amadey | 8896bb6c5d1a3e0afae8143e4520676f72feae12c7b23b600e7b689d5e7c54a2

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	5d60497ec0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5d60497ec0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	4o587L.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	4o587L.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	4o587L.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	4o587L.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	5d60497ec0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	5d60497ec0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	5d60497ec0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	4o587L.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	4o587L.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d29a5547d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4o587L.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0f0ac6eb56.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5d60497ec0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a846bc2230.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1k74W5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2f4472.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3Y27V.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 12 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
1968	chrome.exe
6280	chrome.exe
5148	msedge.exe
1872	msedge.exe
2904	chrome.exe
4548	chrome.exe
6624	chrome.exe
5864	msedge.exe
5860	msedge.exe
6736	msedge.exe
5476	chrome.exe
6268	chrome.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1k74W5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2f4472.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d29a5547d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5d60497ec0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2f4472.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3Y27V.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4o587L.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4o587L.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d29a5547d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5d60497ec0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a846bc2230.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3Y27V.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0f0ac6eb56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a846bc2230.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1k74W5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0f0ac6eb56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	1k74W5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	vvcWObH.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 15 IoCs

pid	Process
3652	e2q73.exe
3332	L0o66.exe
4636	1k74W5.exe
1752	skotes.exe
656	2f4472.exe
3540	vvcWObH.exe
5100	3Y27V.exe
3096	4o587L.exe
4524	0f0ac6eb56.exe
4012	d29a5547d3.exe
4676	c065e5281b.exe
4512	5d60497ec0.exe
6796	a846bc2230.exe
6656	skotes.exe
3668	skotes.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	1k74W5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	5d60497ec0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	0f0ac6eb56.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	d29a5547d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	a846bc2230.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	2f4472.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	3Y27V.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	4o587L.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	4o587L.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	4o587L.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5d60497ec0.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	L0o66.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0f0ac6eb56.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011363001\\0f0ac6eb56.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d29a5547d3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011364001\\d29a5547d3.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c065e5281b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011365001\\c065e5281b.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5d60497ec0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011366001\\5d60497ec0.exe"	skotes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8896bb6c5d1a3e0afae8143e4520676f72feae12c7b23b600e7b689d5e7c54a2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	e2q73.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	api.myip.com
37	api.myip.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000b000000023c0c-154.dat	autoit_exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_adeb6424513f60a2\input.PNF	dxdiag.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF	dxdiag.exe
File created	\??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF	dxdiag.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
4636	1k74W5.exe
656	2f4472.exe
1752	skotes.exe
5100	3Y27V.exe
3096	4o587L.exe
4524	0f0ac6eb56.exe
4012	d29a5547d3.exe
4512	5d60497ec0.exe
6796	a846bc2230.exe
6656	skotes.exe
3668	skotes.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1k74W5.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1088	656	WerFault.exe	87
3928	4524	WerFault.exe	109
2880	4524	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f0ac6eb56.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	c065e5281b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4o587L.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d60497ec0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f4472.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3Y27V.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d29a5547d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c065e5281b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a846bc2230.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8896bb6c5d1a3e0afae8143e4520676f72feae12c7b23b600e7b689d5e7c54a2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L0o66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	c065e5281b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2q73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1k74W5.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dxdiag.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	dxdiag.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
1144	taskkill.exe
6340	taskkill.exe
4420	taskkill.exe
2952	taskkill.exe
3028	taskkill.exe
1668	taskkill.exe
4892	taskkill.exe
4712	taskkill.exe
3280	taskkill.exe
5356	taskkill.exe
5832	taskkill.exe
5872	taskkill.exe

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{820042AB-2051-41D0-950F-1EDC9A591BB5}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045960512-3948844814-3059691613-1000\{89F5E59A-F0F5-4C7A-A657-35554C6FC897}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SYSTEM32\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
4636	1k74W5.exe
4636	1k74W5.exe
656	2f4472.exe
656	2f4472.exe
1752	skotes.exe
1752	skotes.exe
3540	vvcWObH.exe
5100	3Y27V.exe
5100	3Y27V.exe
3096	4o587L.exe
3096	4o587L.exe
1588	dxdiag.exe
1588	dxdiag.exe
4524	0f0ac6eb56.exe
4524	0f0ac6eb56.exe
3096	4o587L.exe
3096	4o587L.exe
4012	d29a5547d3.exe
4012	d29a5547d3.exe
2904	chrome.exe
2904	chrome.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
4512	5d60497ec0.exe
4512	5d60497ec0.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
4512	5d60497ec0.exe
4512	5d60497ec0.exe
4512	5d60497ec0.exe
5476	chrome.exe
5476	chrome.exe
6796	a846bc2230.exe
6796	a846bc2230.exe
5392	msedge.exe
5392	msedge.exe
5360	msedge.exe
5360	msedge.exe
5640	msedge.exe
5640	msedge.exe
5148	msedge.exe
5148	msedge.exe
5864	msedge.exe
5864	msedge.exe
5860	msedge.exe
5860	msedge.exe
1872	msedge.exe
1872	msedge.exe
6736	msedge.exe
6736	msedge.exe
6656	skotes.exe
6656	skotes.exe
3668	skotes.exe
3668	skotes.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3540	vvcWObH.exe
Token: SeIncreaseQuotaPrivilege	3352	WMIC.exe
Token: SeSecurityPrivilege	3352	WMIC.exe
Token: SeTakeOwnershipPrivilege	3352	WMIC.exe
Token: SeLoadDriverPrivilege	3352	WMIC.exe
Token: SeSystemProfilePrivilege	3352	WMIC.exe
Token: SeSystemtimePrivilege	3352	WMIC.exe
Token: SeProfSingleProcessPrivilege	3352	WMIC.exe
Token: SeIncBasePriorityPrivilege	3352	WMIC.exe
Token: SeCreatePagefilePrivilege	3352	WMIC.exe
Token: SeBackupPrivilege	3352	WMIC.exe
Token: SeRestorePrivilege	3352	WMIC.exe
Token: SeShutdownPrivilege	3352	WMIC.exe
Token: SeDebugPrivilege	3352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3352	WMIC.exe
Token: SeRemoteShutdownPrivilege	3352	WMIC.exe
Token: SeUndockPrivilege	3352	WMIC.exe
Token: SeManageVolumePrivilege	3352	WMIC.exe
Token: 33	3352	WMIC.exe
Token: 34	3352	WMIC.exe
Token: 35	3352	WMIC.exe
Token: 36	3352	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3352	WMIC.exe
Token: SeSecurityPrivilege	3352	WMIC.exe
Token: SeTakeOwnershipPrivilege	3352	WMIC.exe
Token: SeLoadDriverPrivilege	3352	WMIC.exe
Token: SeSystemProfilePrivilege	3352	WMIC.exe
Token: SeSystemtimePrivilege	3352	WMIC.exe
Token: SeProfSingleProcessPrivilege	3352	WMIC.exe
Token: SeIncBasePriorityPrivilege	3352	WMIC.exe
Token: SeCreatePagefilePrivilege	3352	WMIC.exe
Token: SeBackupPrivilege	3352	WMIC.exe
Token: SeRestorePrivilege	3352	WMIC.exe
Token: SeShutdownPrivilege	3352	WMIC.exe
Token: SeDebugPrivilege	3352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3352	WMIC.exe
Token: SeRemoteShutdownPrivilege	3352	WMIC.exe
Token: SeUndockPrivilege	3352	WMIC.exe
Token: SeManageVolumePrivilege	3352	WMIC.exe
Token: 33	3352	WMIC.exe
Token: 34	3352	WMIC.exe
Token: 35	3352	WMIC.exe
Token: 36	3352	WMIC.exe
Token: SeDebugPrivilege	3096	4o587L.exe
Token: SeDebugPrivilege	4712	taskkill.exe
Token: SeDebugPrivilege	3280	taskkill.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	3780	firefox.exe
Token: SeDebugPrivilege	3780	firefox.exe
Token: SeDebugPrivilege	5356	taskkill.exe
Token: SeDebugPrivilege	4512	5d60497ec0.exe
Token: SeShutdownPrivilege	5476	chrome.exe
Token: SeCreatePagefilePrivilege	5476	chrome.exe
Token: SeShutdownPrivilege	5476	chrome.exe
Token: SeCreatePagefilePrivilege	5476	chrome.exe
Token: SeShutdownPrivilege	5476	chrome.exe
Token: SeCreatePagefilePrivilege	5476	chrome.exe
Token: SeShutdownPrivilege	5476	chrome.exe
Token: SeCreatePagefilePrivilege	5476	chrome.exe
Token: SeShutdownPrivilege	5476	chrome.exe
Token: SeCreatePagefilePrivilege	5476	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4676	c065e5281b.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
2904	chrome.exe
4676	c065e5281b.exe
2904	chrome.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
5476	chrome.exe
5476	chrome.exe
5148	msedge.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
4676	c065e5281b.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
3780	firefox.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
4676	c065e5281b.exe
4676	c065e5281b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1588	dxdiag.exe
3780	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 3652	2940	8896bb6c5d1a3e0afae8143e4520676f72feae12c7b23b600e7b689d5e7c54a2N.exe	83
PID 2940 wrote to memory of 3652	2940	8896bb6c5d1a3e0afae8143e4520676f72feae12c7b23b600e7b689d5e7c54a2N.exe	83
PID 2940 wrote to memory of 3652	2940	8896bb6c5d1a3e0afae8143e4520676f72feae12c7b23b600e7b689d5e7c54a2N.exe	83
PID 3652 wrote to memory of 3332	3652	e2q73.exe	84
PID 3652 wrote to memory of 3332	3652	e2q73.exe	84
PID 3652 wrote to memory of 3332	3652	e2q73.exe	84
PID 3332 wrote to memory of 4636	3332	L0o66.exe	85
PID 3332 wrote to memory of 4636	3332	L0o66.exe	85
PID 3332 wrote to memory of 4636	3332	L0o66.exe	85
PID 4636 wrote to memory of 1752	4636	1k74W5.exe	86
PID 4636 wrote to memory of 1752	4636	1k74W5.exe	86
PID 4636 wrote to memory of 1752	4636	1k74W5.exe	86
PID 3332 wrote to memory of 656	3332	L0o66.exe	87
PID 3332 wrote to memory of 656	3332	L0o66.exe	87
PID 3332 wrote to memory of 656	3332	L0o66.exe	87
PID 1752 wrote to memory of 3540	1752	skotes.exe	97
PID 1752 wrote to memory of 3540	1752	skotes.exe	97
PID 3540 wrote to memory of 2388	3540	vvcWObH.exe	101
PID 3540 wrote to memory of 2388	3540	vvcWObH.exe	101
PID 2388 wrote to memory of 3352	2388	cmd.exe	103
PID 2388 wrote to memory of 3352	2388	cmd.exe	103
PID 3652 wrote to memory of 5100	3652	e2q73.exe	104
PID 3652 wrote to memory of 5100	3652	e2q73.exe	104
PID 3652 wrote to memory of 5100	3652	e2q73.exe	104
PID 3540 wrote to memory of 1588	3540	vvcWObH.exe	105
PID 3540 wrote to memory of 1588	3540	vvcWObH.exe	105
PID 2940 wrote to memory of 3096	2940	8896bb6c5d1a3e0afae8143e4520676f72feae12c7b23b600e7b689d5e7c54a2N.exe	106
PID 2940 wrote to memory of 3096	2940	8896bb6c5d1a3e0afae8143e4520676f72feae12c7b23b600e7b689d5e7c54a2N.exe	106
PID 2940 wrote to memory of 3096	2940	8896bb6c5d1a3e0afae8143e4520676f72feae12c7b23b600e7b689d5e7c54a2N.exe	106
PID 1752 wrote to memory of 4524	1752	skotes.exe	109
PID 1752 wrote to memory of 4524	1752	skotes.exe	109
PID 1752 wrote to memory of 4524	1752	skotes.exe	109
PID 1752 wrote to memory of 4012	1752	skotes.exe	116
PID 1752 wrote to memory of 4012	1752	skotes.exe	116
PID 1752 wrote to memory of 4012	1752	skotes.exe	116
PID 1752 wrote to memory of 4676	1752	skotes.exe	117
PID 1752 wrote to memory of 4676	1752	skotes.exe	117
PID 1752 wrote to memory of 4676	1752	skotes.exe	117
PID 4676 wrote to memory of 4712	4676	c065e5281b.exe	123
PID 4676 wrote to memory of 4712	4676	c065e5281b.exe	123
PID 4676 wrote to memory of 4712	4676	c065e5281b.exe	123
PID 3540 wrote to memory of 3280	3540	vvcWObH.exe	125
PID 3540 wrote to memory of 3280	3540	vvcWObH.exe	125
PID 3540 wrote to memory of 2904	3540	vvcWObH.exe	127
PID 3540 wrote to memory of 2904	3540	vvcWObH.exe	127
PID 2904 wrote to memory of 3652	2904	chrome.exe	128
PID 2904 wrote to memory of 3652	2904	chrome.exe	128
PID 2904 wrote to memory of 2120	2904	chrome.exe	129
PID 2904 wrote to memory of 2120	2904	chrome.exe	129
PID 2904 wrote to memory of 3592	2904	chrome.exe	130
PID 2904 wrote to memory of 3592	2904	chrome.exe	130
PID 2904 wrote to memory of 3156	2904	chrome.exe	131
PID 2904 wrote to memory of 3156	2904	chrome.exe	131
PID 2904 wrote to memory of 4548	2904	chrome.exe	132
PID 2904 wrote to memory of 4548	2904	chrome.exe	132
PID 2904 wrote to memory of 1968	2904	chrome.exe	133
PID 2904 wrote to memory of 1968	2904	chrome.exe	133
PID 4676 wrote to memory of 4420	4676	c065e5281b.exe	134
PID 4676 wrote to memory of 4420	4676	c065e5281b.exe	134
PID 4676 wrote to memory of 4420	4676	c065e5281b.exe	134
PID 4676 wrote to memory of 2952	4676	c065e5281b.exe	138
PID 4676 wrote to memory of 2952	4676	c065e5281b.exe	138
PID 4676 wrote to memory of 2952	4676	c065e5281b.exe	138
PID 4676 wrote to memory of 3028	4676	c065e5281b.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8896bb6c5d1a3e0afae8143e4520676f72feae12c7b23b600e7b689d5e7c54a2N.exe
"C:\Users\Admin\AppData\Local\Temp\8896bb6c5d1a3e0afae8143e4520676f72feae12c7b23b600e7b689d5e7c54a2N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e2q73.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e2q73.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\L0o66.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\L0o66.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1k74W5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1k74W5.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4636
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c wmic path win32_videocontroller get caption
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_videocontroller get caption
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3352
        
        C:\Windows\SYSTEM32\dxdiag.exe
        
        "dxdiag" /t C:\Users\Admin\AppData\Local\Temp\dxdiag.txt
        7⤵
        Drops file in System32 directory
        Checks SCSI registry key(s)
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SYSTEM32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3280
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=16630 --profile-directory="Default" --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb384bcc40,0x7ffb384bcc4c,0x7ffb384bcc58
        8⤵
        
        PID:3652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1748,i,2272495318656064496,11189506106874561400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1740 /prefetch:2
        8⤵
        
        PID:2120
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1880,i,2272495318656064496,11189506106874561400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1876 /prefetch:3
        8⤵
        
        PID:3592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=2032,i,2272495318656064496,11189506106874561400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:8
        8⤵
        
        PID:3156
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=16630 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2904,i,2272495318656064496,11189506106874561400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2924 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=16630 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2940,i,2272495318656064496,11189506106874561400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2964 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1968
        
        C:\Windows\SYSTEM32\taskkill.exe
        
        "taskkill" /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5356
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe" --remote-debugging-port=13817 --profile-directory="Default" --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:5476
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb23b2cc40,0x7ffb23b2cc4c,0x7ffb23b2cc58
        8⤵
        
        PID:5492
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1832,i,9182300557105319082,10962612480020825465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1828 /prefetch:2
        8⤵
        
        PID:5916
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --no-appcompat-clear --field-trial-handle=1844,i,9182300557105319082,10962612480020825465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1972 /prefetch:3
        8⤵
        
        PID:5924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --no-appcompat-clear --field-trial-handle=2116,i,9182300557105319082,10962612480020825465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2324 /prefetch:8
        8⤵
        
        PID:5984
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=13817 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2936,i,9182300557105319082,10962612480020825465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2952 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6268
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=13817 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2956,i,9182300557105319082,10962612480020825465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2976 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6280
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --no-sandbox --remote-debugging-port=13817 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4092,i,9182300557105319082,10962612480020825465,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4076 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6624
        
        C:\Windows\SYSTEM32\taskkill.exe
        
        "taskkill" /F /IM msedge.exe
        7⤵
        Kills process with taskkill
        
        PID:4892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:/Program Files (x86)/Microsoft/Edge/Application/msedge.exe" --remote-debugging-port=11986 --profile-directory="Default" --remote-allow-origins=* --window-position=10000,10000 --window-size=1,1 --disable-gpu --no-sandbox
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:5148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb231446f8,0x7ffb23144708,0x7ffb23144718
        8⤵
        
        PID:5164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3371283286643708990,9217412396627180900,131072 --no-sandbox --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2096 /prefetch:2
        8⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,3371283286643708990,9217412396627180900,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2148 /prefetch:3
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,3371283286643708990,9217412396627180900,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --mojo-platform-channel-handle=2628 /prefetch:8
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=11986 --field-trial-handle=2084,3371283286643708990,9217412396627180900,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        8⤵
        Uses browser remote debugging
        Suspicious behavior: EnumeratesProcesses
        
        PID:5860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=11986 --field-trial-handle=2084,3371283286643708990,9217412396627180900,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
        8⤵
        Uses browser remote debugging
        Suspicious behavior: EnumeratesProcesses
        
        PID:5864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=11986 --field-trial-handle=2084,3371283286643708990,9217412396627180900,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
        8⤵
        Uses browser remote debugging
        Suspicious behavior: EnumeratesProcesses
        
        PID:6736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --remote-debugging-port=11986 --field-trial-handle=2084,3371283286643708990,9217412396627180900,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
        8⤵
        Uses browser remote debugging
        Suspicious behavior: EnumeratesProcesses
        
        PID:1872
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C taskkill /F /IM firefox.exe
        7⤵
        
        PID:3284
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM firefox.exe
        8⤵
        Kills process with taskkill
        
        PID:5832
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C taskkill /F /IM firefox.exe
        7⤵
        
        PID:5128
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM firefox.exe
        8⤵
        Kills process with taskkill
        
        PID:5872
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C taskkill /F /IM Firefox.exe
        7⤵
        
        PID:5620
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Firefox.exe
        8⤵
        Kills process with taskkill
        
        PID:1144
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C taskkill /F /IM Firefox.exe
        7⤵
        
        PID:6060
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM Firefox.exe
        8⤵
        Kills process with taskkill
        
        PID:6340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe"
        7⤵
        
        PID:6120
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 1
        8⤵
        
        PID:6568
      - C:\Users\Admin\AppData\Local\Temp\1011363001\0f0ac6eb56.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011363001\0f0ac6eb56.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1684
        7⤵
        Program crash
        
        PID:3928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1680
        7⤵
        Program crash
        
        PID:2880
      - C:\Users\Admin\AppData\Local\Temp\1011364001\d29a5547d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011364001\d29a5547d3.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4012
      - C:\Users\Admin\AppData\Local\Temp\1011365001\c065e5281b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011365001\c065e5281b.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:784
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3780
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3e0e004-9259-42d7-b0aa-fb3225accb8b} 3780 "\\.\pipe\gecko-crash-server-pipe.3780" gpu
        9⤵
        
        PID:5048
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07d77683-04fa-473e-89de-7e59c6a2fba2} 3780 "\\.\pipe\gecko-crash-server-pipe.3780" socket
        9⤵
        
        PID:3928
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 3292 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b28e24d6-734a-4ed5-837f-ef7a313d27a7} 3780 "\\.\pipe\gecko-crash-server-pipe.3780" tab
        9⤵
        
        PID:492
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3900 -childID 2 -isForBrowser -prefsHandle 2960 -prefMapHandle 3888 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d163c454-dd34-4e4a-af5e-24f0efe0a8a2} 3780 "\\.\pipe\gecko-crash-server-pipe.3780" tab
        9⤵
        
        PID:2132
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4420 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4600 -prefMapHandle 4596 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04609ec6-78bc-4258-838a-d9dfe6100bf1} 3780 "\\.\pipe\gecko-crash-server-pipe.3780" utility
        9⤵
        Checks processor information in registry
        
        PID:6148
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5108 -childID 3 -isForBrowser -prefsHandle 5100 -prefMapHandle 4996 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e4d3c13-7f80-409d-b34d-ba5d59568ee5} 3780 "\\.\pipe\gecko-crash-server-pipe.3780" tab
        9⤵
        
        PID:7132
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 4 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2181e9ee-bdfb-4743-92c5-65a53d1bcbe5} 3780 "\\.\pipe\gecko-crash-server-pipe.3780" tab
        9⤵
        
        PID:7152
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 5 -isForBrowser -prefsHandle 5532 -prefMapHandle 5540 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99bea529-44ac-45b6-9bde-a5f207d63bdc} 3780 "\\.\pipe\gecko-crash-server-pipe.3780" tab
        9⤵
        
        PID:7164
      - C:\Users\Admin\AppData\Local\Temp\1011366001\5d60497ec0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011366001\5d60497ec0.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
      - C:\Users\Admin\AppData\Local\Temp\1011367001\a846bc2230.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011367001\a846bc2230.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6796
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2f4472.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2f4472.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 1708
        5⤵
        Program crash
        
        PID:1088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Y27V.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Y27V.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4o587L.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4o587L.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 656 -ip 656
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4524 -ip 4524
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4524 -ip 4524
1⤵
PID:2624

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2100

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6656

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Modify Authentication Process

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion