amadey | 74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	0db7ba8c1c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	0db7ba8c1c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	0db7ba8c1c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	0db7ba8c1c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	0db7ba8c1c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	4b394g.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/3644-1434-0x000000000AFE0000-0x000000000B100000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/1080-196-0x0000000000F10000-0x0000000001372000-memory.dmp	VenomRAT
behavioral1/memory/1080-195-0x0000000000F10000-0x0000000001372000-memory.dmp	VenomRAT

Venomrat family
venomrat
Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1080-196-0x0000000000F10000-0x0000000001372000-memory.dmp	family_asyncrat
behavioral1/memory/1080-195-0x0000000000F10000-0x0000000001372000-memory.dmp	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3y47J.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4b394g.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e1c8ef5647.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ce24de6ebe.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0db7ba8c1c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1J17p1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	H3tyh96.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3EUEYgl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9feskIx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2J9156.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1337b32aff.exe

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral1/memory/5024-279-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/5024-280-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/5024-281-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/5024-282-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/5024-283-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/5024-284-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/5024-285-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/5024-287-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/5024-289-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/5024-300-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6716	powershell.exe
6612	powershell.exe
5356	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	tpwnww.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks BIOS information in registry 2 TTPs 28 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9feskIx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1337b32aff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3EUEYgl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3y47J.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9feskIx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e1c8ef5647.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0db7ba8c1c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1J17p1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1J17p1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	H3tyh96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3EUEYgl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1337b32aff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4b394g.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4b394g.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	H3tyh96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0db7ba8c1c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3y47J.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2J9156.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e1c8ef5647.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ce24de6ebe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2J9156.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ce24de6ebe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	1J17p1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	C1J7SVw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	3EUEYgl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	9feskIx.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
6752	powershell.exe
2728	cmd.exe

Executes dropped EXE 35 IoCs

pid	Process
4828	U0w71.exe
4804	W5n58.exe
2728	1J17p1.exe
1096	skotes.exe
32	2J9156.exe
1856	3y47J.exe
3140	4b394g.exe
5064	C1J7SVw.exe
3196	7z.exe
3360	7z.exe
4680	7z.exe
5100	7z.exe
1508	7z.exe
1756	7z.exe
2152	7z.exe
3316	7z.exe
3824	in.exe
3368	Z9Pp9pM.exe
1080	H3tyh96.exe
4236	yiklfON.exe
2128	3EUEYgl.exe
3644	9feskIx.exe
2216	skotes.exe
4468	Intel_PTT_EK_Recertification.exe
4048	e1c8ef5647.exe
1412	fa0db471c4.exe
3456	1337b32aff.exe
2696	ce24de6ebe.exe
3008	ba75602f28.exe
3672	0db7ba8c1c.exe
2396	tpwnww.exe
3316	tpwnww.exe
5700	skotes.exe
2740	Intel_PTT_EK_Recertification.exe
6460	rar.exe

Identifies Wine through registry keys 2 TTPs 14 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	9feskIx.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	e1c8ef5647.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	1337b32aff.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	3y47J.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	H3tyh96.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	3EUEYgl.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	ce24de6ebe.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	1J17p1.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	2J9156.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	4b394g.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine	0db7ba8c1c.exe

Loads dropped DLL 24 IoCs

pid	Process
3196	7z.exe
3360	7z.exe
4680	7z.exe
5100	7z.exe
1508	7z.exe
1756	7z.exe
2152	7z.exe
3316	7z.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe
3316	tpwnww.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	4b394g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0db7ba8c1c.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0db7ba8c1c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013856001\\0db7ba8c1c.exe"	skotes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	U0w71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	W5n58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1337b32aff.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013853001\\1337b32aff.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ce24de6ebe.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013854001\\ce24de6ebe.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba75602f28.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013855001\\ba75602f28.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
281	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000023ce9-413.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
7076	tasklist.exe
4300	tasklist.exe
6592	tasklist.exe
6656	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
2728	1J17p1.exe
1096	skotes.exe
32	2J9156.exe
1856	3y47J.exe
3140	4b394g.exe
1080	H3tyh96.exe
2128	3EUEYgl.exe
3644	9feskIx.exe
2216	skotes.exe
4048	e1c8ef5647.exe
3456	1337b32aff.exe
2696	ce24de6ebe.exe
3672	0db7ba8c1c.exe
5700	skotes.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4468 set thread context of 5024	4468	Intel_PTT_EK_Recertification.exe	133
PID 2740 set thread context of 5472	2740	Intel_PTT_EK_Recertification.exe	279

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023cc0-131.dat	upx
behavioral1/memory/3824-136-0x00007FF67C910000-0x00007FF67CDA0000-memory.dmp	upx
behavioral1/memory/3824-134-0x00007FF67C910000-0x00007FF67CDA0000-memory.dmp	upx
behavioral1/memory/4468-277-0x00007FF6732E0000-0x00007FF673770000-memory.dmp	upx
behavioral1/memory/4468-290-0x00007FF6732E0000-0x00007FF673770000-memory.dmp	upx
behavioral1/memory/3316-1382-0x00007FFFA9370000-0x00007FFFA9A32000-memory.dmp	upx
behavioral1/memory/3316-1386-0x00007FFFC08E0000-0x00007FFFC08EF000-memory.dmp	upx
behavioral1/memory/3316-1385-0x00007FFFBBB50000-0x00007FFFBBB75000-memory.dmp	upx
behavioral1/memory/3316-1418-0x00007FFFBB490000-0x00007FFFBB4BC000-memory.dmp	upx
behavioral1/memory/3316-1422-0x00007FFFA91F0000-0x00007FFFA936F000-memory.dmp	upx
behavioral1/memory/3316-1421-0x00007FFFBB330000-0x00007FFFBB354000-memory.dmp	upx
behavioral1/memory/3316-1432-0x00007FFFA8BA0000-0x00007FFFA8C6E000-memory.dmp	upx
behavioral1/memory/3316-1451-0x00007FFFA9370000-0x00007FFFA9A32000-memory.dmp	upx
behavioral1/memory/3316-1464-0x00007FFFBC1D0000-0x00007FFFBC1DD000-memory.dmp	upx
behavioral1/memory/3316-1608-0x00007FFFBBB50000-0x00007FFFBBB75000-memory.dmp	upx
behavioral1/memory/3316-1465-0x00007FFFA8A80000-0x00007FFFA8B9A000-memory.dmp	upx
behavioral1/memory/3316-1463-0x00007FFFB71F0000-0x00007FFFB7204000-memory.dmp	upx
behavioral1/memory/3316-1430-0x00007FFFA8C70000-0x00007FFFA91A3000-memory.dmp	upx
behavioral1/memory/3316-1429-0x00007FFFA91B0000-0x00007FFFA91E3000-memory.dmp	upx
behavioral1/memory/3316-1428-0x00007FFFBDD40000-0x00007FFFBDD4D000-memory.dmp	upx
behavioral1/memory/3316-1427-0x00007FFFBB310000-0x00007FFFBB329000-memory.dmp	upx
behavioral1/memory/3316-1420-0x00007FFFBC130000-0x00007FFFBC149000-memory.dmp	upx
behavioral1/memory/3316-1763-0x00007FFFBB330000-0x00007FFFBB354000-memory.dmp	upx
behavioral1/memory/3316-1859-0x00007FFFA91F0000-0x00007FFFA936F000-memory.dmp	upx
behavioral1/memory/3316-1952-0x00007FFFA8C70000-0x00007FFFA91A3000-memory.dmp	upx
behavioral1/memory/3316-1951-0x00007FFFA91B0000-0x00007FFFA91E3000-memory.dmp	upx
behavioral1/memory/3316-2061-0x00007FFFA8BA0000-0x00007FFFA8C6E000-memory.dmp	upx
behavioral1/memory/2740-2263-0x00007FF6732E0000-0x00007FF673770000-memory.dmp	upx
behavioral1/memory/3316-2321-0x00007FFFA8A80000-0x00007FFFA8B9A000-memory.dmp	upx
behavioral1/memory/3316-2320-0x00007FFFA8C70000-0x00007FFFA91A3000-memory.dmp	upx
behavioral1/memory/3316-2319-0x00007FFFA91B0000-0x00007FFFA91E3000-memory.dmp	upx
behavioral1/memory/3316-2318-0x00007FFFBDD40000-0x00007FFFBDD4D000-memory.dmp	upx
behavioral1/memory/3316-2317-0x00007FFFBB310000-0x00007FFFBB329000-memory.dmp	upx
behavioral1/memory/3316-2316-0x00007FFFA8BA0000-0x00007FFFA8C6E000-memory.dmp	upx
behavioral1/memory/3316-2315-0x00007FFFBB330000-0x00007FFFBB354000-memory.dmp	upx
behavioral1/memory/3316-2314-0x00007FFFBC130000-0x00007FFFBC149000-memory.dmp	upx
behavioral1/memory/3316-2313-0x00007FFFC08E0000-0x00007FFFC08EF000-memory.dmp	upx
behavioral1/memory/3316-2312-0x00007FFFBBB50000-0x00007FFFBBB75000-memory.dmp	upx
behavioral1/memory/3316-2311-0x00007FFFBB490000-0x00007FFFBB4BC000-memory.dmp	upx
behavioral1/memory/3316-2310-0x00007FFFA91F0000-0x00007FFFA936F000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1J17p1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4408	4048	WerFault.exe	136
1040	3644	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	ba75602f28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba75602f28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	W5n58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b394g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	U0w71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3EUEYgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9feskIx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	H3tyh96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1c8ef5647.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa0db471c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce24de6ebe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	ba75602f28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1337b32aff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yiklfON.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Z9Pp9pM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3y47J.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2J9156.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C1J7SVw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0db7ba8c1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1J17p1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7104	powershell.exe
3336	PING.EXE
3060	powershell.exe
3184	PING.EXE
872	powershell.exe
1136	PING.EXE

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3EUEYgl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3EUEYgl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
2484	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
4812	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
7100	systeminfo.exe

Kills process with taskkill 14 IoCs

pid	Process
4908	taskkill.exe
1952	taskkill.exe
2512	taskkill.exe
5520	taskkill.exe
6372	taskkill.exe
2140	taskkill.exe
6452	taskkill.exe
5664	taskkill.exe
2472	taskkill.exe
384	taskkill.exe
6716	taskkill.exe
4160	taskkill.exe
6236	taskkill.exe
7056	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	firefox.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3184	PING.EXE
1136	PING.EXE
3336	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
408	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3644	9feskIx.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	1J17p1.exe
2728	1J17p1.exe
1096	skotes.exe
1096	skotes.exe
32	2J9156.exe
32	2J9156.exe
1856	3y47J.exe
1856	3y47J.exe
3140	4b394g.exe
3140	4b394g.exe
3140	4b394g.exe
3140	4b394g.exe
3060	powershell.exe
3060	powershell.exe
1080	H3tyh96.exe
1080	H3tyh96.exe
1080	H3tyh96.exe
1080	H3tyh96.exe
2128	3EUEYgl.exe
2128	3EUEYgl.exe
3644	9feskIx.exe
3644	9feskIx.exe
2128	3EUEYgl.exe
2128	3EUEYgl.exe
2216	skotes.exe
2216	skotes.exe
4468	Intel_PTT_EK_Recertification.exe
872	powershell.exe
872	powershell.exe
872	powershell.exe
4048	e1c8ef5647.exe
4048	e1c8ef5647.exe
1080	H3tyh96.exe
3456	1337b32aff.exe
3456	1337b32aff.exe
2696	ce24de6ebe.exe
2696	ce24de6ebe.exe
3644	9feskIx.exe
3644	9feskIx.exe
3672	0db7ba8c1c.exe
3672	0db7ba8c1c.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3672	0db7ba8c1c.exe
3672	0db7ba8c1c.exe
3672	0db7ba8c1c.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
1080	H3tyh96.exe
1080	H3tyh96.exe
3644	9feskIx.exe
3644	9feskIx.exe
6752	powershell.exe
6752	powershell.exe
6612	powershell.exe
6612	powershell.exe
6716	powershell.exe
6716	powershell.exe
6752	powershell.exe
6612	powershell.exe
6716	powershell.exe
1080	H3tyh96.exe
1080	H3tyh96.exe
5700	skotes.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	4b394g.exe
Token: SeRestorePrivilege	3196	7z.exe
Token: 35	3196	7z.exe
Token: SeSecurityPrivilege	3196	7z.exe
Token: SeSecurityPrivilege	3196	7z.exe
Token: SeRestorePrivilege	3360	7z.exe
Token: 35	3360	7z.exe
Token: SeSecurityPrivilege	3360	7z.exe
Token: SeSecurityPrivilege	3360	7z.exe
Token: SeRestorePrivilege	4680	7z.exe
Token: 35	4680	7z.exe
Token: SeSecurityPrivilege	4680	7z.exe
Token: SeSecurityPrivilege	4680	7z.exe
Token: SeRestorePrivilege	5100	7z.exe
Token: 35	5100	7z.exe
Token: SeSecurityPrivilege	5100	7z.exe
Token: SeSecurityPrivilege	5100	7z.exe
Token: SeRestorePrivilege	1508	7z.exe
Token: 35	1508	7z.exe
Token: SeSecurityPrivilege	1508	7z.exe
Token: SeSecurityPrivilege	1508	7z.exe
Token: SeRestorePrivilege	1756	7z.exe
Token: 35	1756	7z.exe
Token: SeSecurityPrivilege	1756	7z.exe
Token: SeSecurityPrivilege	1756	7z.exe
Token: SeRestorePrivilege	2152	7z.exe
Token: 35	2152	7z.exe
Token: SeSecurityPrivilege	2152	7z.exe
Token: SeSecurityPrivilege	2152	7z.exe
Token: SeRestorePrivilege	3316	7z.exe
Token: 35	3316	7z.exe
Token: SeSecurityPrivilege	3316	7z.exe
Token: SeSecurityPrivilege	3316	7z.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1080	H3tyh96.exe
Token: SeLockMemoryPrivilege	5024	explorer.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	3644	9feskIx.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	3672	0db7ba8c1c.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	3048	firefox.exe
Token: SeDebugPrivilege	3048	firefox.exe
Token: SeIncreaseQuotaPrivilege	6584	WMIC.exe
Token: SeSecurityPrivilege	6584	WMIC.exe
Token: SeTakeOwnershipPrivilege	6584	WMIC.exe
Token: SeLoadDriverPrivilege	6584	WMIC.exe
Token: SeSystemProfilePrivilege	6584	WMIC.exe
Token: SeSystemtimePrivilege	6584	WMIC.exe
Token: SeProfSingleProcessPrivilege	6584	WMIC.exe
Token: SeIncBasePriorityPrivilege	6584	WMIC.exe
Token: SeCreatePagefilePrivilege	6584	WMIC.exe
Token: SeBackupPrivilege	6584	WMIC.exe
Token: SeRestorePrivilege	6584	WMIC.exe
Token: SeShutdownPrivilege	6584	WMIC.exe
Token: SeDebugPrivilege	6584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6584	WMIC.exe
Token: SeRemoteShutdownPrivilege	6584	WMIC.exe
Token: SeUndockPrivilege	6584	WMIC.exe
Token: SeManageVolumePrivilege	6584	WMIC.exe
Token: 33	6584	WMIC.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3008	ba75602f28.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3008	ba75602f28.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3048	firefox.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe
3008	ba75602f28.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1080	H3tyh96.exe
3644	9feskIx.exe
3048	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 4828	556	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe	82
PID 556 wrote to memory of 4828	556	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe	82
PID 556 wrote to memory of 4828	556	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe	82
PID 4828 wrote to memory of 4804	4828	U0w71.exe	83
PID 4828 wrote to memory of 4804	4828	U0w71.exe	83
PID 4828 wrote to memory of 4804	4828	U0w71.exe	83
PID 4804 wrote to memory of 2728	4804	W5n58.exe	84
PID 4804 wrote to memory of 2728	4804	W5n58.exe	84
PID 4804 wrote to memory of 2728	4804	W5n58.exe	84
PID 2728 wrote to memory of 1096	2728	1J17p1.exe	85
PID 2728 wrote to memory of 1096	2728	1J17p1.exe	85
PID 2728 wrote to memory of 1096	2728	1J17p1.exe	85
PID 4804 wrote to memory of 32	4804	W5n58.exe	86
PID 4804 wrote to memory of 32	4804	W5n58.exe	86
PID 4804 wrote to memory of 32	4804	W5n58.exe	86
PID 4828 wrote to memory of 1856	4828	U0w71.exe	87
PID 4828 wrote to memory of 1856	4828	U0w71.exe	87
PID 4828 wrote to memory of 1856	4828	U0w71.exe	87
PID 556 wrote to memory of 3140	556	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe	90
PID 556 wrote to memory of 3140	556	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe	90
PID 556 wrote to memory of 3140	556	74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe	90
PID 1096 wrote to memory of 5064	1096	skotes.exe	93
PID 1096 wrote to memory of 5064	1096	skotes.exe	93
PID 1096 wrote to memory of 5064	1096	skotes.exe	93
PID 5064 wrote to memory of 3176	5064	C1J7SVw.exe	94
PID 5064 wrote to memory of 3176	5064	C1J7SVw.exe	94
PID 3176 wrote to memory of 4960	3176	cmd.exe	97
PID 3176 wrote to memory of 4960	3176	cmd.exe	97
PID 3176 wrote to memory of 3196	3176	cmd.exe	98
PID 3176 wrote to memory of 3196	3176	cmd.exe	98
PID 3176 wrote to memory of 3360	3176	cmd.exe	99
PID 3176 wrote to memory of 3360	3176	cmd.exe	99
PID 3176 wrote to memory of 4680	3176	cmd.exe	100
PID 3176 wrote to memory of 4680	3176	cmd.exe	100
PID 3176 wrote to memory of 5100	3176	cmd.exe	101
PID 3176 wrote to memory of 5100	3176	cmd.exe	101
PID 3176 wrote to memory of 1508	3176	cmd.exe	102
PID 3176 wrote to memory of 1508	3176	cmd.exe	102
PID 3176 wrote to memory of 1756	3176	cmd.exe	103
PID 3176 wrote to memory of 1756	3176	cmd.exe	103
PID 3176 wrote to memory of 2152	3176	cmd.exe	104
PID 3176 wrote to memory of 2152	3176	cmd.exe	104
PID 3176 wrote to memory of 3316	3176	cmd.exe	105
PID 3176 wrote to memory of 3316	3176	cmd.exe	105
PID 3176 wrote to memory of 3432	3176	cmd.exe	106
PID 3176 wrote to memory of 3432	3176	cmd.exe	106
PID 3176 wrote to memory of 3824	3176	cmd.exe	107
PID 3176 wrote to memory of 3824	3176	cmd.exe	107
PID 3824 wrote to memory of 2128	3824	in.exe	108
PID 3824 wrote to memory of 2128	3824	in.exe	108
PID 3824 wrote to memory of 4428	3824	in.exe	109
PID 3824 wrote to memory of 4428	3824	in.exe	109
PID 3824 wrote to memory of 408	3824	in.exe	110
PID 3824 wrote to memory of 408	3824	in.exe	110
PID 3824 wrote to memory of 3060	3824	in.exe	111
PID 3824 wrote to memory of 3060	3824	in.exe	111
PID 3060 wrote to memory of 3184	3060	powershell.exe	116
PID 3060 wrote to memory of 3184	3060	powershell.exe	116
PID 1096 wrote to memory of 3368	1096	skotes.exe	120
PID 1096 wrote to memory of 3368	1096	skotes.exe	120
PID 1096 wrote to memory of 3368	1096	skotes.exe	120
PID 1096 wrote to memory of 1080	1096	skotes.exe	121
PID 1096 wrote to memory of 1080	1096	skotes.exe	121
PID 1096 wrote to memory of 1080	1096	skotes.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 5 IoCs

Hidden Files and Directories

T1564.001

pid	Process
3628	attrib.exe
6860	attrib.exe
3432	attrib.exe
4428	attrib.exe
2128	attrib.exe

C:\Users\Admin\AppData\Local\Temp\74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe
"C:\Users\Admin\AppData\Local\Temp\74353c3a81ce1d692ac70fb74607a05c8bee2f2e08a524de8222c1f0be935f51.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\U0w71.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\U0w71.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\W5n58.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\W5n58.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1J17p1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1J17p1.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Users\Admin\AppData\Local\Temp\1013561001\C1J7SVw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013561001\C1J7SVw.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\system32\mode.com
        
        mode 65,10
        8⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
        
        C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        8⤵
        Views/modifies file attributes
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        9⤵
        Views/modifies file attributes
        
        PID:2128
        
        C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        9⤵
        Views/modifies file attributes
        
        PID:4428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del in.exe
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3184
      - C:\Users\Admin\AppData\Local\Temp\1013644001\Z9Pp9pM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013644001\Z9Pp9pM.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3368
      - C:\Users\Admin\AppData\Local\Temp\1013675001\H3tyh96.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013675001\H3tyh96.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1080
      - C:\Users\Admin\AppData\Local\Temp\1013765001\yiklfON.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013765001\yiklfON.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4236
      - C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe" & rd /s /q "C:\ProgramData\UAS0ZM7Y5XBA" & exit
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2484
      - C:\Users\Admin\AppData\Local\Temp\1013829001\9feskIx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013829001\9feskIx.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tpwnww.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tpwnww.exe"
        7⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tpwnww.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tpwnww.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tpwnww.exe'"
        9⤵
        
        PID:5512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tpwnww.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        9⤵
        
        PID:5524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        9⤵
        
        PID:6128
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        10⤵
        Enumerates processes with tasklist
        
        PID:6592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        9⤵
        
        PID:6160
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        10⤵
        Enumerates processes with tasklist
        
        PID:6656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        9⤵
        
        PID:320
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        9⤵
        Clipboard Data
        
        PID:2728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        10⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:6752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        9⤵
        
        PID:4548
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        10⤵
        Enumerates processes with tasklist
        
        PID:7076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:3540
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:7064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        9⤵
        
        PID:6308
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        10⤵
        Gathers system information
        
        PID:7100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        9⤵
        
        PID:6232
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        10⤵
        
        PID:7092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:5172
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:5760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:5744
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:2484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        9⤵
        
        PID:5072
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        10⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:3628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:6228
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:6468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:6484
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:6972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        9⤵
        
        PID:6620
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        10⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:6860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        9⤵
        
        PID:6948
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        10⤵
        
        PID:5068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        9⤵
        
        PID:6792
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        10⤵
        Enumerates processes with tasklist
        
        PID:4300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3048"
        9⤵
        
        PID:3536
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3048
        10⤵
        Kills process with taskkill
        
        PID:6236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4088"
        9⤵
        
        PID:5572
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4088
        10⤵
        Kills process with taskkill
        
        PID:7056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3984"
        9⤵
        
        PID:6244
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3984
        10⤵
        Kills process with taskkill
        
        PID:6716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2864"
        9⤵
        
        PID:6032
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2864
        10⤵
        Kills process with taskkill
        
        PID:5520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1844"
        9⤵
        
        PID:5460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1844
        10⤵
        Kills process with taskkill
        
        PID:6452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6956"
        9⤵
        
        PID:6356
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 6956
        10⤵
        Kills process with taskkill
        
        PID:6372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5704"
        9⤵
        
        PID:7140
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5704
        10⤵
        Kills process with taskkill
        
        PID:5664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5716"
        9⤵
        
        PID:6776
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5716
        10⤵
        Kills process with taskkill
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5728"
        9⤵
        
        PID:4760
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5728
        10⤵
        Kills process with taskkill
        
        PID:384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        9⤵
        
        PID:4700
        
        C:\Windows\system32\getmac.exe
        
        getmac
        10⤵
        
        PID:1820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI23962\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\izxiX.zip" *"
        9⤵
        
        PID:6972
        
        C:\Users\Admin\AppData\Local\Temp\_MEI23962\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI23962\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\izxiX.zip" *
        10⤵
        Executes dropped EXE
        
        PID:6460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        9⤵
        
        PID:6952
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        10⤵
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        9⤵
        
        PID:6948
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        10⤵
        
        PID:1564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        9⤵
        
        PID:5388
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        10⤵
        
        PID:6660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        9⤵
        
        PID:5412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        9⤵
        
        PID:5636
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        10⤵
        Detects videocard installed
        
        PID:4812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        9⤵
        
        PID:2140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        10⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 3024
        7⤵
        Program crash
        
        PID:1040
      - C:\Users\Admin\AppData\Local\Temp\1013851001\e1c8ef5647.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013851001\e1c8ef5647.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 780
        7⤵
        Program crash
        
        PID:4408
      - C:\Users\Admin\AppData\Local\Temp\1013852001\fa0db471c4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013852001\fa0db471c4.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1412
      - C:\Users\Admin\AppData\Local\Temp\1013853001\1337b32aff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013853001\1337b32aff.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3456
      - C:\Users\Admin\AppData\Local\Temp\1013854001\ce24de6ebe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013854001\ce24de6ebe.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2696
      - C:\Users\Admin\AppData\Local\Temp\1013855001\ba75602f28.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013855001\ba75602f28.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3008
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:3892
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79be303b-fb63-4d1f-b042-7cfe72dae42d} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" gpu
        9⤵
        
        PID:4088
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2504 -parentBuildID 20240401114208 -prefsHandle 2496 -prefMapHandle 2484 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {755d4240-9598-4df3-b8f3-a8abe7fe6056} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" socket
        9⤵
        
        PID:3984
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3232 -childID 1 -isForBrowser -prefsHandle 3224 -prefMapHandle 3088 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc7c39ec-37f4-4b96-a7c0-662b4b2f5d08} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
        9⤵
        
        PID:2864
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3804 -childID 2 -isForBrowser -prefsHandle 3788 -prefMapHandle 2688 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61ae0ed7-7847-48f0-b408-f191b06eafc0} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
        9⤵
        
        PID:1844
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4900 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4892 -prefMapHandle 4888 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5782bfb-de09-4bf2-85af-279fe205ba03} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" utility
        9⤵
        Checks processor information in registry
        
        PID:6956
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4892 -childID 3 -isForBrowser -prefsHandle 5620 -prefMapHandle 5284 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2e82cb8-954d-4759-9a43-ee0e3e526c84} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
        9⤵
        
        PID:5704
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 4 -isForBrowser -prefsHandle 5804 -prefMapHandle 5808 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eab48add-0bf0-4ff7-b4a6-91a54add706c} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
        9⤵
        
        PID:5716
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5980 -childID 5 -isForBrowser -prefsHandle 5988 -prefMapHandle 5992 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab0da907-c981-4a84-91e2-6e455f070fb1} 3048 "\\.\pipe\gecko-crash-server-pipe.3048" tab
        9⤵
        
        PID:5728
      - C:\Users\Admin\AppData\Local\Temp\1013856001\0db7ba8c1c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013856001\0db7ba8c1c.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2J9156.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2J9156.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:32
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3y47J.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3y47J.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4b394g.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4b394g.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3140

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4468
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" 127.1.10.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4048 -ip 4048
1⤵
PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3644 -ip 3644
1⤵
PID:6824

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5700

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2740
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:5472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:7104
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" 127.1.10.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion