amadey | bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	a60831c19d.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d2685c2275.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7eff8ba03f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	224e7b0ef4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JHP6U8VNYR5ZQNDVC.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	OO0U0BZ4FUI6HHA2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a60831c19d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	83dfb7f35d.exe

Downloads MZ/PE file 8 IoCs

flow	pid	Process
8	1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
14	2428	skotes.exe
14	2428	skotes.exe
14	2428	skotes.exe
14	2428	skotes.exe
14	2428	skotes.exe
14	2428	skotes.exe
18	2976	BitLockerToGo.exe

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
1348	chrome.exe
2196	chrome.exe
2320	chrome.exe
1556	chrome.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x00050000000195cc-169.dat	net_reactor
behavioral1/memory/1756-189-0x0000000000E60000-0x0000000000F1E000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d2685c2275.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a60831c19d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a60831c19d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	224e7b0ef4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	83dfb7f35d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OO0U0BZ4FUI6HHA2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7eff8ba03f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	224e7b0ef4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JHP6U8VNYR5ZQNDVC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OO0U0BZ4FUI6HHA2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d2685c2275.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	83dfb7f35d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7eff8ba03f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JHP6U8VNYR5ZQNDVC.exe

Executes dropped EXE 10 IoCs

pid	Process
2544	JHP6U8VNYR5ZQNDVC.exe
1860	OO0U0BZ4FUI6HHA2.exe
2428	skotes.exe
1140	d2685c2275.exe
2480	a60831c19d.exe
2820	7eff8ba03f.exe
1916	224e7b0ef4.exe
1756	b3c5c758bc.exe
820	b3c5c758bc.exe
2920	83dfb7f35d.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	d2685c2275.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	a60831c19d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	7eff8ba03f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	83dfb7f35d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	OO0U0BZ4FUI6HHA2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	224e7b0ef4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	JHP6U8VNYR5ZQNDVC.exe

Loads dropped DLL 25 IoCs

pid	Process
1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
1860	OO0U0BZ4FUI6HHA2.exe
1860	OO0U0BZ4FUI6HHA2.exe
2428	skotes.exe
2428	skotes.exe
2428	skotes.exe
2428	skotes.exe
2428	skotes.exe
2636	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe
2428	skotes.exe
2428	skotes.exe
1756	b3c5c758bc.exe
2272	WerFault.exe
2272	WerFault.exe
2272	WerFault.exe
2272	WerFault.exe
2272	WerFault.exe
2428	skotes.exe
2428	skotes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	83dfb7f35d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
2544	JHP6U8VNYR5ZQNDVC.exe
1860	OO0U0BZ4FUI6HHA2.exe
2428	skotes.exe
1140	d2685c2275.exe
2480	a60831c19d.exe
2820	7eff8ba03f.exe
1916	224e7b0ef4.exe
2920	83dfb7f35d.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1140 set thread context of 2976	1140	d2685c2275.exe	38
PID 1756 set thread context of 820	1756	b3c5c758bc.exe	46

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	OO0U0BZ4FUI6HHA2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2636	2820	WerFault.exe	40
2272	1756	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a60831c19d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3c5c758bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JHP6U8VNYR5ZQNDVC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2685c2275.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7eff8ba03f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	224e7b0ef4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3c5c758bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OO0U0BZ4FUI6HHA2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a60831c19d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a60831c19d.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

defense_evasion spyware trojan

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	224e7b0ef4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	224e7b0ef4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	224e7b0ef4.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
2544	JHP6U8VNYR5ZQNDVC.exe
1860	OO0U0BZ4FUI6HHA2.exe
2428	skotes.exe
1140	d2685c2275.exe
2480	a60831c19d.exe
2480	a60831c19d.exe
2480	a60831c19d.exe
2480	a60831c19d.exe
2480	a60831c19d.exe
2480	a60831c19d.exe
2820	7eff8ba03f.exe
2820	7eff8ba03f.exe
2820	7eff8ba03f.exe
2820	7eff8ba03f.exe
2820	7eff8ba03f.exe
1916	224e7b0ef4.exe
820	b3c5c758bc.exe
820	b3c5c758bc.exe
820	b3c5c758bc.exe
820	b3c5c758bc.exe
2920	83dfb7f35d.exe
1348	chrome.exe
1348	chrome.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe
Token: SeShutdownPrivilege	1348	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1860	OO0U0BZ4FUI6HHA2.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe
1348	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2544	1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	32
PID 1620 wrote to memory of 2544	1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	32
PID 1620 wrote to memory of 2544	1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	32
PID 1620 wrote to memory of 2544	1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	32
PID 1620 wrote to memory of 1860	1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	33
PID 1620 wrote to memory of 1860	1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	33
PID 1620 wrote to memory of 1860	1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	33
PID 1620 wrote to memory of 1860	1620	bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe	33
PID 1860 wrote to memory of 2428	1860	OO0U0BZ4FUI6HHA2.exe	34
PID 1860 wrote to memory of 2428	1860	OO0U0BZ4FUI6HHA2.exe	34
PID 1860 wrote to memory of 2428	1860	OO0U0BZ4FUI6HHA2.exe	34
PID 1860 wrote to memory of 2428	1860	OO0U0BZ4FUI6HHA2.exe	34
PID 2428 wrote to memory of 1140	2428	skotes.exe	36
PID 2428 wrote to memory of 1140	2428	skotes.exe	36
PID 2428 wrote to memory of 1140	2428	skotes.exe	36
PID 2428 wrote to memory of 1140	2428	skotes.exe	36
PID 2428 wrote to memory of 2480	2428	skotes.exe	37
PID 2428 wrote to memory of 2480	2428	skotes.exe	37
PID 2428 wrote to memory of 2480	2428	skotes.exe	37
PID 2428 wrote to memory of 2480	2428	skotes.exe	37
PID 1140 wrote to memory of 2976	1140	d2685c2275.exe	38
PID 1140 wrote to memory of 2976	1140	d2685c2275.exe	38
PID 1140 wrote to memory of 2976	1140	d2685c2275.exe	38
PID 1140 wrote to memory of 2976	1140	d2685c2275.exe	38
PID 1140 wrote to memory of 2976	1140	d2685c2275.exe	38
PID 1140 wrote to memory of 2976	1140	d2685c2275.exe	38
PID 1140 wrote to memory of 2976	1140	d2685c2275.exe	38
PID 1140 wrote to memory of 2976	1140	d2685c2275.exe	38
PID 1140 wrote to memory of 2976	1140	d2685c2275.exe	38
PID 1140 wrote to memory of 2976	1140	d2685c2275.exe	38
PID 1140 wrote to memory of 2976	1140	d2685c2275.exe	38
PID 2428 wrote to memory of 2820	2428	skotes.exe	40
PID 2428 wrote to memory of 2820	2428	skotes.exe	40
PID 2428 wrote to memory of 2820	2428	skotes.exe	40
PID 2428 wrote to memory of 2820	2428	skotes.exe	40
PID 2820 wrote to memory of 2636	2820	7eff8ba03f.exe	42
PID 2820 wrote to memory of 2636	2820	7eff8ba03f.exe	42
PID 2820 wrote to memory of 2636	2820	7eff8ba03f.exe	42
PID 2820 wrote to memory of 2636	2820	7eff8ba03f.exe	42
PID 2428 wrote to memory of 1916	2428	skotes.exe	43
PID 2428 wrote to memory of 1916	2428	skotes.exe	43
PID 2428 wrote to memory of 1916	2428	skotes.exe	43
PID 2428 wrote to memory of 1916	2428	skotes.exe	43
PID 2428 wrote to memory of 1756	2428	skotes.exe	45
PID 2428 wrote to memory of 1756	2428	skotes.exe	45
PID 2428 wrote to memory of 1756	2428	skotes.exe	45
PID 2428 wrote to memory of 1756	2428	skotes.exe	45
PID 1756 wrote to memory of 820	1756	b3c5c758bc.exe	46
PID 1756 wrote to memory of 820	1756	b3c5c758bc.exe	46
PID 1756 wrote to memory of 820	1756	b3c5c758bc.exe	46
PID 1756 wrote to memory of 820	1756	b3c5c758bc.exe	46
PID 1756 wrote to memory of 820	1756	b3c5c758bc.exe	46
PID 1756 wrote to memory of 820	1756	b3c5c758bc.exe	46
PID 1756 wrote to memory of 820	1756	b3c5c758bc.exe	46
PID 1756 wrote to memory of 820	1756	b3c5c758bc.exe	46
PID 1756 wrote to memory of 820	1756	b3c5c758bc.exe	46
PID 1756 wrote to memory of 820	1756	b3c5c758bc.exe	46
PID 1756 wrote to memory of 2272	1756	b3c5c758bc.exe	47
PID 1756 wrote to memory of 2272	1756	b3c5c758bc.exe	47
PID 1756 wrote to memory of 2272	1756	b3c5c758bc.exe	47
PID 1756 wrote to memory of 2272	1756	b3c5c758bc.exe	47
PID 2428 wrote to memory of 2920	2428	skotes.exe	48
PID 2428 wrote to memory of 2920	2428	skotes.exe	48
PID 2428 wrote to memory of 2920	2428	skotes.exe	48

C:\Users\Admin\AppData\Local\Temp\bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe
"C:\Users\Admin\AppData\Local\Temp\bdcf554198a5dc7d2367103854d9ab0088302d7a3d60b9b71a4882afb537b7b2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\JHP6U8VNYR5ZQNDVC.exe
  "C:\Users\Admin\AppData\Local\Temp\JHP6U8VNYR5ZQNDVC.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\OO0U0BZ4FUI6HHA2.exe
  "C:\Users\Admin\AppData\Local\Temp\OO0U0BZ4FUI6HHA2.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\1069301001\d2685c2275.exe
      "C:\Users\Admin\AppData\Local\Temp\1069301001\d2685c2275.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        5⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\1069302001\a60831c19d.exe
      "C:\Users\Admin\AppData\Local\Temp\1069302001\a60831c19d.exe"
      4⤵
      Enumerates VirtualBox registry keys
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2480
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1348
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef8089758,0x7fef8089768,0x7fef8089778
        6⤵
        
        PID:2180
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:572
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1280,i,5911918677510171048,8145694989003608598,131072 /prefetch:2
        6⤵
        
        PID:372
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1280,i,5911918677510171048,8145694989003608598,131072 /prefetch:8
        6⤵
        
        PID:2592
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1280,i,5911918677510171048,8145694989003608598,131072 /prefetch:8
        6⤵
        
        PID:1508
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2312 --field-trial-handle=1280,i,5911918677510171048,8145694989003608598,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2320
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1280,i,5911918677510171048,8145694989003608598,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2196
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3248 --field-trial-handle=1280,i,5911918677510171048,8145694989003608598,131072 /prefetch:2
        6⤵
        
        PID:2976
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1300 --field-trial-handle=1280,i,5911918677510171048,8145694989003608598,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1556
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3532 --field-trial-handle=1280,i,5911918677510171048,8145694989003608598,131072 /prefetch:8
        6⤵
        
        PID:1628
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1372 --field-trial-handle=1280,i,5911918677510171048,8145694989003608598,131072 /prefetch:8
        6⤵
        
        PID:304
  - - C:\Users\Admin\AppData\Local\Temp\1069303001\7eff8ba03f.exe
      "C:\Users\Admin\AppData\Local\Temp\1069303001\7eff8ba03f.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1232
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\1069304001\224e7b0ef4.exe
      "C:\Users\Admin\AppData\Local\Temp\1069304001\224e7b0ef4.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\1069305001\b3c5c758bc.exe
      "C:\Users\Admin\AppData\Local\Temp\1069305001\b3c5c758bc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\1069305001\b3c5c758bc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069305001\b3c5c758bc.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 516
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\1069306001\83dfb7f35d.exe
      "C:\Users\Admin\AppData\Local\Temp\1069306001\83dfb7f35d.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:2920

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion