d5395f121277d2b38f4173c7df0a20a3de99edfcfe2aa697080cc81170eb76ab

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe

Executes dropped EXE 11 IoCs

pid	Process
2880	Bahhhh.exe
3860	Berkelium.exe
1768	Boron.exe
3420	Californium.exe
4088	CatDaMBR.exe
4856	Cobalt.exe
1920	Curium.exe
2936	Einsteinium.exe
2132	EternalOrange.exe
2416	Fermium.exe
5492	Flerovium.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CustomMBR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CatDaMBR.exe -BypassWarning"	CatDaMBR.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3492	GameBarPresenceWriter.exe

Writes to the Master Boot Record (MBR) 1 TTPs 8 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Einsteinium.exe
File opened for modification	\??\PhysicalDrive0	Flerovium.exe
File opened for modification	\??\PhysicalDrive0	Curium.exe
File opened for modification	\??\PhysicalDrive0	Boron.exe
File opened for modification	\??\PhysicalDrive0	Cobalt.exe
File opened for modification	\??\PhysicalDrive0	Berkelium.exe
File opened for modification	\??\PhysicalDrive0	CatDaMBR.exe
File opened for modification	\??\PhysicalDrive0	Fermium.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5624	3228	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fermium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Curium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Berkelium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Californium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flerovium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahhhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cobalt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CatDaMBR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EternalOrange.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boron.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Einsteinium.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
1656	taskkill.exe
3812	taskkill.exe
2572	taskkill.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "212"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1294999112-580688058-1763548717-1000\{851FA38C-DC9E-43C7-82CA-056FC643E217}	svchost.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry

T1112

pid	Process
5172	reg.exe
1464	reg.exe
2200	reg.exe
4472	reg.exe
1924	reg.exe
464	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2052	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1768	Boron.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	3924	dwm.exe
Token: SeChangeNotifyPrivilege	3924	dwm.exe
Token: 33	3924	dwm.exe
Token: SeIncBasePriorityPrivilege	3924	dwm.exe
Token: SeCreateGlobalPrivilege	1532	dwm.exe
Token: SeChangeNotifyPrivilege	1532	dwm.exe
Token: 33	1532	dwm.exe
Token: SeIncBasePriorityPrivilege	1532	dwm.exe
Token: SeShutdownPrivilege	4088	CatDaMBR.exe
Token: SeDebugPrivilege	2416	Fermium.exe
Token: SeDebugPrivilege	2936	Einsteinium.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: 33	3688	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3688	AUDIODG.EXE
Token: SeDebugPrivilege	1920	Curium.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	3860	Berkelium.exe
Token: SeShutdownPrivilege	1532	dwm.exe
Token: SeCreatePagefilePrivilege	1532	dwm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4088	CatDaMBR.exe
5304	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 2880	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	86
PID 3228 wrote to memory of 2880	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	86
PID 3228 wrote to memory of 2880	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	86
PID 3228 wrote to memory of 3860	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	87
PID 3228 wrote to memory of 3860	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	87
PID 3228 wrote to memory of 3860	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	87
PID 3228 wrote to memory of 1768	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	88
PID 3228 wrote to memory of 1768	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	88
PID 3228 wrote to memory of 1768	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	88
PID 3228 wrote to memory of 3420	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	89
PID 3228 wrote to memory of 3420	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	89
PID 3228 wrote to memory of 3420	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	89
PID 3228 wrote to memory of 4088	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	90
PID 3228 wrote to memory of 4088	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	90
PID 3228 wrote to memory of 4088	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	90
PID 3228 wrote to memory of 4856	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	91
PID 3228 wrote to memory of 4856	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	91
PID 3228 wrote to memory of 4856	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	91
PID 3228 wrote to memory of 1920	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	92
PID 3228 wrote to memory of 1920	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	92
PID 3228 wrote to memory of 1920	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	92
PID 3228 wrote to memory of 5676	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	93
PID 3228 wrote to memory of 5676	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	93
PID 3228 wrote to memory of 5676	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	93
PID 3228 wrote to memory of 2936	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	94
PID 3228 wrote to memory of 2936	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	94
PID 3228 wrote to memory of 2936	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	94
PID 3228 wrote to memory of 2132	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	96
PID 3228 wrote to memory of 2132	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	96
PID 3228 wrote to memory of 2132	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	96
PID 3228 wrote to memory of 2416	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	97
PID 3228 wrote to memory of 2416	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	97
PID 3228 wrote to memory of 2416	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	97
PID 3228 wrote to memory of 5492	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	99
PID 3228 wrote to memory of 5492	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	99
PID 3228 wrote to memory of 5492	3228	6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe	99
PID 4088 wrote to memory of 2052	4088	CatDaMBR.exe	110
PID 4088 wrote to memory of 2052	4088	CatDaMBR.exe	110
PID 4088 wrote to memory of 2052	4088	CatDaMBR.exe	110
PID 5492 wrote to memory of 3188	5492	Flerovium.exe	114
PID 5492 wrote to memory of 3188	5492	Flerovium.exe	114
PID 5492 wrote to memory of 3188	5492	Flerovium.exe	114
PID 3188 wrote to memory of 1656	3188	cmd.exe	117
PID 3188 wrote to memory of 1656	3188	cmd.exe	117
PID 3188 wrote to memory of 1656	3188	cmd.exe	117
PID 5492 wrote to memory of 5972	5492	Flerovium.exe	119
PID 5492 wrote to memory of 5972	5492	Flerovium.exe	119
PID 5492 wrote to memory of 5972	5492	Flerovium.exe	119
PID 5972 wrote to memory of 2200	5972	cmd.exe	121
PID 5972 wrote to memory of 2200	5972	cmd.exe	121
PID 5972 wrote to memory of 2200	5972	cmd.exe	121
PID 5492 wrote to memory of 5092	5492	Flerovium.exe	122
PID 5492 wrote to memory of 5092	5492	Flerovium.exe	122
PID 5492 wrote to memory of 5092	5492	Flerovium.exe	122
PID 5092 wrote to memory of 4472	5092	cmd.exe	124
PID 5092 wrote to memory of 4472	5092	cmd.exe	124
PID 5092 wrote to memory of 4472	5092	cmd.exe	124
PID 4856 wrote to memory of 3512	4856	Cobalt.exe	126
PID 4856 wrote to memory of 3512	4856	Cobalt.exe	126
PID 4856 wrote to memory of 3512	4856	Cobalt.exe	126
PID 1768 wrote to memory of 2924	1768	Boron.exe	127
PID 1768 wrote to memory of 2924	1768	Boron.exe	127
PID 1768 wrote to memory of 2924	1768	Boron.exe	127
PID 2924 wrote to memory of 3812	2924	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe
"C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\6abdd72e82088f5aab90dc9e02f2d9781cea1b3f1c84b3f16df4810956f68ef2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Local\Temp\Bahhhh.exe
  "C:\Users\Admin\AppData\Local\Temp\Bahhhh.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\Berkelium.exe
  "C:\Users\Admin\AppData\Local\Temp\Berkelium.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Users\Admin\AppData\Local\Temp\Boron.exe
  "C:\Users\Admin\AppData\Local\Temp\Boron.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG DELETE HKCU /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6068
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE HKCU /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:5172
- C:\Users\Admin\AppData\Local\Temp\Californium.exe
  "C:\Users\Admin\AppData\Local\Temp\Californium.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3420
- C:\Users\Admin\AppData\Local\Temp\CatDaMBR.exe
  "C:\Users\Admin\AppData\Local\Temp\CatDaMBR.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN CustomMBR /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\CatDaMBR.exe -BypassWarning"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2052
- C:\Users\Admin\AppData\Local\Temp\Cobalt.exe
  "C:\Users\Admin\AppData\Local\Temp\Cobalt.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG DELETE HKCU /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4116
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE HKCU /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:576
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1464
- C:\Users\Admin\AppData\Local\Temp\Curium.exe
  "C:\Users\Admin\AppData\Local\Temp\Curium.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eee.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5676
- C:\Users\Admin\AppData\Local\Temp\Einsteinium.exe
  "C:\Users\Admin\AppData\Local\Temp\Einsteinium.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\EternalOrange.exe
  "C:\Users\Admin\AppData\Local\Temp\EternalOrange.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2132
- C:\Users\Admin\AppData\Local\Temp\Fermium.exe
  "C:\Users\Admin\AppData\Local\Temp\Fermium.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\Flerovium.exe
  "C:\Users\Admin\AppData\Local\Temp\Flerovium.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG DELETE HKCU /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5972
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE HKCU /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1832
  2⤵
  - Program crash
  PID:5624

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:3492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2780

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3228 -ip 3228
1⤵
PID:3864

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3951855 /state1:0x41c64e6d
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:4932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x474 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3917055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery