buran | ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	E286.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	E286.exe

Deletes itself 1 IoCs

pid	Process
2536	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
492	E5C4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000400000001ab53-119.dat	themida
behavioral1/files/0x000400000001ab53-120.dat	themida
behavioral1/memory/3036-134-0x00000000001C0000-0x00000000001C1000-memory.dmp	themida

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\E4B9.exe = "0"	E4B9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	E4B9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	E4B9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	E4B9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	E4B9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	E4B9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	E4B9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	E4B9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	E4B9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	E4B9.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	E7E8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	E7E8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	E286.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	E4B9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	E4B9.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3036	E286.exe
3968	EEA0.exe
3968	EEA0.exe
3968	EEA0.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 740 set thread context of 508	740	ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe	77
PID 3552 set thread context of 1096	3552	E4B9.exe	102

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\purmesh.jpg	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ec_16x11.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-250.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\extensions\VLSub.luac	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Sand.dxt	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\SmallLogo.scale-150.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_comment_18.svg	explorer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Square44x44Logo.targetsize-48.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\sj_16x11.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo1.targetsize-54.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailMediumTile.scale-150.png	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar	explorer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\classlist	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-ul-oob.xrm-ms.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansRegular.ttf.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchSmallTile.scale-125.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-150.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\WideTile.scale-100.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-30_altform-unplated.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-96.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-200_contrast-black.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ul-oob.xrm-ms	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-125.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Kiss.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-30.png	explorer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-40.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util.jar.payfast.234-2AB-B98	explorer.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\WideLogo.scale-200.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-64_altform-unplated.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\CalculatorApp.winmd	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\MedTile.scale-100.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe.payfast.234-2AB-B98	explorer.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\WideTile.scale-125.png	explorer.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ul-oob.xrm-ms.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Office\Group.scale-100.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_12h.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\et_60x42.png	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-RTL.gif	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-16.png	explorer.exe
File opened for modification	C:\Program Files\Microsoft Office\ThinAppXManifest.xml.payfast.234-2AB-B98	explorer.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\logo.png	explorer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
4144	492	WerFault.exe	82
4324	492	WerFault.exe	82
4448	492	WerFault.exe	82
4532	492	WerFault.exe	82
4628	492	WerFault.exe	82
4872	492	WerFault.exe	82
4968	492	WerFault.exe	82
576	492	WerFault.exe	82
4380	492	WerFault.exe	82
4740	492	WerFault.exe	82
4860	492	WerFault.exe	82
5048	492	WerFault.exe	82
2256	492	WerFault.exe	82
4320	492	WerFault.exe	82

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3868	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	E7E8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	E7E8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
508	ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe
508	ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2536	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
508	ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found
2536	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeDebugPrivilege	740	AdvancedRun.exe
Token: SeImpersonatePrivilege	740	AdvancedRun.exe
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeDebugPrivilege	580	AdvancedRun.exe
Token: SeImpersonatePrivilege	580	AdvancedRun.exe
Token: SeDebugPrivilege	3552	E4B9.exe
Token: SeDebugPrivilege	188	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	3968	EEA0.exe
Token: SeDebugPrivilege	3036	E286.exe
Token: SeRestorePrivilege	4144	WerFault.exe
Token: SeBackupPrivilege	4144	WerFault.exe
Token: SeBackupPrivilege	4144	WerFault.exe
Token: SeDebugPrivilege	4144	WerFault.exe
Token: SeDebugPrivilege	4324	WerFault.exe
Token: SeDebugPrivilege	4448	WerFault.exe
Token: SeDebugPrivilege	4532	WerFault.exe
Token: SeDebugPrivilege	1096	cvtres.exe
Token: SeDebugPrivilege	4628	WerFault.exe
Token: SeDebugPrivilege	4872	WerFault.exe
Token: SeDebugPrivilege	4968	WerFault.exe
Token: SeDebugPrivilege	576	WerFault.exe
Token: SeDebugPrivilege	4380	WerFault.exe
Token: SeDebugPrivilege	4740	WerFault.exe
Token: SeDebugPrivilege	4860	explorer.exe
Token: SeDebugPrivilege	5048	WerFault.exe
Token: SeDebugPrivilege	2256	WerFault.exe
Token: SeDebugPrivilege	4320	WerFault.exe
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found
Token: SeCreatePagefilePrivilege	2536	Process not Found
Token: SeShutdownPrivilege	2536	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3968	EEA0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2536	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 508	740	ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe	77
PID 740 wrote to memory of 508	740	ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe	77
PID 740 wrote to memory of 508	740	ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe	77
PID 740 wrote to memory of 508	740	ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe	77
PID 740 wrote to memory of 508	740	ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe	77
PID 740 wrote to memory of 508	740	ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe	77
PID 2536 wrote to memory of 3036	2536	Process not Found	79
PID 2536 wrote to memory of 3036	2536	Process not Found	79
PID 2536 wrote to memory of 3036	2536	Process not Found	79
PID 2536 wrote to memory of 3552	2536	Process not Found	81
PID 2536 wrote to memory of 3552	2536	Process not Found	81
PID 2536 wrote to memory of 3552	2536	Process not Found	81
PID 2536 wrote to memory of 492	2536	Process not Found	82
PID 2536 wrote to memory of 492	2536	Process not Found	82
PID 2536 wrote to memory of 492	2536	Process not Found	82
PID 2536 wrote to memory of 1328	2536	Process not Found	83
PID 2536 wrote to memory of 1328	2536	Process not Found	83
PID 2536 wrote to memory of 1328	2536	Process not Found	83
PID 2536 wrote to memory of 3968	2536	Process not Found	84
PID 2536 wrote to memory of 3968	2536	Process not Found	84
PID 2536 wrote to memory of 3968	2536	Process not Found	84
PID 2536 wrote to memory of 2172	2536	Process not Found	86
PID 2536 wrote to memory of 2172	2536	Process not Found	86
PID 2536 wrote to memory of 2172	2536	Process not Found	86
PID 2536 wrote to memory of 2172	2536	Process not Found	86
PID 3552 wrote to memory of 740	3552	E4B9.exe	87
PID 3552 wrote to memory of 740	3552	E4B9.exe	87
PID 3552 wrote to memory of 740	3552	E4B9.exe	87
PID 740 wrote to memory of 580	740	AdvancedRun.exe	88
PID 740 wrote to memory of 580	740	AdvancedRun.exe	88
PID 740 wrote to memory of 580	740	AdvancedRun.exe	88
PID 2536 wrote to memory of 2580	2536	Process not Found	89
PID 2536 wrote to memory of 2580	2536	Process not Found	89
PID 2536 wrote to memory of 2580	2536	Process not Found	89
PID 2536 wrote to memory of 3700	2536	Process not Found	91
PID 2536 wrote to memory of 3700	2536	Process not Found	91
PID 2536 wrote to memory of 3700	2536	Process not Found	91
PID 2536 wrote to memory of 3700	2536	Process not Found	91
PID 2536 wrote to memory of 3504	2536	Process not Found	92
PID 2536 wrote to memory of 3504	2536	Process not Found	92
PID 2536 wrote to memory of 3504	2536	Process not Found	92
PID 1328 wrote to memory of 2208	1328	E7E8.exe	93
PID 1328 wrote to memory of 2208	1328	E7E8.exe	93
PID 1328 wrote to memory of 2208	1328	E7E8.exe	93
PID 2536 wrote to memory of 2060	2536	Process not Found	94
PID 2536 wrote to memory of 2060	2536	Process not Found	94
PID 2536 wrote to memory of 2060	2536	Process not Found	94
PID 2536 wrote to memory of 2060	2536	Process not Found	94
PID 3552 wrote to memory of 3836	3552	E4B9.exe	95
PID 3552 wrote to memory of 3836	3552	E4B9.exe	95
PID 3552 wrote to memory of 3836	3552	E4B9.exe	95
PID 3552 wrote to memory of 188	3552	E4B9.exe	97
PID 3552 wrote to memory of 188	3552	E4B9.exe	97
PID 3552 wrote to memory of 188	3552	E4B9.exe	97
PID 3552 wrote to memory of 4000	3552	E4B9.exe	99
PID 3552 wrote to memory of 4000	3552	E4B9.exe	99
PID 3552 wrote to memory of 4000	3552	E4B9.exe	99
PID 3552 wrote to memory of 1980	3552	E4B9.exe	104
PID 3552 wrote to memory of 1980	3552	E4B9.exe	104
PID 3552 wrote to memory of 1980	3552	E4B9.exe	104
PID 2536 wrote to memory of 2192	2536	Process not Found	103
PID 2536 wrote to memory of 2192	2536	Process not Found	103
PID 2536 wrote to memory of 2192	2536	Process not Found	103
PID 3552 wrote to memory of 3184	3552	E4B9.exe	100

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	E4B9.exe

C:\Users\Admin\AppData\Local\Temp\ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe
"C:\Users\Admin\AppData\Local\Temp\ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe
  "C:\Users\Admin\AppData\Local\Temp\ca034743682ddf97a8c0f1e502eaa45249d0e8abe789b1169d7460499a1f7ad9.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:508

C:\Users\Admin\AppData\Local\Temp\E286.exe
C:\Users\Admin\AppData\Local\Temp\E286.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Users\Admin\AppData\Local\Temp\E4B9.exe
C:\Users\Admin\AppData\Local\Temp\E4B9.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3552
- C:\Users\Admin\AppData\Local\Temp\55d30bcd-ebef-4151-9830-dfa18e35b976\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\55d30bcd-ebef-4151-9830-dfa18e35b976\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\55d30bcd-ebef-4151-9830-dfa18e35b976\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\55d30bcd-ebef-4151-9830-dfa18e35b976\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\55d30bcd-ebef-4151-9830-dfa18e35b976\AdvancedRun.exe" /SpecialRun 4101d8 740
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\E4B9.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\E4B9.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  2⤵
  PID:4000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
  2⤵
  PID:3184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
  2⤵
  PID:3540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  2⤵
  PID:1980

C:\Users\Admin\AppData\Local\Temp\E5C4.exe
C:\Users\Admin\AppData\Local\Temp\E5C4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 736
  2⤵
  - Drops file in Windows directory
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 748
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 848
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 884
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1180
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1216
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1160
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1232
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1272
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1272
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1224
  2⤵
  - Program crash
  PID:4860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1252
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1212
  2⤵
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 1136
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious use of AdjustPrivilegeToken
  PID:4320

C:\Users\Admin\AppData\Local\Temp\E7E8.exe
C:\Users\Admin\AppData\Local\Temp\E7E8.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:1824
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:4124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:4960
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3868
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4860

C:\Users\Admin\AppData\Local\Temp\EEA0.exe
C:\Users\Admin\AppData\Local\Temp\EEA0.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2172

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2580

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3700

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3504

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2060

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2192

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2580

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3652

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery