amadey | 2c41808826974a0fdd3c7b27850143cad077a79e0cf69c011da495d6abee679a

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2V4056.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	defnur.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1w92M4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2968-1396-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/2968-1394-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/2968-1400-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/2968-1401-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/2968-1399-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/2968-1398-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/2968-1397-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/2968-1393-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig
behavioral1/memory/2968-1403-0x0000000140000000-0x00000001408F7000-memory.dmp	xmrig

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 3 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
1660	chrome.exe
2520	chrome.exe
3928	chrome.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	defnur.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1w92M4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2V4056.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	defnur.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1w92M4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2V4056.exe

Executes dropped EXE 8 IoCs

pid	Process
2144	defnur.exe
1700	game.exe
2496	t6i26.exe
1488	P2Q98.exe
2356	1w92M4.exe
2672	skotes.exe
2580	2V4056.exe
712	r5mqFEC.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	2V4056.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	defnur.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	1w92M4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	skotes.exe

Loads dropped DLL 18 IoCs

pid	Process
2380	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe
2144	defnur.exe
1700	game.exe
1700	game.exe
2496	t6i26.exe
2496	t6i26.exe
1488	P2Q98.exe
1488	P2Q98.exe
1488	P2Q98.exe
2356	1w92M4.exe
2356	1w92M4.exe
2356	1w92M4.exe
2672	skotes.exe
1488	P2Q98.exe
2580	2V4056.exe
2672	skotes.exe
2672	skotes.exe
712	r5mqFEC.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	game.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	t6i26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	P2Q98.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001c8c8-1176.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3564	tasklist.exe
3684	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2380	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe
2144	defnur.exe
2356	1w92M4.exe
2672	skotes.exe
2580	2V4056.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2968-1390-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/2968-1396-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/2968-1394-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/2968-1400-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/2968-1401-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/2968-1399-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/2968-1398-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/2968-1397-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/2968-1393-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/2968-1392-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/2968-1391-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/2968-1389-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/2968-1388-0x0000000140000000-0x00000001408F7000-memory.dmp	upx
behavioral1/memory/2968-1403-0x0000000140000000-0x00000001408F7000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\defnur.job	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe
File created	C:\Windows\Tasks\skotes.job	1w92M4.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
316	2252	WerFault.exe	56
1580	568	WerFault.exe	100
4648	2204	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	defnur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t6i26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r5mqFEC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	P2Q98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1w92M4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2V4056.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3092	cmd.exe
3156	PING.EXE
3124	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2676	taskkill.exe
3096	taskkill.exe
2336	taskkill.exe
4064	taskkill.exe
2496	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3156	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2380	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe
2144	defnur.exe
1796	chrome.exe
1796	chrome.exe
2356	1w92M4.exe
2672	skotes.exe
2580	2V4056.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe
Token: SeShutdownPrivilege	1796	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2380	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
2356	1w92M4.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe
1796	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2144	2380	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe	30
PID 2380 wrote to memory of 2144	2380	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe	30
PID 2380 wrote to memory of 2144	2380	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe	30
PID 2380 wrote to memory of 2144	2380	94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe	30
PID 1796 wrote to memory of 1916	1796	chrome.exe	33
PID 1796 wrote to memory of 1916	1796	chrome.exe	33
PID 1796 wrote to memory of 1916	1796	chrome.exe	33
PID 2144 wrote to memory of 1700	2144	defnur.exe	34
PID 2144 wrote to memory of 1700	2144	defnur.exe	34
PID 2144 wrote to memory of 1700	2144	defnur.exe	34
PID 2144 wrote to memory of 1700	2144	defnur.exe	34
PID 2144 wrote to memory of 1700	2144	defnur.exe	34
PID 2144 wrote to memory of 1700	2144	defnur.exe	34
PID 2144 wrote to memory of 1700	2144	defnur.exe	34
PID 1700 wrote to memory of 2496	1700	game.exe	86
PID 1700 wrote to memory of 2496	1700	game.exe	86
PID 1700 wrote to memory of 2496	1700	game.exe	86
PID 1700 wrote to memory of 2496	1700	game.exe	86
PID 1700 wrote to memory of 2496	1700	game.exe	86
PID 1700 wrote to memory of 2496	1700	game.exe	86
PID 1700 wrote to memory of 2496	1700	game.exe	86
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 316	1796	chrome.exe	57
PID 1796 wrote to memory of 1300	1796	chrome.exe	38
PID 1796 wrote to memory of 1300	1796	chrome.exe	38
PID 1796 wrote to memory of 1300	1796	chrome.exe	38
PID 1796 wrote to memory of 2192	1796	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe
"C:\Users\Admin\AppData\Local\Temp\94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
  "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\10006070101\game.exe
    "C:\Users\Admin\AppData\Local\Temp\10006070101\game.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6i26.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t6i26.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\P2Q98.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\P2Q98.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1488
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1w92M4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1w92M4.exe
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\1008757001\r5mqFEC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1008757001\r5mqFEC.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\1008825001\boARaXv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1008825001\boARaXv.exe"
        8⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\1008835001\0fVlNye.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1008835001\0fVlNye.exe"
        8⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd
        9⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        10⤵
        Enumerates processes with tasklist
        
        PID:3564
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        10⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        10⤵
        Enumerates processes with tasklist
        
        PID:3684
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        10⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 29442
        10⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
        10⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
        
        Reynolds.com l
        10⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
        
        C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
        11⤵
        
        PID:1660
        
        C:\Windows\explorer.exe
        
        explorer.exe
        12⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        10⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\1008836001\f5975b45f5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1008836001\f5975b45f5.exe"
        8⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\1008837001\9e5240a0ff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1008837001\9e5240a0ff.exe"
        8⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\1008838001\f7a9257d0d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1008838001\f7a9257d0d.exe"
        8⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        9⤵
        Kills process with taskkill
        
        PID:4064
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        9⤵
        Kills process with taskkill
        
        PID:2496
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        9⤵
        Kills process with taskkill
        
        PID:2676
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        9⤵
        Kills process with taskkill
        
        PID:3096
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        9⤵
        Kills process with taskkill
        
        PID:2336
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        9⤵
        
        PID:1752
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        10⤵
        
        PID:2480
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.0.1548060174\741982204" -parentBuildID 20221007134813 -prefsHandle 1252 -prefMapHandle 1244 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76615846-9a9e-4cec-ac57-94f03e8305e8} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 1384 4205c58 gpu
        11⤵
        
        PID:3504
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.1.93229630\1712368254" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9b05fab-de43-48c1-95fb-9b05df24972a} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 1560 42d2e58 socket
        11⤵
        
        PID:3560
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.2.279460113\305871277" -childID 1 -isForBrowser -prefsHandle 1996 -prefMapHandle 1992 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 624 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92f7c745-cb74-487f-bdd8-5dfbf8bbaafd} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 2008 18e8eb58 tab
        11⤵
        
        PID:3668
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.3.1383010740\1910163107" -childID 2 -isForBrowser -prefsHandle 820 -prefMapHandle 812 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 624 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4de26b79-5bf3-4105-9610-7d1a9c76e2a2} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 2636 2663c58 tab
        11⤵
        
        PID:3796
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.4.1635694104\577685896" -childID 3 -isForBrowser -prefsHandle 3800 -prefMapHandle 3736 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 624 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c456a9ad-9396-4f84-807d-6b46d775608f} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 3804 1f9a3f58 tab
        11⤵
        
        PID:2192
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.5.64607426\1552309581" -childID 4 -isForBrowser -prefsHandle 3932 -prefMapHandle 3832 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 624 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc356ef1-be5c-4552-98b4-fdf688859878} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 3920 1fbca258 tab
        11⤵
        
        PID:468
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.6.274210546\297367550" -childID 5 -isForBrowser -prefsHandle 4112 -prefMapHandle 4116 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 624 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3763241c-6759-4611-93ae-21c6f980b93c} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 4100 1fbc7e58 tab
        11⤵
        
        PID:1684
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.7.635395111\1566704118" -childID 6 -isForBrowser -prefsHandle 2344 -prefMapHandle 2360 -prefsLen 27496 -prefMapSize 233444 -jsInitHandle 624 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {952cfb3e-c26f-407f-8c64-c0b4b9ec387b} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 2348 4204458 tab
        11⤵
        
        PID:5108
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2480.8.10909025\48422212" -childID 7 -isForBrowser -prefsHandle 3128 -prefMapHandle 4288 -prefsLen 27496 -prefMapSize 233444 -jsInitHandle 624 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {01d56934-0e3b-4e13-9844-a1dcc9be6e0e} 2480 "\\.\pipe\gecko-crash-server-pipe.2480" 3644 2148eb58 tab
        11⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\1008839001\75caf2a5f6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1008839001\75caf2a5f6.exe"
        8⤵
        
        PID:568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 792
        9⤵
        Program crash
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\1008840001\5aea242490.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1008840001\5aea242490.exe"
        8⤵
        
        PID:2204
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
        9⤵
        Uses browser remote debugging
        
        PID:1660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x12c,0x130,0x134,0x100,0x138,0x7fef6a59758,0x7fef6a59768,0x7fef6a59778
        10⤵
        
        PID:3576
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        10⤵
        
        PID:2568
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1372,i,2388585127110619403,1721599029846846274,131072 /prefetch:2
        10⤵
        
        PID:3368
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1372,i,2388585127110619403,1721599029846846274,131072 /prefetch:8
        10⤵
        
        PID:3204
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1372,i,2388585127110619403,1721599029846846274,131072 /prefetch:8
        10⤵
        
        PID:3200
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2308 --field-trial-handle=1372,i,2388585127110619403,1721599029846846274,131072 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:2520
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1372,i,2388585127110619403,1721599029846846274,131072 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:3928
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1108 --field-trial-handle=1372,i,2388585127110619403,1721599029846846274,131072 /prefetch:2
        10⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        9⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 792
        9⤵
        Program crash
        
        PID:4648
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V4056.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2V4056.exe
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3V23A.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3V23A.exe
        5⤵
        
        PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4d869h.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4d869h.exe
      4⤵
      PID:2252
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 796
        5⤵
        Program crash
        
        PID:316
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
    3⤵
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\10006390101\afbe999266.exe
    "C:\Users\Admin\AppData\Local\Temp\10006390101\afbe999266.exe"
    3⤵
    PID:1008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\kreon.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3092
    - - C:\Windows\system32\cmd.exe
        
        cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\kreon.exe"
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3124
      - C:\Windows\system32\PING.EXE
        
        ping localhost -n 1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3156
      - C:\Users\Admin\AppData\Local\kreon.exe
        
        C:\Users\Admin\AppData\Local\kreon.exe
        6⤵
        
        PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d39758,0x7fef6d39768,0x7fef6d39778
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1384,i,308567433868923330,3330938541399027993,131072 /prefetch:2
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1384,i,308567433868923330,3330938541399027993,131072 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1384,i,308567433868923330,3330938541399027993,131072 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2260 --field-trial-handle=1384,i,308567433868923330,3330938541399027993,131072 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1384,i,308567433868923330,3330938541399027993,131072 /prefetch:1
  2⤵
  PID:356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1228 --field-trial-handle=1384,i,308567433868923330,3330938541399027993,131072 /prefetch:2
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1408 --field-trial-handle=1384,i,308567433868923330,3330938541399027993,131072 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1384,i,308567433868923330,3330938541399027993,131072 /prefetch:8
  2⤵
  PID:2120

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2356

C:\Windows\system32\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\Admin\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit
1⤵
PID:3976

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4100

C:\Windows\system32\taskeng.exe
taskeng.exe {A4CC773B-C832-4791-8E2A-195844AD5966} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
PID:4716
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  PID:4748
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Modify Authentication Process

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion