amadey | 10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RoamingDHJDAFIEHI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RoamingEGIDAAFIEH.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorti.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RoamingDHJDAFIEHI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RoamingDHJDAFIEHI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RoamingEGIDAAFIEH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RoamingEGIDAAFIEH.exe

Executes dropped EXE 25 IoCs

pid	Process
2616	RoamingDHJDAFIEHI.exe
1392	axplong.exe
2972	RoamingEGIDAAFIEH.exe
944	explorti.exe
1536	5c1652fdc7.exe
2248	46c495a478.exe
3484	build.exe
1492	stub.exe
3672	crypted.exe
3504	5447jsX.exe
3840	crypteda.exe
3484	2.exe
3240	svhosts.exe
1684	25072023.exe
3652	pered.exe
1892	pered.exe
1800	2020.exe
3400	2020.exe
3476	4ck3rr.exe
3032	gawdth.exe
1588	clamer.exe
1576	lofsawd.exe
3584	ldx111.exe
6400	ldx111.exe
6524	bvtsncr.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Wine	RoamingEGIDAAFIEH.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Wine	explorti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Wine	RoamingDHJDAFIEHI.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Wine	axplong.exe

Loads dropped DLL 55 IoCs

pid	Process
2528	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe
2528	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe
2648	cmd.exe
2616	RoamingDHJDAFIEHI.exe
2848	cmd.exe
2972	RoamingEGIDAAFIEH.exe
944	explorti.exe
944	explorti.exe
944	explorti.exe
944	explorti.exe
1392	axplong.exe
3484	build.exe
1492	stub.exe
1392	axplong.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
1392	axplong.exe
1392	axplong.exe
3836	WerFault.exe
3836	WerFault.exe
3836	WerFault.exe
1392	axplong.exe
1392	axplong.exe
2968	WerFault.exe
2968	WerFault.exe
2968	WerFault.exe
1392	axplong.exe
1392	axplong.exe
1392	axplong.exe
1392	axplong.exe
1392	axplong.exe
3664	WerFault.exe
3664	WerFault.exe
3664	WerFault.exe
1392	axplong.exe
3652	pered.exe
1892	pered.exe
1892	pered.exe
1892	pered.exe
1892	pered.exe
1892	pered.exe
1892	pered.exe
1892	pered.exe
1264	Process not Found
1264	Process not Found
1392	axplong.exe
1800	2020.exe
3400	2020.exe
1392	axplong.exe
1264	Process not Found
1392	axplong.exe
3916	cmd.exe
1392	axplong.exe
3584	ldx111.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\5c1652fdc7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000002001\\5c1652fdc7.exe"	explorti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\46c495a478.exe = "C:\\Users\\Admin\\1000003002\\46c495a478.exe"	explorti.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2616	RoamingDHJDAFIEHI.exe
1392	axplong.exe
2972	RoamingEGIDAAFIEH.exe
944	explorti.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3584 set thread context of 6400	3584	ldx111.exe	99

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	RoamingDHJDAFIEHI.exe
File created	C:\Windows\Tasks\explorti.job	RoamingEGIDAAFIEH.exe
File created	C:\Windows\Tasks\Test Task17.job	lofsawd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000600000001a84d-744.dat	pyinstaller
behavioral1/files/0x000400000001ccb1-889.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2956	3672	WerFault.exe	67
3836	3504	WerFault.exe	69
2968	3840	WerFault.exe	72
3664	3240	WerFault.exe	76

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RoamingDHJDAFIEHI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c1652fdc7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25072023.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RoamingEGIDAAFIEH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5447jsX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ck3rr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46c495a478.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lofsawd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldx111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvtsncr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2872	timeout.exe
2188	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	25072023.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	25072023.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	axplong.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2528	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe
2616	RoamingDHJDAFIEHI.exe
1392	axplong.exe
2528	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe
2972	RoamingEGIDAAFIEH.exe
944	explorti.exe
2796	chrome.exe
2796	chrome.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
1684	25072023.exe
3476	4ck3rr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	firefox.exe
Token: SeDebugPrivilege	2080	firefox.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
2616	RoamingDHJDAFIEHI.exe
2972	RoamingEGIDAAFIEH.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2080	firefox.exe
2080	firefox.exe
2080	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2648	2528	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe	32
PID 2528 wrote to memory of 2648	2528	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe	32
PID 2528 wrote to memory of 2648	2528	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe	32
PID 2528 wrote to memory of 2648	2528	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe	32
PID 2648 wrote to memory of 2616	2648	cmd.exe	34
PID 2648 wrote to memory of 2616	2648	cmd.exe	34
PID 2648 wrote to memory of 2616	2648	cmd.exe	34
PID 2648 wrote to memory of 2616	2648	cmd.exe	34
PID 2616 wrote to memory of 1392	2616	RoamingDHJDAFIEHI.exe	35
PID 2616 wrote to memory of 1392	2616	RoamingDHJDAFIEHI.exe	35
PID 2616 wrote to memory of 1392	2616	RoamingDHJDAFIEHI.exe	35
PID 2616 wrote to memory of 1392	2616	RoamingDHJDAFIEHI.exe	35
PID 2528 wrote to memory of 2848	2528	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe	36
PID 2528 wrote to memory of 2848	2528	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe	36
PID 2528 wrote to memory of 2848	2528	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe	36
PID 2528 wrote to memory of 2848	2528	10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe	36
PID 2848 wrote to memory of 2972	2848	cmd.exe	38
PID 2848 wrote to memory of 2972	2848	cmd.exe	38
PID 2848 wrote to memory of 2972	2848	cmd.exe	38
PID 2848 wrote to memory of 2972	2848	cmd.exe	38
PID 2972 wrote to memory of 944	2972	RoamingEGIDAAFIEH.exe	39
PID 2972 wrote to memory of 944	2972	RoamingEGIDAAFIEH.exe	39
PID 2972 wrote to memory of 944	2972	RoamingEGIDAAFIEH.exe	39
PID 2972 wrote to memory of 944	2972	RoamingEGIDAAFIEH.exe	39
PID 944 wrote to memory of 1536	944	explorti.exe	41
PID 944 wrote to memory of 1536	944	explorti.exe	41
PID 944 wrote to memory of 1536	944	explorti.exe	41
PID 944 wrote to memory of 1536	944	explorti.exe	41
PID 944 wrote to memory of 2248	944	explorti.exe	42
PID 944 wrote to memory of 2248	944	explorti.exe	42
PID 944 wrote to memory of 2248	944	explorti.exe	42
PID 944 wrote to memory of 2248	944	explorti.exe	42
PID 2248 wrote to memory of 3060	2248	46c495a478.exe	59
PID 2248 wrote to memory of 3060	2248	46c495a478.exe	59
PID 2248 wrote to memory of 3060	2248	46c495a478.exe	59
PID 2248 wrote to memory of 3060	2248	46c495a478.exe	59
PID 3060 wrote to memory of 2796	3060	cmd.exe	45
PID 3060 wrote to memory of 2796	3060	cmd.exe	45
PID 3060 wrote to memory of 2796	3060	cmd.exe	45
PID 3060 wrote to memory of 2936	3060	cmd.exe	46
PID 3060 wrote to memory of 2936	3060	cmd.exe	46
PID 3060 wrote to memory of 2936	3060	cmd.exe	46
PID 2936 wrote to memory of 2080	2936	firefox.exe	47
PID 2936 wrote to memory of 2080	2936	firefox.exe	47
PID 2936 wrote to memory of 2080	2936	firefox.exe	47
PID 2936 wrote to memory of 2080	2936	firefox.exe	47
PID 2936 wrote to memory of 2080	2936	firefox.exe	47
PID 2936 wrote to memory of 2080	2936	firefox.exe	47
PID 2936 wrote to memory of 2080	2936	firefox.exe	47
PID 2936 wrote to memory of 2080	2936	firefox.exe	47
PID 2936 wrote to memory of 2080	2936	firefox.exe	47
PID 2936 wrote to memory of 2080	2936	firefox.exe	47
PID 2936 wrote to memory of 2080	2936	firefox.exe	47
PID 2936 wrote to memory of 2080	2936	firefox.exe	47
PID 2796 wrote to memory of 2940	2796	chrome.exe	48
PID 2796 wrote to memory of 2940	2796	chrome.exe	48
PID 2796 wrote to memory of 2940	2796	chrome.exe	48
PID 2080 wrote to memory of 2432	2080	firefox.exe	50
PID 2080 wrote to memory of 2432	2080	firefox.exe	50
PID 2080 wrote to memory of 2432	2080	firefox.exe	50
PID 2080 wrote to memory of 1916	2080	firefox.exe	51
PID 2080 wrote to memory of 1916	2080	firefox.exe	51
PID 2080 wrote to memory of 1916	2080	firefox.exe	51
PID 2080 wrote to memory of 1916	2080	firefox.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe
"C:\Users\Admin\AppData\Local\Temp\10db0258fb84c3d7ee659a64eda64c552f234e7377adac19af9bb2fb117b120a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingDHJDAFIEHI.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\RoamingDHJDAFIEHI.exe
    "C:\Users\Admin\AppData\RoamingDHJDAFIEHI.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:1392
    - - C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3484
      - C:\Users\Admin\AppData\Local\Temp\onefile_3484_133664203370507000\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3672
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 108
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\1000003001\5447jsX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\5447jsX.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 64
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:3836
    - - C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3840
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 64
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe"
        5⤵
        Executes dropped EXE
        
        PID:3484
    - - C:\Users\Admin\AppData\Local\Temp\1000006001\svhosts.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\svhosts.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3240
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 64
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:3664
    - - C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3652
      - C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3400
    - - C:\Users\Admin\AppData\Local\Temp\1000013001\4ck3rr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000013001\4ck3rr.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3476
    - - C:\Users\Admin\AppData\Local\Temp\1000014001\gawdth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000014001\gawdth.exe"
        5⤵
        Executes dropped EXE
        
        PID:3032
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
        6⤵
        Loads dropped DLL
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
        
        clamer.exe -priverdD
        7⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1576
    - - C:\Users\Admin\AppData\Local\Temp\1000016001\ldx111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000016001\ldx111.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3584
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 10
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2872
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 10
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 10
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2188
      - C:\Users\Admin\AppData\Local\Temp\1000016001\ldx111.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000016001\ldx111.exe"
        6⤵
        Executes dropped EXE
        
        PID:6400
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\RoamingEGIDAAFIEH.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\RoamingEGIDAAFIEH.exe
    "C:\Users\Admin\AppData\RoamingEGIDAAFIEH.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Users\Admin\AppData\Local\Temp\1000002001\5c1652fdc7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\5c1652fdc7.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1536
    - - C:\Users\Admin\1000003002\46c495a478.exe
        
        "C:\Users\Admin\1000003002\46c495a478.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\83B.tmp\83C.tmp\83D.bat C:\Users\Admin\1000003002\46c495a478.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
        7⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6729758,0x7fef6729768,0x7fef6729778
        8⤵
        
        PID:2940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1384,i,17480672592299963125,7328302454912856409,131072 /prefetch:2
        8⤵
        
        PID:1144
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1384,i,17480672592299963125,7328302454912856409,131072 /prefetch:8
        8⤵
        
        PID:1812
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1384,i,17480672592299963125,7328302454912856409,131072 /prefetch:8
        8⤵
        
        PID:2532
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2208 --field-trial-handle=1384,i,17480672592299963125,7328302454912856409,131072 /prefetch:1
        8⤵
        
        PID:1228
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2216 --field-trial-handle=1384,i,17480672592299963125,7328302454912856409,131072 /prefetch:1
        8⤵
        
        PID:1744
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2948 --field-trial-handle=1384,i,17480672592299963125,7328302454912856409,131072 /prefetch:1
        8⤵
        
        PID:3900
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2992 --field-trial-handle=1384,i,17480672592299963125,7328302454912856409,131072 /prefetch:2
        8⤵
        
        PID:3920
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.0.1094158603\1305299005" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1128 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fee875db-3f3b-4a3f-81d9-ef9730cebb88} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 1292 108f7c58 gpu
        9⤵
        
        PID:2432
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.1.817789852\708973087" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78b8bdfe-278a-4dc0-9fd2-c7c48f2f1b29} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 1516 40f2858 socket
        9⤵
        
        PID:1916
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.2.2094341937\582456437" -childID 1 -isForBrowser -prefsHandle 2008 -prefMapHandle 1852 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 652 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68dc6d42-54e6-477a-87bb-5e733a56ce2b} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 2064 18782858 tab
        9⤵
        
        PID:2700
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.3.545639526\846381648" -childID 2 -isForBrowser -prefsHandle 2608 -prefMapHandle 2604 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 652 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d354ea3-bae2-4391-9312-b875a4cb2ca1} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 2624 d68758 tab
        9⤵
        
        PID:3060
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.4.812471210\1404048998" -childID 3 -isForBrowser -prefsHandle 3552 -prefMapHandle 3748 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 652 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38deb707-7eac-4096-8ef6-0d8a87349012} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3852 20416b58 tab
        9⤵
        
        PID:3948
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.5.1253312724\57295296" -childID 4 -isForBrowser -prefsHandle 3952 -prefMapHandle 3956 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 652 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afa96214-6ad4-4489-a959-eb3306450764} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3940 20988258 tab
        9⤵
        
        PID:3956
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.6.1366608890\1537483664" -childID 5 -isForBrowser -prefsHandle 4120 -prefMapHandle 4124 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 652 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {601a9a8b-27ff-4205-b8b9-8d11b4388007} 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 4108 20988e58 tab
        9⤵
        
        PID:3968

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2068

C:\Windows\system32\taskeng.exe
taskeng.exe {8C4CAF5C-FCE8-4609-A1A4-78EC8C0D8D8B} S-1-5-21-2660163958-4080398480-1122754539-1000:FCNAHWEI\Admin:Interactive:[1]
1⤵
PID:6492
- C:\ProgramData\bgmbng\bvtsncr.exe
  C:\ProgramData\bgmbng\bvtsncr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion