amadey | b4ed53947a407459822c5d352bb5300a5885b9dec2b6c319c48f54b57a02e2eb

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	13ab03bedb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	13ab03bedb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	13ab03bedb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	13ab03bedb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	13ab03bedb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	13ab03bedb.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2c6f4c3875.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c242e56780.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	13ab03bedb.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3968	powershell.exe
3572	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Eazy.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GoogleUpdateTaskMachineQC\ImagePath = "C:\\ProgramData\\Google\\Chrome\\updater.exe"	services.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2c6f4c3875.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	13ab03bedb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	13ab03bedb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c242e56780.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c242e56780.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2c6f4c3875.exe

Executes dropped EXE 8 IoCs

pid	Process
2752	skotes.exe
2504	DLER214.exe
1660	2c6f4c3875.exe
2008	c242e56780.exe
2392	52d7c74f74.exe
1072	13ab03bedb.exe
3608	Eazy.exe
3492	updater.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	2c6f4c3875.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	c242e56780.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	13ab03bedb.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 17 IoCs

pid	Process
1984	file.exe
2752	skotes.exe
1256	WerFault.exe
1256	WerFault.exe
1256	WerFault.exe
1256	WerFault.exe
1256	WerFault.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
2752	skotes.exe
480	services.exe
480	services.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	13ab03bedb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	13ab03bedb.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\52d7c74f74.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004068001\\52d7c74f74.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\13ab03bedb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004069001\\13ab03bedb.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\2c6f4c3875.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004066001\\2c6f4c3875.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\c242e56780.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004067001\\c242e56780.exe"	skotes.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3212	powercfg.exe
3200	powercfg.exe
3192	powercfg.exe
4052	powercfg.exe
2392	powercfg.exe
3180	powercfg.exe
1672	powercfg.exe
3220	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0005000000019518-95.dat	autoit_exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Eazy.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\system32\wbem\Logs\wmiprov.log	wmiprvse.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1984	file.exe
2752	skotes.exe
1660	2c6f4c3875.exe
2008	c242e56780.exe
1072	13ab03bedb.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3608 set thread context of 288	3608	Eazy.exe	83
PID 3492 set thread context of 3160	3492	updater.exe	115
PID 3492 set thread context of 3240	3492	updater.exe	116
PID 3492 set thread context of 3992	3492	updater.exe	118

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\Tasks\skotes.job	file.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4092	sc.exe
1828	sc.exe
3336	sc.exe
4032	sc.exe
4076	sc.exe
4056	sc.exe
3288	sc.exe
3424	sc.exe
3344	sc.exe
3780	sc.exe
468	sc.exe
836	sc.exe
2788	sc.exe
3184	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1256	2504	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c6f4c3875.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52d7c74f74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DLER214.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c242e56780.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13ab03bedb.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Kills process with taskkill 5 IoCs

pid	Process
1832	taskkill.exe
584	taskkill.exe
288	taskkill.exe
1592	taskkill.exe
1284	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f87c8249672fdb01	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1984	file.exe
2752	skotes.exe
1660	2c6f4c3875.exe
2008	c242e56780.exe
2392	52d7c74f74.exe
1072	13ab03bedb.exe
1072	13ab03bedb.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
1072	13ab03bedb.exe
1072	13ab03bedb.exe
3608	Eazy.exe
3968	powershell.exe
3608	Eazy.exe
3608	Eazy.exe
3608	Eazy.exe
3608	Eazy.exe
3608	Eazy.exe
3608	Eazy.exe
3608	Eazy.exe
3608	Eazy.exe
3608	Eazy.exe
3608	Eazy.exe
3608	Eazy.exe
3608	Eazy.exe
288	dialer.exe
288	dialer.exe
288	dialer.exe
288	dialer.exe
288	dialer.exe
288	dialer.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
288	dialer.exe
288	dialer.exe
288	dialer.exe
856	svchost.exe
3608	Eazy.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe
288	dialer.exe
288	dialer.exe
288	dialer.exe
856	svchost.exe
856	svchost.exe
856	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	DLER214.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	584	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	1648	firefox.exe
Token: SeDebugPrivilege	1648	firefox.exe
Token: SeDebugPrivilege	1072	13ab03bedb.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeShutdownPrivilege	3192	powercfg.exe
Token: SeShutdownPrivilege	3220	powercfg.exe
Token: SeShutdownPrivilege	3212	powercfg.exe
Token: SeShutdownPrivilege	3200	powercfg.exe
Token: SeDebugPrivilege	288	dialer.exe
Token: SeAuditPrivilege	856	svchost.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeShutdownPrivilege	1672	powercfg.exe
Token: SeShutdownPrivilege	3180	powercfg.exe
Token: SeShutdownPrivilege	4052	powercfg.exe
Token: SeDebugPrivilege	3160	dialer.exe
Token: SeShutdownPrivilege	2392	powercfg.exe
Token: SeLockMemoryPrivilege	3992	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1984	file.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2392	52d7c74f74.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
1648	firefox.exe
1648	firefox.exe
1648	firefox.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe
2392	52d7c74f74.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2752	1984	file.exe	30
PID 1984 wrote to memory of 2752	1984	file.exe	30
PID 1984 wrote to memory of 2752	1984	file.exe	30
PID 1984 wrote to memory of 2752	1984	file.exe	30
PID 2752 wrote to memory of 2504	2752	skotes.exe	32
PID 2752 wrote to memory of 2504	2752	skotes.exe	32
PID 2752 wrote to memory of 2504	2752	skotes.exe	32
PID 2752 wrote to memory of 2504	2752	skotes.exe	32
PID 2504 wrote to memory of 1256	2504	DLER214.exe	33
PID 2504 wrote to memory of 1256	2504	DLER214.exe	33
PID 2504 wrote to memory of 1256	2504	DLER214.exe	33
PID 2504 wrote to memory of 1256	2504	DLER214.exe	33
PID 2752 wrote to memory of 1660	2752	skotes.exe	35
PID 2752 wrote to memory of 1660	2752	skotes.exe	35
PID 2752 wrote to memory of 1660	2752	skotes.exe	35
PID 2752 wrote to memory of 1660	2752	skotes.exe	35
PID 2752 wrote to memory of 2008	2752	skotes.exe	37
PID 2752 wrote to memory of 2008	2752	skotes.exe	37
PID 2752 wrote to memory of 2008	2752	skotes.exe	37
PID 2752 wrote to memory of 2008	2752	skotes.exe	37
PID 2752 wrote to memory of 2392	2752	skotes.exe	38
PID 2752 wrote to memory of 2392	2752	skotes.exe	38
PID 2752 wrote to memory of 2392	2752	skotes.exe	38
PID 2752 wrote to memory of 2392	2752	skotes.exe	38
PID 2392 wrote to memory of 1832	2392	52d7c74f74.exe	39
PID 2392 wrote to memory of 1832	2392	52d7c74f74.exe	39
PID 2392 wrote to memory of 1832	2392	52d7c74f74.exe	39
PID 2392 wrote to memory of 1832	2392	52d7c74f74.exe	39
PID 2392 wrote to memory of 584	2392	52d7c74f74.exe	41
PID 2392 wrote to memory of 584	2392	52d7c74f74.exe	41
PID 2392 wrote to memory of 584	2392	52d7c74f74.exe	41
PID 2392 wrote to memory of 584	2392	52d7c74f74.exe	41
PID 2392 wrote to memory of 288	2392	52d7c74f74.exe	43
PID 2392 wrote to memory of 288	2392	52d7c74f74.exe	43
PID 2392 wrote to memory of 288	2392	52d7c74f74.exe	43
PID 2392 wrote to memory of 288	2392	52d7c74f74.exe	43
PID 2392 wrote to memory of 1592	2392	52d7c74f74.exe	45
PID 2392 wrote to memory of 1592	2392	52d7c74f74.exe	45
PID 2392 wrote to memory of 1592	2392	52d7c74f74.exe	45
PID 2392 wrote to memory of 1592	2392	52d7c74f74.exe	45
PID 2392 wrote to memory of 1284	2392	52d7c74f74.exe	47
PID 2392 wrote to memory of 1284	2392	52d7c74f74.exe	47
PID 2392 wrote to memory of 1284	2392	52d7c74f74.exe	47
PID 2392 wrote to memory of 1284	2392	52d7c74f74.exe	47
PID 2392 wrote to memory of 2256	2392	52d7c74f74.exe	49
PID 2392 wrote to memory of 2256	2392	52d7c74f74.exe	49
PID 2392 wrote to memory of 2256	2392	52d7c74f74.exe	49
PID 2392 wrote to memory of 2256	2392	52d7c74f74.exe	49
PID 2256 wrote to memory of 1648	2256	firefox.exe	50
PID 2256 wrote to memory of 1648	2256	firefox.exe	50
PID 2256 wrote to memory of 1648	2256	firefox.exe	50
PID 2256 wrote to memory of 1648	2256	firefox.exe	50
PID 2256 wrote to memory of 1648	2256	firefox.exe	50
PID 2256 wrote to memory of 1648	2256	firefox.exe	50
PID 2256 wrote to memory of 1648	2256	firefox.exe	50
PID 2256 wrote to memory of 1648	2256	firefox.exe	50
PID 2256 wrote to memory of 1648	2256	firefox.exe	50
PID 2256 wrote to memory of 1648	2256	firefox.exe	50
PID 2256 wrote to memory of 1648	2256	firefox.exe	50
PID 2256 wrote to memory of 1648	2256	firefox.exe	50
PID 1648 wrote to memory of 2136	1648	firefox.exe	51
PID 1648 wrote to memory of 2136	1648	firefox.exe	51
PID 1648 wrote to memory of 2136	1648	firefox.exe	51
PID 1648 wrote to memory of 540	1648	firefox.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:852
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    - Drops file in System32 directory
    PID:664
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:1732
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:756
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:820
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1168
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:976
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:292
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:920
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1080
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1120
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1620
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2496
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2468
- C:\ProgramData\Google\Chrome\updater.exe
  C:\ProgramData\Google\Chrome\updater.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  PID:3492
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3472
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:3732
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3780
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:468
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4032
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4076
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:836
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3180
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:3240
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3992

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\1004053001\DLER214.exe
      "C:\Users\Admin\AppData\Local\Temp\1004053001\DLER214.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1076
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1256
  - - C:\Users\Admin\AppData\Local\Temp\1004066001\2c6f4c3875.exe
      "C:\Users\Admin\AppData\Local\Temp\1004066001\2c6f4c3875.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\1004067001\c242e56780.exe
      "C:\Users\Admin\AppData\Local\Temp\1004067001\c242e56780.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\1004068001\52d7c74f74.exe
      "C:\Users\Admin\AppData\Local\Temp\1004068001\52d7c74f74.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1648.0.957681059\854898748" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {841c4103-cdab-49a2-87c2-6099d7ecdcb3} 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 1320 45d7358 gpu
        7⤵
        
        PID:2136
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1648.1.696204530\1080207377" -parentBuildID 20221007134813 -prefsHandle 1540 -prefMapHandle 1536 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {172d3073-98e4-41c6-81be-0c3b228e16d1} 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 1552 e74258 socket
        7⤵
        
        PID:540
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1648.2.1510324014\1008606859" -childID 1 -isForBrowser -prefsHandle 2036 -prefMapHandle 2032 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c936e32-9843-44a6-b707-267d2a660ba0} 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 2052 191a1e58 tab
        7⤵
        
        PID:1840
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1648.3.2080155281\317463922" -childID 2 -isForBrowser -prefsHandle 2928 -prefMapHandle 2924 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31ba71dc-a281-4c7f-84ba-f5c4cdb4ce59} 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 2940 1add8d58 tab
        7⤵
        
        PID:1588
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1648.4.1146451591\404925285" -childID 3 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41f0047d-57c0-4def-be27-72d6267af2f3} 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 3688 1fd5de58 tab
        7⤵
        
        PID:1116
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1648.5.1934770003\1527705771" -childID 4 -isForBrowser -prefsHandle 3796 -prefMapHandle 3800 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab2d054c-690d-492b-bef9-173cfa18c4ef} 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 3776 1fd5fc58 tab
        7⤵
        
        PID:352
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1648.6.666031966\1251595930" -childID 5 -isForBrowser -prefsHandle 4000 -prefMapHandle 4004 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 676 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6e6531b-59e1-4b87-9c37-be3d5ac33010} 1648 "\\.\pipe\gecko-crash-server-pipe.1648" 3880 20693558 tab
        7⤵
        
        PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\1004069001\13ab03bedb.exe
      "C:\Users\Admin\AppData\Local\Temp\1004069001\13ab03bedb.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Windows security modification
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\1004070001\Eazy.exe
      "C:\Users\Admin\AppData\Local\Temp\1004070001\Eazy.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:3608
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4048
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:916
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:4056
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:4092
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2788
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:1828
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:3184
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        5⤵
        Launches sc.exe
        
        PID:3288
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:3424
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:3336
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        5⤵
        Launches sc.exe
        
        PID:3344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "830299541-2027965808-84546803460067490-120818215-58313555710692944031599424221"
1⤵
PID:3236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9664291581430739489-720067438-539370189-103826379215724135161820090875-272539259"
1⤵
PID:3232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11884886832641714131930762218-1523309097777847694-672248771-98693372-638317345"
1⤵
PID:3244

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3277520618705757401215014590-710941496-1321001326955780762841548630-1597012328"
1⤵
PID:3196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1079772803-2000979247741416804-2004880251299727908-1775894104825945369-1363876243"
1⤵
PID:3300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1059023415796646076-1558988655-119409584112616716952040760956-569128615-1758458834"
1⤵
PID:3544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1085649219-473104087-1839578689212718916418718702901478814052-1753081204-123663566"
1⤵
PID:2696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2039338386-1245886747-1290278951-1778169238172087388532552051918158600312107889992"
1⤵
PID:3580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "695881011494646591110168774-14909996769882256601937904225-1622507632-1403283935"
1⤵
PID:3788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16168222451181402716-4569283114311236101916249988-12632521921705925290-1687744596"
1⤵
PID:3068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6176225301301503219-2518213461274763180773450195-195228219110786371741280288863"
1⤵
PID:916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "190599288-438211636816993259-1947712569665375057-7415324795571724812051513684"
1⤵
PID:1828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "22037465263926182-4024454991177731743-106059407-1532486486530841418704776636"
1⤵
PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion