	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
1540	7zFM.exe
1540	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2124	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 4372	2868	chrome.exe	87
PID 2868 wrote to memory of 4372	2868	chrome.exe	87
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 2704	2868	chrome.exe	90
PID 2868 wrote to memory of 4084	2868	chrome.exe	91
PID 2868 wrote to memory of 4084	2868	chrome.exe	91
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92
PID 2868 wrote to memory of 3344	2868	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1213895613779808328/1213928854133932094/tos_cracked.rar?ex=65f74258&is=65e4cd58&hm=fe7b192cfde2b0027ec544a1bb61c0a1e108dc216fd6b4609c3085c782476709&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc93d9758,0x7ffcc93d9768,0x7ffcc93d9778
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1860,i,2489698634704597396,17133406173367134247,131072 /prefetch:2
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1860,i,2489698634704597396,17133406173367134247,131072 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1860,i,2489698634704597396,17133406173367134247,131072 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1860,i,2489698634704597396,17133406173367134247,131072 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1860,i,2489698634704597396,17133406173367134247,131072 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1860,i,2489698634704597396,17133406173367134247,131072 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1860,i,2489698634704597396,17133406173367134247,131072 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4496 --field-trial-handle=1860,i,2489698634704597396,17133406173367134247,131072 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\tos_cracked.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 --field-trial-handle=1860,i,2489698634704597396,17133406173367134247,131072 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1860,i,2489698634704597396,17133406173367134247,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1652

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3364

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Users\Admin\Desktop\esegs\loader.exe
"C:\Users\Admin\Desktop\esegs\loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3068
- C:\Users\Admin\AppData\Local\Temp\onefile_3068_133542213470093270\loader.exe
  "C:\Users\Admin\Desktop\esegs\loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start tos.exe"
    3⤵
    PID:828
  - - C:\Users\Admin\Desktop\esegs\tos.exe
      tos.exe
      4⤵
      Executes dropped EXE
      PID:3692
    - - C:\Users\Admin\AppData\Local\Temp\onefile_3692_133542213498708977\main.exe
        
        tos.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Looks for VirtualBox drivers on disk
        Looks for VMWare drivers on disk
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        
        PID:3804
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:3872
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title .gg/violators
        6⤵
        
        PID:644
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title .gg/violators
        6⤵
        
        PID:2576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:3304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cls"
        6⤵
        
        PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

File and Directory Discovery

T1083

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion