amadey | a4e844ff190e6bb8c0afab32f76630758d7b196ae40062765ab8ff457bf1b9b3

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c28f44e1bf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	c28f44e1bf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c28f44e1bf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	c28f44e1bf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c28f44e1bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	c28f44e1bf.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3d8198b544.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cfe3547a69.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	70190cef02.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c28f44e1bf.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3d8198b544.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cfe3547a69.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	70190cef02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c28f44e1bf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3d8198b544.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cfe3547a69.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	70190cef02.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c28f44e1bf.exe

Executes dropped EXE 6 IoCs

pid	Process
2848	skotes.exe
444	3d8198b544.exe
3052	cfe3547a69.exe
1792	70190cef02.exe
2636	cbc48e074f.exe
3216	c28f44e1bf.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	3d8198b544.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	cfe3547a69.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	70190cef02.exe
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	c28f44e1bf.exe

Loads dropped DLL 11 IoCs

pid	Process
2296	file.exe
2296	file.exe
2848	skotes.exe
2848	skotes.exe
2848	skotes.exe
2848	skotes.exe
2848	skotes.exe
2848	skotes.exe
2848	skotes.exe
2848	skotes.exe
444	3d8198b544.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	c28f44e1bf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c28f44e1bf.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\c28f44e1bf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013609001\\c28f44e1bf.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cfe3547a69.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013606001\\cfe3547a69.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\70190cef02.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013607001\\70190cef02.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\cbc48e074f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013608001\\cbc48e074f.exe"	skotes.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0005000000019cba-104.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2296	file.exe
2848	skotes.exe
444	3d8198b544.exe
3052	cfe3547a69.exe
1792	70190cef02.exe
3216	c28f44e1bf.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c28f44e1bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	cbc48e074f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfe3547a69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70190cef02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	cbc48e074f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbc48e074f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d8198b544.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
300	taskkill.exe
1688	taskkill.exe
2052	taskkill.exe
2344	taskkill.exe
2172	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2296	file.exe
2848	skotes.exe
444	3d8198b544.exe
3052	cfe3547a69.exe
1792	70190cef02.exe
2636	cbc48e074f.exe
3216	c28f44e1bf.exe
3216	c28f44e1bf.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
3216	c28f44e1bf.exe
3216	c28f44e1bf.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	300	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	2952	firefox.exe
Token: SeDebugPrivilege	2952	firefox.exe
Token: SeDebugPrivilege	3216	c28f44e1bf.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2296	file.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2952	firefox.exe
2952	firefox.exe
2952	firefox.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe
2636	cbc48e074f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2848	2296	file.exe	30
PID 2296 wrote to memory of 2848	2296	file.exe	30
PID 2296 wrote to memory of 2848	2296	file.exe	30
PID 2296 wrote to memory of 2848	2296	file.exe	30
PID 2848 wrote to memory of 444	2848	skotes.exe	32
PID 2848 wrote to memory of 444	2848	skotes.exe	32
PID 2848 wrote to memory of 444	2848	skotes.exe	32
PID 2848 wrote to memory of 444	2848	skotes.exe	32
PID 2848 wrote to memory of 3052	2848	skotes.exe	33
PID 2848 wrote to memory of 3052	2848	skotes.exe	33
PID 2848 wrote to memory of 3052	2848	skotes.exe	33
PID 2848 wrote to memory of 3052	2848	skotes.exe	33
PID 2848 wrote to memory of 1792	2848	skotes.exe	35
PID 2848 wrote to memory of 1792	2848	skotes.exe	35
PID 2848 wrote to memory of 1792	2848	skotes.exe	35
PID 2848 wrote to memory of 1792	2848	skotes.exe	35
PID 2848 wrote to memory of 2636	2848	skotes.exe	37
PID 2848 wrote to memory of 2636	2848	skotes.exe	37
PID 2848 wrote to memory of 2636	2848	skotes.exe	37
PID 2848 wrote to memory of 2636	2848	skotes.exe	37
PID 2636 wrote to memory of 300	2636	cbc48e074f.exe	38
PID 2636 wrote to memory of 300	2636	cbc48e074f.exe	38
PID 2636 wrote to memory of 300	2636	cbc48e074f.exe	38
PID 2636 wrote to memory of 300	2636	cbc48e074f.exe	38
PID 2636 wrote to memory of 1688	2636	cbc48e074f.exe	40
PID 2636 wrote to memory of 1688	2636	cbc48e074f.exe	40
PID 2636 wrote to memory of 1688	2636	cbc48e074f.exe	40
PID 2636 wrote to memory of 1688	2636	cbc48e074f.exe	40
PID 2636 wrote to memory of 2052	2636	cbc48e074f.exe	42
PID 2636 wrote to memory of 2052	2636	cbc48e074f.exe	42
PID 2636 wrote to memory of 2052	2636	cbc48e074f.exe	42
PID 2636 wrote to memory of 2052	2636	cbc48e074f.exe	42
PID 2636 wrote to memory of 2344	2636	cbc48e074f.exe	44
PID 2636 wrote to memory of 2344	2636	cbc48e074f.exe	44
PID 2636 wrote to memory of 2344	2636	cbc48e074f.exe	44
PID 2636 wrote to memory of 2344	2636	cbc48e074f.exe	44
PID 2636 wrote to memory of 2172	2636	cbc48e074f.exe	46
PID 2636 wrote to memory of 2172	2636	cbc48e074f.exe	46
PID 2636 wrote to memory of 2172	2636	cbc48e074f.exe	46
PID 2636 wrote to memory of 2172	2636	cbc48e074f.exe	46
PID 2636 wrote to memory of 2892	2636	cbc48e074f.exe	48
PID 2636 wrote to memory of 2892	2636	cbc48e074f.exe	48
PID 2636 wrote to memory of 2892	2636	cbc48e074f.exe	48
PID 2636 wrote to memory of 2892	2636	cbc48e074f.exe	48
PID 2892 wrote to memory of 2952	2892	firefox.exe	49
PID 2892 wrote to memory of 2952	2892	firefox.exe	49
PID 2892 wrote to memory of 2952	2892	firefox.exe	49
PID 2892 wrote to memory of 2952	2892	firefox.exe	49
PID 2892 wrote to memory of 2952	2892	firefox.exe	49
PID 2892 wrote to memory of 2952	2892	firefox.exe	49
PID 2892 wrote to memory of 2952	2892	firefox.exe	49
PID 2892 wrote to memory of 2952	2892	firefox.exe	49
PID 2892 wrote to memory of 2952	2892	firefox.exe	49
PID 2892 wrote to memory of 2952	2892	firefox.exe	49
PID 2892 wrote to memory of 2952	2892	firefox.exe	49
PID 2892 wrote to memory of 2952	2892	firefox.exe	49
PID 2952 wrote to memory of 2320	2952	firefox.exe	50
PID 2952 wrote to memory of 2320	2952	firefox.exe	50
PID 2952 wrote to memory of 2320	2952	firefox.exe	50
PID 2952 wrote to memory of 2372	2952	firefox.exe	51
PID 2952 wrote to memory of 2372	2952	firefox.exe	51
PID 2952 wrote to memory of 2372	2952	firefox.exe	51
PID 2952 wrote to memory of 2372	2952	firefox.exe	51
PID 2952 wrote to memory of 2372	2952	firefox.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\1013605001\3d8198b544.exe
    "C:\Users\Admin\AppData\Local\Temp\1013605001\3d8198b544.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:444
- - C:\Users\Admin\AppData\Local\Temp\1013606001\cfe3547a69.exe
    "C:\Users\Admin\AppData\Local\Temp\1013606001\cfe3547a69.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3052
- - C:\Users\Admin\AppData\Local\Temp\1013607001\70190cef02.exe
    "C:\Users\Admin\AppData\Local\Temp\1013607001\70190cef02.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1792
- - C:\Users\Admin\AppData\Local\Temp\1013608001\cbc48e074f.exe
    "C:\Users\Admin\AppData\Local\Temp\1013608001\cbc48e074f.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2172
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.0.1323603872\1485120098" -parentBuildID 20221007134813 -prefsHandle 1160 -prefMapHandle 1096 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c53e55a-6b4a-4728-872d-79240e6953fa} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 1304 ffd6b58 gpu
        6⤵
        
        PID:2320
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.1.611459488\847831372" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cff135b-59d9-4a0b-9757-bfd57bc649da} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 1496 41eb558 socket
        6⤵
        
        PID:2372
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.2.1218596943\568967603" -childID 1 -isForBrowser -prefsHandle 1996 -prefMapHandle 2012 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54fe08b7-4846-4a76-8086-264d5d40db33} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 1988 180a4f58 tab
        6⤵
        
        PID:2396
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.3.1673305281\813748741" -childID 2 -isForBrowser -prefsHandle 2644 -prefMapHandle 2640 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0afc7e99-80ab-4f45-8e18-b66d43e76350} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 2656 1d391e58 tab
        6⤵
        
        PID:1124
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.4.1279849990\293506163" -childID 3 -isForBrowser -prefsHandle 3816 -prefMapHandle 3740 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56379c79-cc64-4612-bf5c-b2227626a4ac} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 3828 211dce58 tab
        6⤵
        
        PID:2896
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.5.161299004\1848631116" -childID 4 -isForBrowser -prefsHandle 3940 -prefMapHandle 3944 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f284403-094f-4d39-92f2-4d09d9818502} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 3928 211db658 tab
        6⤵
        
        PID:2796
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.6.2075718518\52510967" -childID 5 -isForBrowser -prefsHandle 4108 -prefMapHandle 4112 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {caa7b563-96ae-4b2d-8bc3-ae9a4af7ecae} 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 4092 211dc258 tab
        6⤵
        
        PID:2124
- - C:\Users\Admin\AppData\Local\Temp\1013609001\c28f44e1bf.exe
    "C:\Users\Admin\AppData\Local\Temp\1013609001\c28f44e1bf.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion