amadey | ced416c4e61e9d2ac5646c0ecf12a763e7767fd2f8507e74ceb2b6dfb9a0ae73

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9b084a59d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9b084a59d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9b084a59d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9b084a59d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9b084a59d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9b084a59d.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	a4f82d81c5.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EHIIIJDAAA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a4f82d81c5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rhnew.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d4ca59e7a8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GI59vO6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BhD8htX.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0cc835df23.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bc76a107bc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a9b084a59d.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
1680	chrome.exe
1568	chrome.exe
1632	chrome.exe
1708	chrome.exe
2212	chrome.exe
2196	chrome.exe
2300	chrome.exe
2264	chrome.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a9b084a59d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GI59vO6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BhD8htX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a4f82d81c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rhnew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EHIIIJDAAA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GI59vO6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0cc835df23.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a9b084a59d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a4f82d81c5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rhnew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bc76a107bc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d4ca59e7a8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EHIIIJDAAA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BhD8htX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0cc835df23.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bc76a107bc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d4ca59e7a8.exe

Executes dropped EXE 12 IoCs

pid	Process
2216	EHIIIJDAAA.exe
1412	skotes.exe
1536	GI59vO6.exe
2676	4XYFk9r.exe
1840	BhD8htX.exe
1236	a4f82d81c5.exe
2644	rhnew.exe
2088	0cc835df23.exe
1172	bc76a107bc.exe
1360	d4ca59e7a8.exe
1512	7d5edb40a4.exe
3588	a9b084a59d.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	BhD8htX.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	a4f82d81c5.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	rhnew.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	EHIIIJDAAA.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	GI59vO6.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	0cc835df23.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	bc76a107bc.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	d4ca59e7a8.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	a9b084a59d.exe

Loads dropped DLL 23 IoCs

pid	Process
2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
1692	cmd.exe
1692	cmd.exe
2216	EHIIIJDAAA.exe
2216	EHIIIJDAAA.exe
1412	skotes.exe
1412	skotes.exe
1412	skotes.exe
2676	4XYFk9r.exe
1412	skotes.exe
1412	skotes.exe
1412	skotes.exe
1412	skotes.exe
1412	skotes.exe
1412	skotes.exe
1412	skotes.exe
1412	skotes.exe
1412	skotes.exe
1412	skotes.exe
1412	skotes.exe
1412	skotes.exe
2088	0cc835df23.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a9b084a59d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9b084a59d.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\bc76a107bc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012202001\\bc76a107bc.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\d4ca59e7a8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012203001\\d4ca59e7a8.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\7d5edb40a4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012204001\\7d5edb40a4.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\a9b084a59d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012205001\\a9b084a59d.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
34	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000400000001d9d8-732.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
680	tasklist.exe
2816	tasklist.exe
408	tasklist.exe
2736	tasklist.exe
1896	tasklist.exe
3836	tasklist.exe
3544	tasklist.exe
660	tasklist.exe
3908	tasklist.exe
2728	tasklist.exe
3884	tasklist.exe
1488	tasklist.exe
3792	tasklist.exe
1512	tasklist.exe
108	tasklist.exe
3428	tasklist.exe
3456	tasklist.exe
3952	tasklist.exe
2184	tasklist.exe
3672	tasklist.exe
3752	tasklist.exe
2692	tasklist.exe
1896	tasklist.exe
3324	tasklist.exe
3812	tasklist.exe
3456	tasklist.exe
952	tasklist.exe
864	tasklist.exe
2388	tasklist.exe
4044	tasklist.exe
3104	tasklist.exe
4048	tasklist.exe
3432	tasklist.exe
3592	tasklist.exe
2804	tasklist.exe
2208	tasklist.exe
1780	tasklist.exe
1432	tasklist.exe
3508	tasklist.exe
2956	tasklist.exe
2764	tasklist.exe
3508	tasklist.exe
3632	tasklist.exe
2260	tasklist.exe
3908	tasklist.exe
3400	tasklist.exe
352	tasklist.exe
3748	tasklist.exe
3908	tasklist.exe
3552	tasklist.exe
3796	tasklist.exe
3952	tasklist.exe
3984	tasklist.exe
2164	tasklist.exe
1704	tasklist.exe
2428	tasklist.exe
1020	tasklist.exe
3452	tasklist.exe
3864	tasklist.exe
3420	tasklist.exe
3344	tasklist.exe
1516	tasklist.exe
2864	tasklist.exe
2840	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
2216	EHIIIJDAAA.exe
1412	skotes.exe
1536	GI59vO6.exe
1840	BhD8htX.exe
1236	a4f82d81c5.exe
2644	rhnew.exe
2088	0cc835df23.exe
1172	bc76a107bc.exe
1360	d4ca59e7a8.exe
3588	a9b084a59d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	EHIIIJDAAA.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GI59vO6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc76a107bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4f82d81c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d5edb40a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9b084a59d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BhD8htX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	7d5edb40a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EHIIIJDAAA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cc835df23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4ca59e7a8.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	7d5edb40a4.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Delays execution with timeout.exe 64 IoCs

pid	Process
3480	timeout.exe
2928	timeout.exe
3944	timeout.exe
3488	timeout.exe
3920	timeout.exe
2236	timeout.exe
4080	timeout.exe
3600	timeout.exe
2436	timeout.exe
796	timeout.exe
2184	timeout.exe
2416	timeout.exe
3088	timeout.exe
1520	timeout.exe
3452	timeout.exe
1536	timeout.exe
3568	timeout.exe
3304	timeout.exe
3928	timeout.exe
3088	timeout.exe
4012	timeout.exe
1976	timeout.exe
2904	timeout.exe
840	timeout.exe
2312	timeout.exe
3344	timeout.exe
2880	timeout.exe
2944	timeout.exe
1032	timeout.exe
4040	timeout.exe
3404	timeout.exe
3608	timeout.exe
4072	timeout.exe
3556	timeout.exe
2592	timeout.exe
1636	timeout.exe
484	timeout.exe
3688	timeout.exe
1668	timeout.exe
3304	timeout.exe
3728	timeout.exe
3372	timeout.exe
3920	timeout.exe
3884	timeout.exe
448	timeout.exe
3972	timeout.exe
876	timeout.exe
3816	timeout.exe
1408	timeout.exe
2392	timeout.exe
3568	timeout.exe
3780	timeout.exe
3488	timeout.exe
1572	timeout.exe
2184	timeout.exe
1660	timeout.exe
3356	timeout.exe
1392	timeout.exe
2272	timeout.exe
3408	timeout.exe
2348	timeout.exe
3968	timeout.exe
3532	timeout.exe
2840	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

pid	Process
2300	taskkill.exe
892	taskkill.exe
1264	taskkill.exe
2448	taskkill.exe
2636	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	BhD8htX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	BhD8htX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	BhD8htX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	BhD8htX.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
2196	chrome.exe
2196	chrome.exe
2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
1568	chrome.exe
1568	chrome.exe
2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
2216	EHIIIJDAAA.exe
1412	skotes.exe
1536	GI59vO6.exe
2676	4XYFk9r.exe
2676	4XYFk9r.exe
2676	4XYFk9r.exe
1840	BhD8htX.exe
1236	a4f82d81c5.exe
1236	a4f82d81c5.exe
1236	a4f82d81c5.exe
1236	a4f82d81c5.exe
1236	a4f82d81c5.exe
1236	a4f82d81c5.exe
2644	rhnew.exe
2088	0cc835df23.exe
1172	bc76a107bc.exe
1360	d4ca59e7a8.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
3588	a9b084a59d.exe
3588	a9b084a59d.exe
3588	a9b084a59d.exe
3588	a9b084a59d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	2196	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeShutdownPrivilege	1568	chrome.exe
Token: SeDebugPrivilege	2676	4XYFk9r.exe
Token: SeDebugPrivilege	1120	tasklist.exe
Token: SeDebugPrivilege	680	tasklist.exe
Token: SeDebugPrivilege	2816	tasklist.exe
Token: SeDebugPrivilege	952	tasklist.exe
Token: SeDebugPrivilege	1648	tasklist.exe
Token: SeDebugPrivilege	2428	tasklist.exe
Token: SeDebugPrivilege	1204	tasklist.exe
Token: SeDebugPrivilege	1516	tasklist.exe
Token: SeDebugPrivilege	2804	tasklist.exe
Token: SeDebugPrivilege	1020	tasklist.exe
Token: SeDebugPrivilege	2012	tasklist.exe
Token: SeDebugPrivilege	408	tasklist.exe
Token: SeDebugPrivilege	2864	tasklist.exe
Token: SeDebugPrivilege	2392	tasklist.exe
Token: SeDebugPrivilege	2904	tasklist.exe
Token: SeDebugPrivilege	1896	tasklist.exe
Token: SeDebugPrivilege	2736	tasklist.exe
Token: SeDebugPrivilege	2252	tasklist.exe
Token: SeDebugPrivilege	352	tasklist.exe
Token: SeDebugPrivilege	1512	tasklist.exe
Token: SeDebugPrivilege	2208	tasklist.exe
Token: SeDebugPrivilege	2840	tasklist.exe
Token: SeDebugPrivilege	864	tasklist.exe
Token: SeDebugPrivilege	2388	tasklist.exe
Token: SeDebugPrivilege	1896	tasklist.exe
Token: SeDebugPrivilege	2764	tasklist.exe
Token: SeDebugPrivilege	812	tasklist.exe
Token: SeDebugPrivilege	108	tasklist.exe
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	328	tasklist.exe
Token: SeDebugPrivilege	604	tasklist.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	1264	taskkill.exe
Token: SeDebugPrivilege	2388	tasklist.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	2252	firefox.exe
Token: SeDebugPrivilege	2252	firefox.exe
Token: SeDebugPrivilege	1780	tasklist.exe
Token: SeDebugPrivilege	3324	tasklist.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2196	chrome.exe
1568	chrome.exe
2216	EHIIIJDAAA.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
2252	firefox.exe
2252	firefox.exe
2252	firefox.exe
2252	firefox.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
2252	firefox.exe
2252	firefox.exe
2252	firefox.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe
1512	7d5edb40a4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2196	2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe	31
PID 2112 wrote to memory of 2196	2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe	31
PID 2112 wrote to memory of 2196	2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe	31
PID 2112 wrote to memory of 2196	2112	c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe	31
PID 2196 wrote to memory of 2856	2196	chrome.exe	32
PID 2196 wrote to memory of 2856	2196	chrome.exe	32
PID 2196 wrote to memory of 2856	2196	chrome.exe	32
PID 2196 wrote to memory of 2452	2196	chrome.exe	33
PID 2196 wrote to memory of 2452	2196	chrome.exe	33
PID 2196 wrote to memory of 2452	2196	chrome.exe	33
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2252	2196	chrome.exe	35
PID 2196 wrote to memory of 2956	2196	chrome.exe	36
PID 2196 wrote to memory of 2956	2196	chrome.exe	36
PID 2196 wrote to memory of 2956	2196	chrome.exe	36
PID 2196 wrote to memory of 1096	2196	chrome.exe	37
PID 2196 wrote to memory of 1096	2196	chrome.exe	37
PID 2196 wrote to memory of 1096	2196	chrome.exe	37
PID 2196 wrote to memory of 1096	2196	chrome.exe	37
PID 2196 wrote to memory of 1096	2196	chrome.exe	37
PID 2196 wrote to memory of 1096	2196	chrome.exe	37
PID 2196 wrote to memory of 1096	2196	chrome.exe	37
PID 2196 wrote to memory of 1096	2196	chrome.exe	37
PID 2196 wrote to memory of 1096	2196	chrome.exe	37
PID 2196 wrote to memory of 1096	2196	chrome.exe	37
PID 2196 wrote to memory of 1096	2196	chrome.exe	37
PID 2196 wrote to memory of 1096	2196	chrome.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe
"C:\Users\Admin\AppData\Local\Temp\c006fc45ccd90fd47319f6aa0ee4694d8b17e4fd35b237ada54db1cc649b0367.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7309758,0x7fef7309768,0x7fef7309778
    3⤵
    PID:2856
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:2452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1360,i,421704711659222504,13317946633645560201,131072 /prefetch:2
    3⤵
    PID:2252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 --field-trial-handle=1360,i,421704711659222504,13317946633645560201,131072 /prefetch:8
    3⤵
    PID:2956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1536 --field-trial-handle=1360,i,421704711659222504,13317946633645560201,131072 /prefetch:8
    3⤵
    PID:1096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=1360,i,421704711659222504,13317946633645560201,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2476 --field-trial-handle=1360,i,421704711659222504,13317946633645560201,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2484 --field-trial-handle=1360,i,421704711659222504,13317946633645560201,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1612 --field-trial-handle=1360,i,421704711659222504,13317946633645560201,131072 /prefetch:2
    3⤵
    PID:1716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 --field-trial-handle=1360,i,421704711659222504,13317946633645560201,131072 /prefetch:8
    3⤵
    PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef63b9758,0x7fef63b9768,0x7fef63b9778
    3⤵
    PID:316
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1272,i,8170887170249128748,2260712797491795042,131072 /prefetch:2
    3⤵
    PID:1932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1272,i,8170887170249128748,2260712797491795042,131072 /prefetch:8
    3⤵
    PID:2996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1272,i,8170887170249128748,2260712797491795042,131072 /prefetch:8
    3⤵
    PID:2696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2416 --field-trial-handle=1272,i,8170887170249128748,2260712797491795042,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2732 --field-trial-handle=1272,i,8170887170249128748,2260712797491795042,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2752 --field-trial-handle=1272,i,8170887170249128748,2260712797491795042,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1152 --field-trial-handle=1272,i,8170887170249128748,2260712797491795042,131072 /prefetch:2
    3⤵
    PID:2264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 --field-trial-handle=1272,i,8170887170249128748,2260712797491795042,131072 /prefetch:8
    3⤵
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\EHIIIJDAAA.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1692
- - C:\Users\Admin\Documents\EHIIIJDAAA.exe
    "C:\Users\Admin\Documents\EHIIIJDAAA.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1412
    - - C:\Users\Admin\AppData\Local\Temp\1011782001\GI59vO6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011782001\GI59vO6.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
    - - C:\Users\Admin\AppData\Local\Temp\1011944001\4XYFk9r.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011944001\4XYFk9r.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7677.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7677.tmp.bat
        6⤵
        
        PID:288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2612
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1464
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:2672
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2908
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:1520
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:660
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2184
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:840
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:1692
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1732
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:1976
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2196
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:236
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2592
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2272
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1532
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:1636
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2624
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:2808
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1672
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2944
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2880
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:1668
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1472
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2184
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1644
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:1660
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2380
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:2920
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2788
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:2792
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1912
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:1032
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1700
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:1968
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1872
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:1408
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2472
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:876
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2568
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:1672
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3008
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:840
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1648
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:1856
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2920
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2904
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2444
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2416
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:484
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:1536
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1920
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2236
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1784
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2348
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2648
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:1408
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:352
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:2624
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1436
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2312
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2656
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2392
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2444
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:484
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2904
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:2164
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3332
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3372
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3452
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3460
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3488
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3500
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3508
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3568
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3724
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3732
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3760
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3836
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3844
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3872
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3884
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3892
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3920
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3932
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3940
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3968
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3992
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:4000
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:4032
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:4044
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:4052
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:4080
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3104
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3216
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3304
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3320
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2164
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3344
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3324
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3332
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3408
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3428
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3432
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3480
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3456
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3460
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3532
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3544
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3556
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3512
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3508
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3548
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3568
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3748
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3744
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3780
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3812
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3824
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3868
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3864
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3856
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3872
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3908
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3904
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3920
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3952
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3936
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3928
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:4028
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:4024
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:4040
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:660
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2816
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2928
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:2184
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:864
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2840
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3332
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2908
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3404
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3424
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3428
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3608
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3620
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3628
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3656
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3672
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3680
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3708
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3592
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3464
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3452
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3552
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3560
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3600
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3756
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3776
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3728
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3796
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3788
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3816
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3812
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2584
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3836
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:2260
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:996
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3884
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3908
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3904
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3944
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3952
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3936
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:4016
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:4028
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:4024
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:4072
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:4048
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:4056
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:2212
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:1488
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1988
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:4040
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:1432
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1572
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2880
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3984
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3988
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3088
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:2300
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3232
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3304
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:2164
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3340
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3384
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3420
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3416
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3476
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3444
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2788
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2436
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3432
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3428
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3640
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3632
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3616
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3688
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3672
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3680
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3488
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3592
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3464
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:448
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3456
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3720
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3556
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3508
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3576
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3568
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3752
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3728
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3796
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3792
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3832
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3824
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:2584
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1252
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3872
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:2260
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:996
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3920
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3908
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3904
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3972
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:2236
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3996
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:4012
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:4024
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2848
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:4088
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:4048
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:4056
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:2836
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:2956
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2068
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:1572
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3100
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:1172
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3088
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        
        PID:3308
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3216
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:3356
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3344
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:3316
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        
        PID:3324
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:3400
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:696
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:1392
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:2692
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2336
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:796
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2676"
        7⤵
        Enumerates processes with tasklist
        
        PID:1704
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:2296
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\1012195001\a4f82d81c5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012195001\a4f82d81c5.exe"
        5⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1236
    - - C:\Users\Admin\AppData\Local\Temp\1012200001\rhnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012200001\rhnew.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\1012201001\0cc835df23.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012201001\0cc835df23.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\1012202001\bc76a107bc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012202001\bc76a107bc.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1172
    - - C:\Users\Admin\AppData\Local\Temp\1012203001\d4ca59e7a8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012203001\d4ca59e7a8.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\1012204001\7d5edb40a4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012204001\7d5edb40a4.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1512
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:236
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2252
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2252.0.1307285514\1404607519" -parentBuildID 20221007134813 -prefsHandle 1252 -prefMapHandle 1244 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c348f74-f126-4608-a925-6b03be4ec94c} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" 1348 100d3d58 gpu
        8⤵
        
        PID:1232
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2252.1.1884701206\34514109" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1528 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f3beb3e-3233-4107-99bf-59c0bac856d0} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" 1544 41eb258 socket
        8⤵
        
        PID:2412
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2252.2.332332992\1680277050" -childID 1 -isForBrowser -prefsHandle 2044 -prefMapHandle 2040 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3db538e5-2f8b-4f6d-b13c-2d175615214d} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" 2060 1a8c9858 tab
        8⤵
        
        PID:2804
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2252.3.189976501\238026433" -childID 2 -isForBrowser -prefsHandle 2668 -prefMapHandle 2664 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03f87a50-30f4-4415-b1ba-8ada08c5229b} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" 2684 1cdd6a58 tab
        8⤵
        
        PID:2500
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2252.4.1997855887\218577045" -childID 3 -isForBrowser -prefsHandle 3860 -prefMapHandle 3856 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec51221e-841a-413e-a316-31e1eda47255} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" 3872 21046658 tab
        8⤵
        
        PID:1524
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2252.5.616240006\1786707791" -childID 4 -isForBrowser -prefsHandle 3980 -prefMapHandle 3984 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8ca2ffc-1766-425e-a501-671b3d79823a} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" 3972 21044e58 tab
        8⤵
        
        PID:844
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2252.6.647824377\1093253642" -childID 5 -isForBrowser -prefsHandle 4148 -prefMapHandle 4152 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 592 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a293168c-ed33-425e-9180-a5aeb6bbf0bf} 2252 "\\.\pipe\gecko-crash-server-pipe.2252" 4140 21c10b58 tab
        8⤵
        
        PID:1780
    - - C:\Users\Admin\AppData\Local\Temp\1012205001\a9b084a59d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1012205001\a9b084a59d.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3588

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:952

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion