djvu | ec4bf6cfc55df437a044d2f779cfd3619ddc96d4c7c5cb6621f38e9e30ec1041

Virtualization/Sandbox Evasion

T1497

Processes:

Install.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Install.exe

Downloads MZ/PE file

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0006000000016d43-69.dat	upx
behavioral1/memory/2016-77-0x0000000008CC0000-0x0000000009AE5000-memory.dmp	upx
behavioral1/files/0x0006000000016d43-81.dat	upx
behavioral1/files/0x0006000000016d43-93.dat	upx
behavioral1/memory/1480-162-0x0000000001190000-0x0000000001FB5000-memory.dmp	upx
behavioral1/memory/1480-254-0x0000000001190000-0x0000000001FB5000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Install.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	Install.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exe

pid	Process
49588	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2016-55-0x0000000000860000-0x000000000141C000-memory.dmp	themida
behavioral1/memory/2016-56-0x0000000000860000-0x000000000141C000-memory.dmp	themida
behavioral1/memory/2016-57-0x0000000000860000-0x000000000141C000-memory.dmp	themida
behavioral1/memory/2016-58-0x0000000000860000-0x000000000141C000-memory.dmp	themida
behavioral1/memory/2016-59-0x0000000000860000-0x000000000141C000-memory.dmp	themida
behavioral1/memory/2016-60-0x0000000000860000-0x000000000141C000-memory.dmp	themida
behavioral1/memory/2016-62-0x0000000000860000-0x000000000141C000-memory.dmp	themida
behavioral1/memory/2016-63-0x0000000000860000-0x000000000141C000-memory.dmp	themida
behavioral1/memory/2016-64-0x0000000000860000-0x000000000141C000-memory.dmp	themida
behavioral1/files/0x0005000000019482-167.dat	themida
behavioral1/files/0x0005000000019482-148.dat	themida
behavioral1/memory/1616-176-0x0000000000FF0000-0x0000000001757000-memory.dmp	themida
behavioral1/memory/1616-195-0x0000000000FF0000-0x0000000001757000-memory.dmp	themida
behavioral1/memory/1616-196-0x0000000000FF0000-0x0000000001757000-memory.dmp	themida
behavioral1/memory/1616-198-0x0000000000FF0000-0x0000000001757000-memory.dmp	themida
behavioral1/memory/1616-199-0x0000000000FF0000-0x0000000001757000-memory.dmp	themida
behavioral1/memory/1616-231-0x0000000000FF0000-0x0000000001757000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	34.142.181.181

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

Install.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ipinfo.io
165	api.2ip.ua
168	api.2ip.ua
176	ipinfo.io
177	ipinfo.io
208	ipinfo.io
1	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

Install.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Install.exe

pid	Process
2016	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exe

pid	Process
50108	schtasks.exe
49808	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
49556	taskkill.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Install.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Install.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Install.exe

pid	Process
2016	Install.exe
2016	Install.exe

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2016
- C:\Users\Admin\Pictures\Minor Policy\xsQ_25J7X8rNrKf7F0W2jCxa.exe
  "C:\Users\Admin\Pictures\Minor Policy\xsQ_25J7X8rNrKf7F0W2jCxa.exe"
  2⤵
  PID:1480
- C:\Users\Admin\Pictures\Minor Policy\jOQU6HAkDZnNhMCj1eXeE7Ng.exe
  "C:\Users\Admin\Pictures\Minor Policy\jOQU6HAkDZnNhMCj1eXeE7Ng.exe"
  2⤵
  PID:1456
- C:\Users\Admin\Pictures\Minor Policy\5bqR6AfFsiNo8rtwAb6Kwr5B.exe
  "C:\Users\Admin\Pictures\Minor Policy\5bqR6AfFsiNo8rtwAb6Kwr5B.exe"
  2⤵
  PID:760
- - C:\Users\Admin\Pictures\Minor Policy\5bqR6AfFsiNo8rtwAb6Kwr5B.exe
    "C:\Users\Admin\Pictures\Minor Policy\5bqR6AfFsiNo8rtwAb6Kwr5B.exe"
    3⤵
    PID:860
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\2a51e2f3-6523-4995-8f72-00de1379e4bb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:49588
  - - C:\Users\Admin\Pictures\Minor Policy\5bqR6AfFsiNo8rtwAb6Kwr5B.exe
      "C:\Users\Admin\Pictures\Minor Policy\5bqR6AfFsiNo8rtwAb6Kwr5B.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:20328
- C:\Users\Admin\Pictures\Minor Policy\E8ETcNbIgfP0yj9K8vFq1HSN.exe
  "C:\Users\Admin\Pictures\Minor Policy\E8ETcNbIgfP0yj9K8vFq1HSN.exe"
  2⤵
  PID:1964
- C:\Users\Admin\Pictures\Minor Policy\wuKMkUj3KDas3cxW7Qwvz72h.exe
  "C:\Users\Admin\Pictures\Minor Policy\wuKMkUj3KDas3cxW7Qwvz72h.exe"
  2⤵
  PID:292
- - C:\Users\Admin\Pictures\Minor Policy\wuKMkUj3KDas3cxW7Qwvz72h.exe
    "C:\Users\Admin\Pictures\Minor Policy\wuKMkUj3KDas3cxW7Qwvz72h.exe"
    3⤵
    PID:49912
- C:\Users\Admin\Pictures\Minor Policy\zI5GGZVdqR_mPjDWBhgUFj0R.exe
  "C:\Users\Admin\Pictures\Minor Policy\zI5GGZVdqR_mPjDWBhgUFj0R.exe"
  2⤵
  PID:2000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    3⤵
    PID:19528
- C:\Users\Admin\Pictures\Minor Policy\ANgIUdqqpXqX9HY7TWTVt7F2.exe
  "C:\Users\Admin\Pictures\Minor Policy\ANgIUdqqpXqX9HY7TWTVt7F2.exe"
  2⤵
  PID:1800
- C:\Users\Admin\Pictures\Minor Policy\iElJBCtj2ISkw8sULqoWpc3y.exe
  "C:\Users\Admin\Pictures\Minor Policy\iElJBCtj2ISkw8sULqoWpc3y.exe"
  2⤵
  PID:1496
- - C:\Users\Admin\Documents\sXPqGPL4FpOiFnVO4ojZTB85.exe
    "C:\Users\Admin\Documents\sXPqGPL4FpOiFnVO4ojZTB85.exe"
    3⤵
    PID:49704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:50108
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:49808
- C:\Users\Admin\Pictures\Minor Policy\FSc5K_yls6zTr_0g8hNAi4g3.exe
  "C:\Users\Admin\Pictures\Minor Policy\FSc5K_yls6zTr_0g8hNAi4g3.exe"
  2⤵
  PID:1580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:49360
- C:\Users\Admin\Pictures\Minor Policy\utZYSlUMKvftZwPgS2M0YnGQ.exe
  "C:\Users\Admin\Pictures\Minor Policy\utZYSlUMKvftZwPgS2M0YnGQ.exe"
  2⤵
  PID:704
- C:\Users\Admin\Pictures\Minor Policy\opCSjMRPrSvZICaLWIpUggx3.exe
  "C:\Users\Admin\Pictures\Minor Policy\opCSjMRPrSvZICaLWIpUggx3.exe"
  2⤵
  PID:756
- C:\Users\Admin\Pictures\Minor Policy\rbOqeil6EKIvayD1E7GrcL4J.exe
  "C:\Users\Admin\Pictures\Minor Policy\rbOqeil6EKIvayD1E7GrcL4J.exe"
  2⤵
  PID:1732
- C:\Users\Admin\Pictures\Minor Policy\3tVPrexHovuvXourMRDrdfUs.exe
  "C:\Users\Admin\Pictures\Minor Policy\3tVPrexHovuvXourMRDrdfUs.exe"
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "3tVPrexHovuvXourMRDrdfUs.exe" /f & erase "C:\Users\Admin\Pictures\Minor Policy\3tVPrexHovuvXourMRDrdfUs.exe" & exit
    3⤵
    PID:50036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "3tVPrexHovuvXourMRDrdfUs.exe" /f
      4⤵
      Kills process with taskkill
      PID:49556
- C:\Users\Admin\Pictures\Minor Policy\6DMYe5FPFwyx4wAnypdEb9re.exe
  "C:\Users\Admin\Pictures\Minor Policy\6DMYe5FPFwyx4wAnypdEb9re.exe"
  2⤵
  PID:988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:49980
- C:\Users\Admin\Pictures\Minor Policy\fy2IdQbWoT8CN91dmHBZIQK_.exe
  "C:\Users\Admin\Pictures\Minor Policy\fy2IdQbWoT8CN91dmHBZIQK_.exe"
  2⤵
  PID:1664
- C:\Users\Admin\Pictures\Minor Policy\_HMrX27wyb4B6daJ6hpDWNrE.exe
  "C:\Users\Admin\Pictures\Minor Policy\_HMrX27wyb4B6daJ6hpDWNrE.exe"
  2⤵
  PID:364
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C setx DOTNET_ROOT C:\Users\Admin\AppData\Local\dotnet
    3⤵
    PID:2152
  - - C:\Windows\system32\setx.exe
      setx DOTNET_ROOT C:\Users\Admin\AppData\Local\dotnet
      4⤵
      PID:1996
- C:\Users\Admin\Pictures\Minor Policy\6dwmYJyFjUCgIkgRvjIoWwCt.exe
  "C:\Users\Admin\Pictures\Minor Policy\6dwmYJyFjUCgIkgRvjIoWwCt.exe"
  2⤵
  PID:1096
- - C:\Users\Admin\Pictures\Minor Policy\6dwmYJyFjUCgIkgRvjIoWwCt.exe
    "C:\Users\Admin\Pictures\Minor Policy\6dwmYJyFjUCgIkgRvjIoWwCt.exe" -h
    3⤵
    PID:50100
- C:\Users\Admin\Pictures\Minor Policy\Q5B5ENhe9SOf37D3Qdepqzt2.exe
  "C:\Users\Admin\Pictures\Minor Policy\Q5B5ENhe9SOf37D3Qdepqzt2.exe"
  2⤵
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
    3⤵
    PID:49500
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
      4⤵
      PID:20184
- C:\Users\Admin\Pictures\Minor Policy\rgNprXUTdRxzv3DsKBz8eI99.exe
  "C:\Users\Admin\Pictures\Minor Policy\rgNprXUTdRxzv3DsKBz8eI99.exe"
  2⤵
  PID:1756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:47644

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:49612
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  PID:50016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k WspService
1⤵
PID:19016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery