amadey | 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

98c97c48c7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	98c97c48c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	98c97c48c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	98c97c48c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	98c97c48c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	98c97c48c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	98c97c48c7.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

57fa9eee06.exe5790288a4f.exe444e7a1a08.exe98c97c48c7.exe97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exeskotes.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	57fa9eee06.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5790288a4f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	444e7a1a08.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	98c97c48c7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file
Uses browser remote debugging 2 TTPs 3 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
credential_access stealer

Steal Web Session Cookie
T1539

Modify Authentication Process
T1556

Processes:

chrome.exechrome.exechrome.exe

pid process

2740 chrome.exe
836 chrome.exe
3364 chrome.exe

pid	process
2740	chrome.exe
836	chrome.exe
3364	chrome.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

57fa9eee06.exe5790288a4f.exe444e7a1a08.exe98c97c48c7.exe97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exeskotes.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	57fa9eee06.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5790288a4f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	444e7a1a08.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	444e7a1a08.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	98c97c48c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	98c97c48c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	57fa9eee06.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5790288a4f.exe

Executes dropped EXE 6 IoCs

Processes:

skotes.exe57fa9eee06.exe5790288a4f.exe444e7a1a08.exe9403857815.exe98c97c48c7.exe

pid process

2952 skotes.exe
2260 57fa9eee06.exe
2088 5790288a4f.exe
2472 444e7a1a08.exe
1712 9403857815.exe
2424 98c97c48c7.exe

pid	process
2952	skotes.exe
2260	57fa9eee06.exe
2088	5790288a4f.exe
2472	444e7a1a08.exe
1712	9403857815.exe
2424	98c97c48c7.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

57fa9eee06.exe5790288a4f.exe444e7a1a08.exe98c97c48c7.exe97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exeskotes.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	57fa9eee06.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	5790288a4f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	444e7a1a08.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	98c97c48c7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	skotes.exe

Loads dropped DLL 8 IoCs

Processes:

97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exeskotes.exe

pid	process
1736	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
2952	skotes.exe
2952	skotes.exe
2952	skotes.exe
2952	skotes.exe
2952	skotes.exe
2952	skotes.exe
2952	skotes.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

98c97c48c7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	98c97c48c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	98c97c48c7.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

skotes.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\5790288a4f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006791001\\5790288a4f.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\444e7a1a08.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006792001\\444e7a1a08.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\9403857815.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006793001\\9403857815.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\98c97c48c7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006794001\\98c97c48c7.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1006793001\9403857815.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exeskotes.exe57fa9eee06.exe5790288a4f.exe444e7a1a08.exe98c97c48c7.exe

pid	process
1736	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
2952	skotes.exe
2260	57fa9eee06.exe
2088	5790288a4f.exe
2472	444e7a1a08.exe
2424	98c97c48c7.exe

Drops file in Windows directory 1 IoCs

Processes:

97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe

description ioc process

File created C:\Windows\Tasks\skotes.job 97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\skotes.job	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

skotes.exe5790288a4f.exetaskkill.exetaskkill.exetaskkill.exe97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe57fa9eee06.exe444e7a1a08.exe9403857815.exetaskkill.exe98c97c48c7.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5790288a4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57fa9eee06.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	444e7a1a08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9403857815.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98c97c48c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exe57fa9eee06.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	57fa9eee06.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	57fa9eee06.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1232 taskkill.exe
2040 taskkill.exe
2164 taskkill.exe
1192 taskkill.exe
2988 taskkill.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings firefox.exe

pid	process
1232	taskkill.exe
2040	taskkill.exe
2164	taskkill.exe
1192	taskkill.exe
2988	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

5790288a4f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	5790288a4f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	5790288a4f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	5790288a4f.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exeskotes.exe57fa9eee06.exe5790288a4f.exe444e7a1a08.exe9403857815.exe98c97c48c7.exechrome.exe

pid	process
1736	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
2952	skotes.exe
2260	57fa9eee06.exe
2088	5790288a4f.exe
2472	444e7a1a08.exe
1712	9403857815.exe
2424	98c97c48c7.exe
2424	98c97c48c7.exe
2424	98c97c48c7.exe
1712	9403857815.exe
2740	chrome.exe
2740	chrome.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe98c97c48c7.exefirefox.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	2424	98c97c48c7.exe
Token: SeDebugPrivilege	452	firefox.exe
Token: SeDebugPrivilege	452	firefox.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe9403857815.exefirefox.exechrome.exe

pid	process
1736	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
452	firefox.exe
452	firefox.exe
452	firefox.exe
452	firefox.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

9403857815.exefirefox.exe

pid	process
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
1712	9403857815.exe
452	firefox.exe
452	firefox.exe
452	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exeskotes.exe9403857815.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1736 wrote to memory of 2952	1736	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe	skotes.exe
PID 1736 wrote to memory of 2952	1736	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe	skotes.exe
PID 1736 wrote to memory of 2952	1736	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe	skotes.exe
PID 1736 wrote to memory of 2952	1736	97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe	skotes.exe
PID 2952 wrote to memory of 2260	2952	skotes.exe	57fa9eee06.exe
PID 2952 wrote to memory of 2260	2952	skotes.exe	57fa9eee06.exe
PID 2952 wrote to memory of 2260	2952	skotes.exe	57fa9eee06.exe
PID 2952 wrote to memory of 2260	2952	skotes.exe	57fa9eee06.exe
PID 2952 wrote to memory of 2088	2952	skotes.exe	5790288a4f.exe
PID 2952 wrote to memory of 2088	2952	skotes.exe	5790288a4f.exe
PID 2952 wrote to memory of 2088	2952	skotes.exe	5790288a4f.exe
PID 2952 wrote to memory of 2088	2952	skotes.exe	5790288a4f.exe
PID 2952 wrote to memory of 2472	2952	skotes.exe	444e7a1a08.exe
PID 2952 wrote to memory of 2472	2952	skotes.exe	444e7a1a08.exe
PID 2952 wrote to memory of 2472	2952	skotes.exe	444e7a1a08.exe
PID 2952 wrote to memory of 2472	2952	skotes.exe	444e7a1a08.exe
PID 2952 wrote to memory of 1712	2952	skotes.exe	9403857815.exe
PID 2952 wrote to memory of 1712	2952	skotes.exe	9403857815.exe
PID 2952 wrote to memory of 1712	2952	skotes.exe	9403857815.exe
PID 2952 wrote to memory of 1712	2952	skotes.exe	9403857815.exe
PID 1712 wrote to memory of 1232	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 1232	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 1232	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 1232	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 2040	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 2040	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 2040	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 2040	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 2164	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 2164	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 2164	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 2164	1712	9403857815.exe	taskkill.exe
PID 2952 wrote to memory of 2424	2952	skotes.exe	98c97c48c7.exe
PID 2952 wrote to memory of 2424	2952	skotes.exe	98c97c48c7.exe
PID 2952 wrote to memory of 2424	2952	skotes.exe	98c97c48c7.exe
PID 2952 wrote to memory of 2424	2952	skotes.exe	98c97c48c7.exe
PID 1712 wrote to memory of 1192	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 1192	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 1192	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 1192	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 2988	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 2988	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 2988	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 2988	1712	9403857815.exe	taskkill.exe
PID 1712 wrote to memory of 2908	1712	9403857815.exe	firefox.exe
PID 1712 wrote to memory of 2908	1712	9403857815.exe	firefox.exe
PID 1712 wrote to memory of 2908	1712	9403857815.exe	firefox.exe
PID 1712 wrote to memory of 2908	1712	9403857815.exe	firefox.exe
PID 2908 wrote to memory of 452	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 452	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 452	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 452	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 452	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 452	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 452	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 452	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 452	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 452	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 452	2908	firefox.exe	firefox.exe
PID 2908 wrote to memory of 452	2908	firefox.exe	firefox.exe
PID 452 wrote to memory of 1876	452	firefox.exe	firefox.exe
PID 452 wrote to memory of 1876	452	firefox.exe	firefox.exe
PID 452 wrote to memory of 1876	452	firefox.exe	firefox.exe
PID 452 wrote to memory of 912	452	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe
"C:\Users\Admin\AppData\Local\Temp\97c84e4a64dc3963b1449a554864034af641fcb3fd781e668bed8a4290499fd2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\1006666001\57fa9eee06.exe
    "C:\Users\Admin\AppData\Local\Temp\1006666001\57fa9eee06.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2260
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2740
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5a09758,0x7fef5a09768,0x7fef5a09778
        5⤵
        
        PID:3192
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:3068
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1240,i,12498995755823859819,499066810326426050,131072 /prefetch:2
        5⤵
        
        PID:2380
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1240,i,12498995755823859819,499066810326426050,131072 /prefetch:8
        5⤵
        
        PID:1516
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1240,i,12498995755823859819,499066810326426050,131072 /prefetch:8
        5⤵
        
        PID:3276
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2352 --field-trial-handle=1240,i,12498995755823859819,499066810326426050,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:836
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1240,i,12498995755823859819,499066810326426050,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3364
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1584 --field-trial-handle=1240,i,12498995755823859819,499066810326426050,131072 /prefetch:2
        5⤵
        
        PID:1664
- - C:\Users\Admin\AppData\Local\Temp\1006791001\5790288a4f.exe
    "C:\Users\Admin\AppData\Local\Temp\1006791001\5790288a4f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2088
- - C:\Users\Admin\AppData\Local\Temp\1006792001\444e7a1a08.exe
    "C:\Users\Admin\AppData\Local\Temp\1006792001\444e7a1a08.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2472
- - C:\Users\Admin\AppData\Local\Temp\1006793001\9403857815.exe
    "C:\Users\Admin\AppData\Local\Temp\1006793001\9403857815.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2164
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1192
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2988
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:452
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="452.0.2030581430\1982660490" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1240 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fd5dac6-e2f5-41db-b166-15ef863a6ab7} 452 "\\.\pipe\gecko-crash-server-pipe.452" 1312 121d5e58 gpu
        6⤵
        
        PID:1876
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="452.1.220699300\1463136772" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8d12d6c-f595-46b3-9230-6f73c10d0b2f} 452 "\\.\pipe\gecko-crash-server-pipe.452" 1528 12105f58 socket
        6⤵
        
        PID:912
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="452.2.831121005\1193619194" -childID 1 -isForBrowser -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b0b4ffa-6ec2-4ad3-96ce-4c309daf5abb} 452 "\\.\pipe\gecko-crash-server-pipe.452" 2240 1a1e3558 tab
        6⤵
        
        PID:1768
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="452.3.1017820323\1110751641" -childID 2 -isForBrowser -prefsHandle 2956 -prefMapHandle 2952 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {606377fe-0550-483e-9ba1-397f1ccfcb42} 452 "\\.\pipe\gecko-crash-server-pipe.452" 2968 1b4c5758 tab
        6⤵
        
        PID:2656
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="452.4.391646522\894909420" -childID 3 -isForBrowser -prefsHandle 3844 -prefMapHandle 3836 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e73f770-ca72-4b91-b778-c1c84cc6c0c0} 452 "\\.\pipe\gecko-crash-server-pipe.452" 3860 1f38d458 tab
        6⤵
        
        PID:1548
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="452.5.1647734437\1781255215" -childID 4 -isForBrowser -prefsHandle 3944 -prefMapHandle 3948 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da737ea8-9731-45cc-9454-0b32917675b8} 452 "\\.\pipe\gecko-crash-server-pipe.452" 3936 1f38fb58 tab
        6⤵
        
        PID:1652
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="452.6.57876909\475532949" -childID 5 -isForBrowser -prefsHandle 4116 -prefMapHandle 4120 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b94ba3e-d0b2-4143-92b4-c167b5e48cb4} 452 "\\.\pipe\gecko-crash-server-pipe.452" 4104 1ff9cb58 tab
        6⤵
        
        PID:980
- - C:\Users\Admin\AppData\Local\Temp\1006794001\98c97c48c7.exe
    "C:\Users\Admin\AppData\Local\Temp\1006794001\98c97c48c7.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2424

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

T1556

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion