buran | 30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270

System Information Discovery

Processes:

7776.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7776.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7776.exe

Deletes itself 1 IoCs

Processes:

pid	Process
3052

Loads dropped DLL 1 IoCs

Processes:

1E09.exe

pid	Process
2680	1E09.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x000200000001ab53-136.dat	themida
behavioral1/files/0x000200000001ab53-137.dat	themida
behavioral1/memory/1308-151-0x0000000001390000-0x0000000001391000-memory.dmp	themida

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

78AF.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	78AF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	78AF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	78AF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	78AF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	78AF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	78AF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	78AF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	78AF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\78AF.exe = "0"	78AF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	78AF.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

7DA3.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	7DA3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\csrss.exe\" -start"	7DA3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

78AF.exe7776.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	78AF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	78AF.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7776.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

csrss.exe

description	ioc	Process
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\F:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
31	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

7776.exe83BE.exe

pid	Process
1308	7776.exe
1812	83BE.exe
1812	83BE.exe
1812	83BE.exe
1812	83BE.exe

Suspicious use of SetThreadContext 26 IoCs

Processes:

30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe7264.exe78AF.exe

description	pid	Process	procid_target
PID 636 set thread context of 3520	636	30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe	77
PID 2892 set thread context of 3084	2892	7264.exe	102
PID 2892 set thread context of 4060	2892	7264.exe	110
PID 3640 set thread context of 1868	3640	78AF.exe	119
PID 2892 set thread context of 4124	2892	7264.exe	122
PID 2892 set thread context of 4512	2892	7264.exe	124
PID 2892 set thread context of 4824	2892	7264.exe	128
PID 2892 set thread context of 5044	2892	7264.exe	129
PID 2892 set thread context of 4464	2892	7264.exe	131
PID 2892 set thread context of 3984	2892	7264.exe	133
PID 2892 set thread context of 2304	2892	7264.exe	149
PID 2892 set thread context of 2400	2892	7264.exe	151
PID 2892 set thread context of 4724	2892	7264.exe	153
PID 2892 set thread context of 5016	2892	7264.exe	154
PID 2892 set thread context of 1680	2892	7264.exe	155
PID 2892 set thread context of 5064	2892	7264.exe	156
PID 2892 set thread context of 4244	2892	7264.exe	157
PID 2892 set thread context of 3864	2892	7264.exe	158
PID 2892 set thread context of 4504	2892	7264.exe	159
PID 2892 set thread context of 4796	2892	7264.exe	162
PID 2892 set thread context of 8	2892	7264.exe	164
PID 2892 set thread context of 4444	2892	7264.exe	165
PID 2892 set thread context of 4460	2892	7264.exe	166
PID 2892 set thread context of 4668	2892	7264.exe	167
PID 2892 set thread context of 4260	2892	7264.exe	168
PID 2892 set thread context of 4880	2892	7264.exe	169

Drops file in Program Files directory 64 IoCs

Processes:

csrss.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-oob.xrm-ms.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\OriginResume.Dotx	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_ja.jar.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-awt.xml	csrss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\resources.jar.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\jni_md.h	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMSB.TTF.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\plugin.jar	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ul-oob.xrm-ms.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar	csrss.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\tzmappings	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\TraceInitialize.asf.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-io_ja.jar	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_K_COL.HXK.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\ConfirmGet.png	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\PersonalMonthlyBudget.xltx	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.payfast.797-5DF-F38	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms	csrss.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.payfast.797-5DF-F38	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1928	2680	WerFault.exe	80
3264	2680	WerFault.exe	80
3680	2680	WerFault.exe	80
2256	2680	WerFault.exe	80
4032	2680	WerFault.exe	80
2356	2680	WerFault.exe	80
504	2680	WerFault.exe	80
772	2680	WerFault.exe	80
3404	2680	WerFault.exe	80
3980	2680	WerFault.exe	80
3952	2680	WerFault.exe	80
4068	2680	WerFault.exe	80
368	2680	WerFault.exe	80
2676	2680	WerFault.exe	80
4836	3984	WerFault.exe	133

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
1432	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

7DA3.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	7DA3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	7DA3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe

pid	Process
3520	30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe
3520	30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
3052

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe

pid	Process
3520	30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeAdvancedRun.exeAdvancedRun.exe78AF.exepowershell.exepowershell.exe7776.exe83BE.exengentask.exeWMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeRestorePrivilege	1928	WerFault.exe
Token: SeBackupPrivilege	1928	WerFault.exe
Token: SeDebugPrivilege	1928	WerFault.exe
Token: SeDebugPrivilege	3264	WerFault.exe
Token: SeDebugPrivilege	3680	WerFault.exe
Token: SeDebugPrivilege	2256	WerFault.exe
Token: SeDebugPrivilege	2356	WerFault.exe
Token: SeDebugPrivilege	504	WerFault.exe
Token: SeDebugPrivilege	772	WerFault.exe
Token: SeDebugPrivilege	3404	WerFault.exe
Token: SeDebugPrivilege	3980	WerFault.exe
Token: SeDebugPrivilege	3952	WerFault.exe
Token: SeDebugPrivilege	4068	WerFault.exe
Token: SeDebugPrivilege	368	WerFault.exe
Token: SeDebugPrivilege	2676	WerFault.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	3036	AdvancedRun.exe
Token: SeImpersonatePrivilege	3036	AdvancedRun.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	3032	AdvancedRun.exe
Token: SeImpersonatePrivilege	3032	AdvancedRun.exe
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeDebugPrivilege	3640	78AF.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1308	7776.exe
Token: SeDebugPrivilege	1812	83BE.exe
Token: SeDebugPrivilege	1868	ngentask.exe
Token: SeIncreaseQuotaPrivilege	4212	WMIC.exe
Token: SeSecurityPrivilege	4212	WMIC.exe
Token: SeTakeOwnershipPrivilege	4212	WMIC.exe
Token: SeLoadDriverPrivilege	4212	WMIC.exe
Token: SeSystemProfilePrivilege	4212	WMIC.exe
Token: SeSystemtimePrivilege	4212	WMIC.exe
Token: SeProfSingleProcessPrivilege	4212	WMIC.exe
Token: SeIncBasePriorityPrivilege	4212	WMIC.exe
Token: SeCreatePagefilePrivilege	4212	WMIC.exe
Token: SeBackupPrivilege	4212	WMIC.exe
Token: SeRestorePrivilege	4212	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1CEF.exe83BE.exe

pid	Process
1420	1CEF.exe
1812	83BE.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3052

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe7264.exe78AF.exeAdvancedRun.exe

description	pid	Process	procid_target
PID 636 wrote to memory of 3520	636	30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe	77
PID 636 wrote to memory of 3520	636	30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe	77
PID 636 wrote to memory of 3520	636	30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe	77
PID 636 wrote to memory of 3520	636	30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe	77
PID 636 wrote to memory of 3520	636	30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe	77
PID 636 wrote to memory of 3520	636	30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe	77
PID 3052 wrote to memory of 1420	3052		79
PID 3052 wrote to memory of 1420	3052		79
PID 3052 wrote to memory of 1420	3052		79
PID 3052 wrote to memory of 2680	3052		80
PID 3052 wrote to memory of 2680	3052		80
PID 3052 wrote to memory of 2680	3052		80
PID 3052 wrote to memory of 2892	3052		96
PID 3052 wrote to memory of 2892	3052		96
PID 3052 wrote to memory of 2892	3052		96
PID 3052 wrote to memory of 1308	3052		98
PID 3052 wrote to memory of 1308	3052		98
PID 3052 wrote to memory of 1308	3052		98
PID 3052 wrote to memory of 3640	3052		100
PID 3052 wrote to memory of 3640	3052		100
PID 3052 wrote to memory of 3640	3052		100
PID 3052 wrote to memory of 3696	3052		101
PID 3052 wrote to memory of 3696	3052		101
PID 3052 wrote to memory of 3696	3052		101
PID 2892 wrote to memory of 3084	2892	7264.exe	102
PID 2892 wrote to memory of 3084	2892	7264.exe	102
PID 2892 wrote to memory of 3084	2892	7264.exe	102
PID 3052 wrote to memory of 4032	3052		103
PID 3052 wrote to memory of 4032	3052		103
PID 3052 wrote to memory of 4032	3052		103
PID 3640 wrote to memory of 3036	3640	78AF.exe	104
PID 3640 wrote to memory of 3036	3640	78AF.exe	104
PID 3640 wrote to memory of 3036	3640	78AF.exe	104
PID 3036 wrote to memory of 3032	3036	AdvancedRun.exe	105
PID 3036 wrote to memory of 3032	3036	AdvancedRun.exe	105
PID 3036 wrote to memory of 3032	3036	AdvancedRun.exe	105
PID 3052 wrote to memory of 1812	3052		106
PID 3052 wrote to memory of 1812	3052		106
PID 3052 wrote to memory of 1812	3052		106
PID 3052 wrote to memory of 3896	3052		109
PID 3052 wrote to memory of 3896	3052		109
PID 3052 wrote to memory of 3896	3052		109
PID 3052 wrote to memory of 3896	3052		109
PID 2892 wrote to memory of 3084	2892	7264.exe	102
PID 2892 wrote to memory of 3084	2892	7264.exe	102
PID 2892 wrote to memory of 3084	2892	7264.exe	102
PID 2892 wrote to memory of 3084	2892	7264.exe	102
PID 2892 wrote to memory of 3084	2892	7264.exe	102
PID 2892 wrote to memory of 4060	2892	7264.exe	110
PID 2892 wrote to memory of 4060	2892	7264.exe	110
PID 2892 wrote to memory of 4060	2892	7264.exe	110
PID 3052 wrote to memory of 1248	3052		114
PID 3052 wrote to memory of 1248	3052		114
PID 3052 wrote to memory of 1248	3052		114
PID 3052 wrote to memory of 2132	3052		112
PID 3052 wrote to memory of 2132	3052		112
PID 3052 wrote to memory of 2132	3052		112
PID 3052 wrote to memory of 2132	3052		112
PID 3640 wrote to memory of 2320	3640	78AF.exe	113
PID 3640 wrote to memory of 2320	3640	78AF.exe	113
PID 3640 wrote to memory of 2320	3640	78AF.exe	113
PID 3640 wrote to memory of 1248	3640	78AF.exe	114
PID 3640 wrote to memory of 1248	3640	78AF.exe	114
PID 3640 wrote to memory of 1248	3640	78AF.exe	114

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

78AF.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	78AF.exe

C:\Users\Admin\AppData\Local\Temp\30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe
"C:\Users\Admin\AppData\Local\Temp\30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\AppData\Local\Temp\30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe
  "C:\Users\Admin\AppData\Local\Temp\30ac2fcde9afc55cd21098f4c8140019dbd200ae3d602b917b727678dc50b270.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3520

C:\Users\Admin\AppData\Local\Temp\1CEF.exe
C:\Users\Admin\AppData\Local\Temp\1CEF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Users\Admin\AppData\Local\Temp\1E09.exe
C:\Users\Admin\AppData\Local\Temp\1E09.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 736
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 848
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 836
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 872
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1188
  2⤵
  - Program crash
  PID:4032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1204
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1248
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1160
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1320
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1288
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1212
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1276
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1228
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1292
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2676

C:\Users\Admin\AppData\Local\Temp\7264.exe
C:\Users\Admin\AppData\Local\Temp\7264.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 24
    3⤵
    - Program crash
    PID:4836
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:188
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Users\Admin\AppData\Local\Temp\7264.exe
  C:\Users\Admin\AppData\Local\Temp\7264.exe
  2⤵
  PID:3952

C:\Users\Admin\AppData\Local\Temp\7776.exe
C:\Users\Admin\AppData\Local\Temp\7776.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Users\Admin\AppData\Local\Temp\78AF.exe
C:\Users\Admin\AppData\Local\Temp\78AF.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3640
- C:\Users\Admin\AppData\Local\Temp\50b72d01-63ee-4444-9f13-d69f8d3c7c19\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\50b72d01-63ee-4444-9f13-d69f8d3c7c19\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\50b72d01-63ee-4444-9f13-d69f8d3c7c19\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\50b72d01-63ee-4444-9f13-d69f8d3c7c19\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\50b72d01-63ee-4444-9f13-d69f8d3c7c19\AdvancedRun.exe" /SpecialRun 4101d8 3036
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\78AF.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\78AF.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  2⤵
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1868

C:\Users\Admin\AppData\Local\Temp\7A47.exe
C:\Users\Admin\AppData\Local\Temp\7A47.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Users\Admin\AppData\Local\Temp\7DA3.exe
C:\Users\Admin\AppData\Local\Temp\7DA3.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
PID:4032
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -start
  2⤵
  - Enumerates connected drives
  PID:4264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:4576
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:4840
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1432
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe" -agent 0
    3⤵
    - Drops file in Program Files directory
    PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4712

C:\Users\Admin\AppData\Local\Temp\83BE.exe
C:\Users\Admin\AppData\Local\Temp\83BE.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3896

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1248

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2132

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3068

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4252

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4392

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4496

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4652

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery