amadey | ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	22e5ab3327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	22e5ab3327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	22e5ab3327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	22e5ab3327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	22e5ab3327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	22e5ab3327.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	48fa0ab4bd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c4307adc9f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	22e5ab3327.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2104	powershell.exe
3344	powershell.exe
3708	powershell.exe
4040	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	IDEK.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GoogleUpdateTaskMachineQC\ImagePath = "C:\\ProgramData\\Google\\Chrome\\updater.exe"	services.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	48fa0ab4bd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c4307adc9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	22e5ab3327.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	48fa0ab4bd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c4307adc9f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	22e5ab3327.exe

Executes dropped EXE 7 IoCs

pid	Process
2576	skotes.exe
2172	DLER214.exe
1880	48fa0ab4bd.exe
1140	c4307adc9f.exe
2116	303139718c.exe
1240	22e5ab3327.exe
1940	IDEK.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	48fa0ab4bd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	c4307adc9f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	22e5ab3327.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe

Loads dropped DLL 15 IoCs

pid	Process
2432	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe
2576	skotes.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
2576	skotes.exe
2576	skotes.exe
2576	skotes.exe
2576	skotes.exe
2576	skotes.exe
2576	skotes.exe
2576	skotes.exe
2576	skotes.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	22e5ab3327.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	22e5ab3327.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\48fa0ab4bd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004066001\\48fa0ab4bd.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\c4307adc9f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004067001\\c4307adc9f.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\303139718c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004068001\\303139718c.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\22e5ab3327.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004069001\\22e5ab3327.exe"	skotes.exe

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2232	powercfg.exe
2424	powercfg.exe
3844	powercfg.exe
3824	powercfg.exe
3804	powercfg.exe
3836	powercfg.exe
2520	powercfg.exe
2116	powercfg.exe
3808	powercfg.exe
4056	powercfg.exe
908	powercfg.exe
2104	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00050000000191df-94.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	IDEK.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2432	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe
2576	skotes.exe
1880	48fa0ab4bd.exe
1140	c4307adc9f.exe
1240	22e5ab3327.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 2904	1940	IDEK.exe	82

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2904	sc.exe
3236	sc.exe
2040	sc.exe
2464	sc.exe
2288	sc.exe
3640	sc.exe
3224	sc.exe
2360	sc.exe
3588	sc.exe
3632	sc.exe
3392	sc.exe
2360	sc.exe
536	sc.exe
1724	sc.exe
3360	sc.exe
2240	sc.exe
3728	sc.exe
3776	sc.exe
3700	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1520	2172	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	303139718c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22e5ab3327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DLER214.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48fa0ab4bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4307adc9f.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2244	taskkill.exe
2908	taskkill.exe
2200	taskkill.exe
1944	taskkill.exe
1712	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2432	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe
2576	skotes.exe
1880	48fa0ab4bd.exe
1140	c4307adc9f.exe
2116	303139718c.exe
2116	303139718c.exe
1240	22e5ab3327.exe
1240	22e5ab3327.exe
1240	22e5ab3327.exe
1940	IDEK.exe
2104	powershell.exe
1940	IDEK.exe
1940	IDEK.exe
1940	IDEK.exe
1940	IDEK.exe
1940	IDEK.exe
1940	IDEK.exe
1940	IDEK.exe
1940	IDEK.exe
1940	IDEK.exe
1940	IDEK.exe
1940	IDEK.exe
1940	IDEK.exe
2904	dialer.exe
2904	dialer.exe
2904	dialer.exe
2904	dialer.exe
2904	dialer.exe
2904	dialer.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
2904	dialer.exe
2904	dialer.exe
2904	dialer.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
1940	IDEK.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
2904	dialer.exe
2904	dialer.exe
2904	dialer.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
848	svchost.exe
1940	IDEK.exe
1940	IDEK.exe
848	svchost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	DLER214.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeDebugPrivilege	1240	22e5ab3327.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2904	dialer.exe
Token: SeShutdownPrivilege	2520	powercfg.exe
Token: SeShutdownPrivilege	2116	powercfg.exe
Token: SeShutdownPrivilege	2232	powercfg.exe
Token: SeShutdownPrivilege	2424	powercfg.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2432	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe
2116	303139718c.exe
2116	303139718c.exe
2116	303139718c.exe
2116	303139718c.exe
2116	303139718c.exe
2116	303139718c.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2116	303139718c.exe
2116	303139718c.exe
2116	303139718c.exe
2116	303139718c.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2116	303139718c.exe
2116	303139718c.exe
2116	303139718c.exe
2116	303139718c.exe
2116	303139718c.exe
2116	303139718c.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2116	303139718c.exe
2116	303139718c.exe
2116	303139718c.exe
2116	303139718c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2576	2432	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe	30
PID 2432 wrote to memory of 2576	2432	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe	30
PID 2432 wrote to memory of 2576	2432	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe	30
PID 2432 wrote to memory of 2576	2432	ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe	30
PID 2576 wrote to memory of 2172	2576	skotes.exe	31
PID 2576 wrote to memory of 2172	2576	skotes.exe	31
PID 2576 wrote to memory of 2172	2576	skotes.exe	31
PID 2576 wrote to memory of 2172	2576	skotes.exe	31
PID 2172 wrote to memory of 1520	2172	DLER214.exe	33
PID 2172 wrote to memory of 1520	2172	DLER214.exe	33
PID 2172 wrote to memory of 1520	2172	DLER214.exe	33
PID 2172 wrote to memory of 1520	2172	DLER214.exe	33
PID 2576 wrote to memory of 1880	2576	skotes.exe	34
PID 2576 wrote to memory of 1880	2576	skotes.exe	34
PID 2576 wrote to memory of 1880	2576	skotes.exe	34
PID 2576 wrote to memory of 1880	2576	skotes.exe	34
PID 2576 wrote to memory of 1140	2576	skotes.exe	36
PID 2576 wrote to memory of 1140	2576	skotes.exe	36
PID 2576 wrote to memory of 1140	2576	skotes.exe	36
PID 2576 wrote to memory of 1140	2576	skotes.exe	36
PID 2576 wrote to memory of 2116	2576	skotes.exe	37
PID 2576 wrote to memory of 2116	2576	skotes.exe	37
PID 2576 wrote to memory of 2116	2576	skotes.exe	37
PID 2576 wrote to memory of 2116	2576	skotes.exe	37
PID 2116 wrote to memory of 2244	2116	303139718c.exe	38
PID 2116 wrote to memory of 2244	2116	303139718c.exe	38
PID 2116 wrote to memory of 2244	2116	303139718c.exe	38
PID 2116 wrote to memory of 2244	2116	303139718c.exe	38
PID 2116 wrote to memory of 2908	2116	303139718c.exe	40
PID 2116 wrote to memory of 2908	2116	303139718c.exe	40
PID 2116 wrote to memory of 2908	2116	303139718c.exe	40
PID 2116 wrote to memory of 2908	2116	303139718c.exe	40
PID 2116 wrote to memory of 2200	2116	303139718c.exe	42
PID 2116 wrote to memory of 2200	2116	303139718c.exe	42
PID 2116 wrote to memory of 2200	2116	303139718c.exe	42
PID 2116 wrote to memory of 2200	2116	303139718c.exe	42
PID 2116 wrote to memory of 1944	2116	303139718c.exe	44
PID 2116 wrote to memory of 1944	2116	303139718c.exe	44
PID 2116 wrote to memory of 1944	2116	303139718c.exe	44
PID 2116 wrote to memory of 1944	2116	303139718c.exe	44
PID 2116 wrote to memory of 1712	2116	303139718c.exe	46
PID 2116 wrote to memory of 1712	2116	303139718c.exe	46
PID 2116 wrote to memory of 1712	2116	303139718c.exe	46
PID 2116 wrote to memory of 1712	2116	303139718c.exe	46
PID 2116 wrote to memory of 2824	2116	303139718c.exe	48
PID 2116 wrote to memory of 2824	2116	303139718c.exe	48
PID 2116 wrote to memory of 2824	2116	303139718c.exe	48
PID 2116 wrote to memory of 2824	2116	303139718c.exe	48
PID 2824 wrote to memory of 2728	2824	firefox.exe	49
PID 2824 wrote to memory of 2728	2824	firefox.exe	49
PID 2824 wrote to memory of 2728	2824	firefox.exe	49
PID 2824 wrote to memory of 2728	2824	firefox.exe	49
PID 2824 wrote to memory of 2728	2824	firefox.exe	49
PID 2824 wrote to memory of 2728	2824	firefox.exe	49
PID 2824 wrote to memory of 2728	2824	firefox.exe	49
PID 2824 wrote to memory of 2728	2824	firefox.exe	49
PID 2824 wrote to memory of 2728	2824	firefox.exe	49
PID 2824 wrote to memory of 2728	2824	firefox.exe	49
PID 2824 wrote to memory of 2728	2824	firefox.exe	49
PID 2824 wrote to memory of 2728	2824	firefox.exe	49
PID 2728 wrote to memory of 2432	2728	firefox.exe	50
PID 2728 wrote to memory of 2432	2728	firefox.exe	50
PID 2728 wrote to memory of 2432	2728	firefox.exe	50
PID 2728 wrote to memory of 1556	2728	firefox.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:596
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1244
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1488
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:1296
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:676
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:752
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:820
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1168
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:848
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:972
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:284
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:348
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1072
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1108
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1092
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2892
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2088
- C:\ProgramData\Google\Chrome\updater.exe
  C:\ProgramData\Google\Chrome\updater.exe
  2⤵
  PID:3264
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3576
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3628
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3588
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3640
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3700
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:3728
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:3776
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:3804
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:3808
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3824
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:3844
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:3908
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3708
  - - C:\ProgramData\Google\Chrome\updater.exe
      "C:\ProgramData\Google\Chrome\updater.exe"
      4⤵
      PID:3748
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3180
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:1932
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:3632
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2360
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:3392
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:3236
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:3224
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        
        PID:2104
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        
        PID:908
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        
        PID:3836
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:4056
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        
        PID:3280
    - - C:\Windows\system32\dialer.exe
        
        dialer.exe
        5⤵
        
        PID:3596
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    PID:4012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe
  "C:\Users\Admin\AppData\Local\Temp\ac0b68558b6952cba1922a80d3c687c3789909db072e27ac0d0be6e2169f7ac6.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\1004053001\DLER214.exe
      "C:\Users\Admin\AppData\Local\Temp\1004053001\DLER214.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 1076
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\1004066001\48fa0ab4bd.exe
      "C:\Users\Admin\AppData\Local\Temp\1004066001\48fa0ab4bd.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\1004067001\c4307adc9f.exe
      "C:\Users\Admin\AppData\Local\Temp\1004067001\c4307adc9f.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\1004068001\303139718c.exe
      "C:\Users\Admin\AppData\Local\Temp\1004068001\303139718c.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        6⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.0.1806544885\1931213873" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38f7b4d1-5b12-42ff-84dd-8916b0d121f7} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 1280 112d7e58 gpu
        7⤵
        
        PID:2432
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.1.1824718330\355628705" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e730873-4f95-457b-a532-42a42fd80562} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 1496 e74258 socket
        7⤵
        
        PID:1556
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.2.325026125\1735163912" -childID 1 -isForBrowser -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae49892c-8c42-4b5a-b253-1bef99f33454} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 2100 1a296358 tab
        7⤵
        
        PID:1044
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.3.506017690\126761659" -childID 2 -isForBrowser -prefsHandle 2896 -prefMapHandle 2892 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {836f71f3-dfee-4fb3-917f-5b222d483399} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 2908 1d3d9658 tab
        7⤵
        
        PID:1828
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.4.252885092\440843252" -childID 3 -isForBrowser -prefsHandle 3720 -prefMapHandle 3808 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29cf8800-467f-4496-974c-51c5b9768871} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 3820 202fb858 tab
        7⤵
        
        PID:1088
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.5.938538595\2135173875" -childID 4 -isForBrowser -prefsHandle 3928 -prefMapHandle 3932 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32a5dee7-87d2-4edb-a41e-6de22725b171} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 3916 202fa358 tab
        7⤵
        
        PID:2964
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.6.1606130148\324010270" -childID 5 -isForBrowser -prefsHandle 3996 -prefMapHandle 3940 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d05e361-62eb-44dd-8c0d-8339d342c5f9} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 3984 202fa658 tab
        7⤵
        
        PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\1004069001\22e5ab3327.exe
      "C:\Users\Admin\AppData\Local\Temp\1004069001\22e5ab3327.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Windows security modification
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1240
  - - C:\Users\Admin\AppData\Local\Temp\1004070001\IDEK.exe
      "C:\Users\Admin\AppData\Local\Temp\1004070001\IDEK.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:1940
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2356
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:2108
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2904
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2040
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2360
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:536
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1724
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        5⤵
        Launches sc.exe
        
        PID:2464
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:3360
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:2288
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        5⤵
        Launches sc.exe
        
        PID:2240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7950645011799387912-1746644307203842189917111947791135731266-1067276836-495584432"
1⤵
PID:908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "164487150715696552061306892373114385555495788033516349158771732891448593064859"
1⤵
PID:540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15612162272140919752-1185178057206806709127353233297088164614826395311710448112"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1182724255-17552632254615984409047585524591222457476793369390772842091221956"
1⤵
PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1707771748-2124086545-21028837732097430248810348451893779841-2018107433932543542"
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "410951321-97278428-410010812-114741359721231025681995632062-610083996-268430424"
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion