Blob.boy.rar

Found references to [PowerShell commands, API hooking, or credential harvesting].

MITRE ATT&CK Mapping: T1059: Command and Scripting Interpreter. T1055: Process Injection. T1112: Modify Registry.

5. Remediation & Recommendations

Use a forensic reader to check for unauthorized password blobs or gMSA account abuse if the infection occurred in an Active Directory environment.

Add the hash of Boy.exe and the C2 domain to your organization's EDR/firewall.

Connection attempts observed to [C2 Server IP/Domain] via port [Port Number].