cryptbot | ec88dbbcd5cc0671007964874b399d01f078cdcb0e6bbd3c7ffd1c674d351831

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Setup_KMS_Pico_Full_File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	KMS_Pico.exe

Executes dropped EXE 9 IoCs

pid	Process
1880	KMS_Pico.exe
1520	KMS_pico.exe
4724	KMS_pico.tmp
728	srvtst.exe
4944	UninsHs.exe
4796	KMSELDI.exe
4952	SECOH-QAD.exe
1932	AutoPico.exe
2760	KMSELDI.exe

Loads dropped DLL 1 IoCs

pid	Process
4072	SppExtComObj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000231f8-1056.dat	upx
behavioral2/files/0x00060000000231f8-1055.dat	upx
behavioral2/files/0x00060000000231f8-1057.dat	upx
behavioral2/memory/4944-1058-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	KMS_Pico.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	KMS_Pico.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\is-6HHFJ.tmp	KMS_pico.tmp
File created	C:\Windows\system32\is-638OL.tmp	KMS_pico.tmp
File opened for modification	C:\Windows\system32\Vestris.ResourceLib.dll	KMS_pico.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\KMSpico\cert\kmscertW8\CoreSingleLanguage\is-37VM8.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-PO5E6.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-K2KM7.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Excel\is-KD66G.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-86KD6.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\is-IO955.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Outlook\is-15NOG.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\sounds\is-2PTAQ.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-TGAJV.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-1AKH2.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\SkypeforBusiness\is-RDOCN.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-T7J0J.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-CNVJ7.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\OneNote\is-AQHNQ.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Outlook\is-KA4NN.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-EL7AB.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-H50CV.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Enterprise\is-M7CJF.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\PowerPoint\is-408RM.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-EJ017.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-O2G2P.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Outlook\is-QCS7E.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW7\Professional\is-LTVFV.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\is-BTSU5.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\scripts\is-4LF7R.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Outlook\is-7VOJ1.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProPlus\is-2HC0G.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-P7B40.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-6T6SF.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\Enterprise\is-NE45V.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-F9VUB.tmp	KMS_pico.tmp
File opened for modification	C:\Program Files\KMSpico\logs\KMSELDI.log	KMSELDI.exe
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-6C45K.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\is-LGTG4.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\Publisher\is-DLD1P.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW10\EnterpriseS\is-98LCP.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\is-2CUP9.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\InfoPath\is-A4R58.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-HMM3D.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectPro\is-VJM1J.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-Q79M2.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\Business\is-8OVFH.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\TokensBackup\Windows\pkeyconfig.xrm-ms	KMSELDI.exe
File created	C:\Program Files\KMSpico\cert\kmscert2013\VisioPro\is-BI5I2.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\VisioStd\is-Q6OCG.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\scripts\is-F9MFR.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\scripts\is-MQNER.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-Q1QJU.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-BRQ0V.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Word\is-27I76.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\ProPlus\is-SMM1S.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW81\Professional\is-AEPOB.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Groove\is-9UH3I.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Excel\is-2L8QG.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\is-A98VK.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW8\Professional\is-AHIT4.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\VisioStd\is-US1I8.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscertW6\BusinessN\is-FCHLP.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\ProjectStd\is-VHN39.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-3D3OQ.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2013\Lync\is-UH1SP.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2016\is-3M2KI.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\SmallBusBasics\is-HKS31.tmp	KMS_pico.tmp
File created	C:\Program Files\KMSpico\cert\kmscert2010\Visio\is-UA2DR.tmp	KMS_pico.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SECOH-QAD.dll	KMSELDI.exe
File created	C:\Windows\SECOH-QAD.exe	KMSELDI.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4184	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	KMS_Pico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	KMS_Pico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	KMS_Pico.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3436	schtasks.exe
4980	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4732	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	KMSELDI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	AutoPico.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\PaintDesktopVersion = "0"	KMSELDI.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter	KMS_pico.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	KMS_pico.tmp

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress = "10.124.201.136"	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress	AutoPico.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress = "10.124.201.136"	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion	SppExtComObj.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress	AutoPico.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\d450596f-894d-49e0-966a-fd39ed4c4c64\DiscoveredKeyManagementServiceIpAddress	KMSELDI.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1880	KMS_Pico.exe
1880	KMS_Pico.exe
4724	KMS_pico.tmp
4724	KMS_pico.tmp
4952	SECOH-QAD.exe
4952	SECOH-QAD.exe
4952	SECOH-QAD.exe
4952	SECOH-QAD.exe
4952	SECOH-QAD.exe
4952	SECOH-QAD.exe
4796	KMSELDI.exe
4796	KMSELDI.exe
1932	AutoPico.exe
2760	KMSELDI.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2760	KMSELDI.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1880	KMS_Pico.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeSystemtimePrivilege	4796	KMSELDI.exe
Token: SeDebugPrivilege	4796	KMSELDI.exe
Token: SeSystemtimePrivilege	1932	AutoPico.exe
Token: SeDebugPrivilege	1932	AutoPico.exe
Token: SeSystemtimePrivilege	2760	KMSELDI.exe
Token: 33	4760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4760	AUDIODG.EXE
Token: SeDebugPrivilege	2760	KMSELDI.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1880	KMS_Pico.exe
4724	KMS_pico.tmp

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1880	KMS_Pico.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 1880	2096	Setup_KMS_Pico_Full_File.exe	100
PID 2096 wrote to memory of 1880	2096	Setup_KMS_Pico_Full_File.exe	100
PID 2096 wrote to memory of 1880	2096	Setup_KMS_Pico_Full_File.exe	100
PID 1880 wrote to memory of 1756	1880	KMS_Pico.exe	102
PID 1880 wrote to memory of 1756	1880	KMS_Pico.exe	102
PID 1880 wrote to memory of 1756	1880	KMS_Pico.exe	102
PID 1880 wrote to memory of 2780	1880	KMS_Pico.exe	104
PID 1880 wrote to memory of 2780	1880	KMS_Pico.exe	104
PID 1880 wrote to memory of 2780	1880	KMS_Pico.exe	104
PID 1756 wrote to memory of 3436	1756	cmd.exe	106
PID 1756 wrote to memory of 3436	1756	cmd.exe	106
PID 1756 wrote to memory of 3436	1756	cmd.exe	106
PID 2780 wrote to memory of 1520	2780	cmd.exe	107
PID 2780 wrote to memory of 1520	2780	cmd.exe	107
PID 2780 wrote to memory of 1520	2780	cmd.exe	107
PID 1520 wrote to memory of 4724	1520	KMS_pico.exe	109
PID 1520 wrote to memory of 4724	1520	KMS_pico.exe	109
PID 1520 wrote to memory of 4724	1520	KMS_pico.exe	109
PID 2908 wrote to memory of 3240	2908	chrome.exe	110
PID 2908 wrote to memory of 3240	2908	chrome.exe	110
PID 1880 wrote to memory of 2616	1880	KMS_Pico.exe	113
PID 1880 wrote to memory of 2616	1880	KMS_Pico.exe	113
PID 1880 wrote to memory of 2616	1880	KMS_Pico.exe	113
PID 2616 wrote to memory of 4732	2616	cmd.exe	115
PID 2616 wrote to memory of 4732	2616	cmd.exe	115
PID 2616 wrote to memory of 4732	2616	cmd.exe	115
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116
PID 2908 wrote to memory of 2488	2908	chrome.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Setup_KMS_Pico_Full_File.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_KMS_Pico_Full_File.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMS_Pico.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMS_Pico.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    /C schtasks /tn \Diagnostic\liqngsrini /create /tr """"C:\Users\Admin\AppData\Roaming\vxjugsxwsa\srvtst.exe""" """C:\Users\Admin\AppData\Roaming\vxjugsxwsa\srvtst.txt"""" /st 00:03 /f /sc once /du 9900:20 /ri 1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /tn \Diagnostic\liqngsrini /create /tr """"C:\Users\Admin\AppData\Roaming\vxjugsxwsa\srvtst.exe""" """C:\Users\Admin\AppData\Roaming\vxjugsxwsa\srvtst.txt"""" /st 00:03 /f /sc once /du 9900:20 /ri 1
      4⤵
      Creates scheduled task(s)
      PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    /C "C:\Users\Admin\AppData\Roaming\vxjugsxwsa\KMS_pico.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Roaming\vxjugsxwsa\KMS_pico.exe
      C:\Users\Admin\AppData\Roaming\vxjugsxwsa\KMS_pico.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\is-45TAI.tmp\KMS_pico.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-45TAI.tmp\KMS_pico.tmp" /SL5="$201D0,2952592,69120,C:\Users\Admin\AppData\Roaming\vxjugsxwsa\KMS_pico.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies Internet Explorer Phishing Filter
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:4724
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Service.cmd""
        6⤵
        
        PID:4512
        
        C:\Windows\system32\sc.exe
        
        sc create "Service KMSELDI" binPath= "C:\Program Files\KMSpico\Service_KMS.exe" type= own error= normal start= auto DisplayName= "Service KMSELDI"
        7⤵
        Launches sc.exe
        
        PID:4184
      - C:\Program Files\KMSpico\UninsHs.exe
        
        "C:\Program Files\KMSpico\UninsHs.exe" /r0=KMSpico,default,C:\Users\Admin\AppData\Roaming\vxjugsxwsa\KMS_pico.exe
        6⤵
        Executes dropped EXE
        
        PID:4944
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\KMSpico\scripts\Install_Task.cmd""
        6⤵
        
        PID:4172
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Create /TN "AutoPico Daily Restart" /TR "'C:\Program Files\KMSpico\AutoPico.exe' /silent" /SC DAILY /ST 23:59:59 /RU "NT AUTHORITY\SYSTEM" /RL Highest /F
        7⤵
        Creates scheduled task(s)
        
        PID:4980
      - C:\Program Files\KMSpico\KMSELDI.exe
        
        "C:\Program Files\KMSpico\KMSELDI.exe" /silent /backup
        6⤵
        Sets file execution options in registry
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies Control Panel
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
      - C:\Program Files\KMSpico\AutoPico.exe
        
        "C:\Program Files\KMSpico\AutoPico.exe" /silent
        6⤵
        Sets file execution options in registry
        Executes dropped EXE
        Modifies Control Panel
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMS_Pico.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\timeout.exe
      timeout -t 5
      4⤵
      Delays execution with timeout.exe
      PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --noerrdialogs --disable-crash-reporter --disable-backgrounding-occluded-windows --disable-background-timer-throttling --disable-extensions-http-throttling --disable-renderer-backgrounding --disable-audio-output --silent-launch --restore-last-session --elevated --profile-directory="Default"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6bde9758,0x7ffc6bde9768,0x7ffc6bde9778
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1872,i,9655815677309704126,11922031967097521986,131072 /prefetch:2
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=2156 --field-trial-handle=1872,i,9655815677309704126,11922031967097521986,131072 /prefetch:8
  2⤵
  PID:4180

C:\Users\Admin\AppData\Roaming\vxjugsxwsa\srvtst.exe
C:\Users\Admin\AppData\Roaming\vxjugsxwsa\srvtst.exe "C:\Users\Admin\AppData\Roaming\vxjugsxwsa\srvtst.txt"
1⤵
- Executes dropped EXE
PID:728

C:\Windows\SECOH-QAD.exe
C:\Windows\SECOH-QAD.exe C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4952
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:4072
- - C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    3⤵
    PID:3116
- - C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;Trigger=TimerEvent
    3⤵
    PID:4640

C:\Program Files\KMSpico\KMSELDI.exe
"C:\Program Files\KMSpico\KMSELDI.exe"
1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery