mimic | b88691f30a8387bcad3d54d8872558254fe781f173d22e16c3e45b6651153062

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	conUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conUpdate.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

pid	Process
1892	bcdedit.exe
1712	bcdedit.exe

Renames multiple (200) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
2104	wbadmin.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
1164	wbadmin.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchProtocolHost.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchApp.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beserver.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CoreSync.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocomm.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pvlsvr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine_x86.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsnapvss.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxServerView.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutodeskDesktopApp.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fbserver.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\httpd.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tomcat6.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld-opt.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tv_x64.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xfssvccon.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\java.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBDBMgrN.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VeeamDeploymentSvc.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Creative Cloud.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld-opt.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\java.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBDBMgr.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xfssvccon.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\axlbridge.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\benetns.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mysqld-nt.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocautoupds.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchApp.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ocautoupds.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\raw_agent_svc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wdswfsafe.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RaccineElevatedCfg.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wdswfsafe.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bengien.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBW32.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bengien.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydesktopservice.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAgui.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sqbcoreservice.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Raccine.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ssms.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tomcat6.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\benetns.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dbsnmp.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fdlauncher.exe	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QBW64.exe	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\httpd.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oracle.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VeeamDeploymentSvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\encsvc.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SimplyConnectionManager.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeamViewer.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "C:\\Windows\\System32\\Systray.exe"	conUpdate.exe

Deletes itself 1 IoCs

pid	Process
672	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
1888	7za.exe
2992	7za.exe
2676	pa4yg3aq2.exe
2928	conUpdate.exe
2260	conUpdate.exe
1724	conUpdate.exe
1092	conUpdate.exe
1900	Everything.exe
1104	Everything.exe

Loads dropped DLL 17 IoCs

pid	Process
2232	pa4yg3aq2.exe
2232	pa4yg3aq2.exe
2232	pa4yg3aq2.exe
2676	pa4yg3aq2.exe
2676	pa4yg3aq2.exe
2928	conUpdate.exe
2928	conUpdate.exe
2260	conUpdate.exe
2928	conUpdate.exe
1724	conUpdate.exe
2928	conUpdate.exe
1092	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	pa4yg3aq2.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\exefile\shell\open\command	pa4yg3aq2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"	pa4yg3aq2.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	conUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\exefile\shell\open\command	conUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"	conUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	pa4yg3aq2.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\exefile\shell	pa4yg3aq2.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\exefile\shell\open	pa4yg3aq2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	conUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conUpdate = "\"C:\\Users\\Admin\\AppData\\Local\\{D30E6601-C68C-38F9-FF44-7884977CF18D}\\conUpdate.exe\" "	pa4yg3aq2.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conUpdate.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	Everything.exe
File opened (read-only)	\??\U:	conUpdate.exe
File opened (read-only)	\??\X:	conUpdate.exe
File opened (read-only)	\??\O:	Everything.exe
File opened (read-only)	\??\B:	Everything.exe
File opened (read-only)	\??\Y:	conUpdate.exe
File opened (read-only)	\??\R:	Everything.exe
File opened (read-only)	\??\M:	Everything.exe
File opened (read-only)	\??\P:	Everything.exe
File opened (read-only)	\??\I:	Everything.exe
File opened (read-only)	\??\P:	conUpdate.exe
File opened (read-only)	\??\W:	conUpdate.exe
File opened (read-only)	\??\A:	Everything.exe
File opened (read-only)	\??\V:	Everything.exe
File opened (read-only)	\??\V:	Everything.exe
File opened (read-only)	\??\X:	Everything.exe
File opened (read-only)	\??\V:	conUpdate.exe
File opened (read-only)	\??\Z:	conUpdate.exe
File opened (read-only)	\??\G:	conUpdate.exe
File opened (read-only)	\??\L:	conUpdate.exe
File opened (read-only)	\??\H:	Everything.exe
File opened (read-only)	\??\G:	Everything.exe
File opened (read-only)	\??\P:	Everything.exe
File opened (read-only)	\??\M:	conUpdate.exe
File opened (read-only)	\??\R:	conUpdate.exe
File opened (read-only)	\??\E:	conUpdate.exe
File opened (read-only)	\??\H:	conUpdate.exe
File opened (read-only)	\??\T:	conUpdate.exe
File opened (read-only)	\??\J:	Everything.exe
File opened (read-only)	\??\A:	Everything.exe
File opened (read-only)	\??\E:	Everything.exe
File opened (read-only)	\??\R:	Everything.exe
File opened (read-only)	\??\U:	Everything.exe
File opened (read-only)	\??\T:	Everything.exe
File opened (read-only)	\??\I:	Everything.exe
File opened (read-only)	\??\K:	Everything.exe
File opened (read-only)	\??\K:	Everything.exe
File opened (read-only)	\??\O:	Everything.exe
File opened (read-only)	\??\Q:	Everything.exe
File opened (read-only)	\??\N:	conUpdate.exe
File opened (read-only)	\??\Y:	Everything.exe
File opened (read-only)	\??\K:	conUpdate.exe
File opened (read-only)	\??\S:	conUpdate.exe
File opened (read-only)	\??\Y:	Everything.exe
File opened (read-only)	\??\I:	conUpdate.exe
File opened (read-only)	\??\N:	Everything.exe
File opened (read-only)	\??\Q:	Everything.exe
File opened (read-only)	\??\W:	Everything.exe
File opened (read-only)	\??\A:	conUpdate.exe
File opened (read-only)	\??\B:	conUpdate.exe
File opened (read-only)	\??\O:	conUpdate.exe
File opened (read-only)	\??\B:	Everything.exe
File opened (read-only)	\??\M:	Everything.exe
File opened (read-only)	\??\N:	Everything.exe
File opened (read-only)	\??\J:	conUpdate.exe
File opened (read-only)	\??\Q:	conUpdate.exe
File opened (read-only)	\??\W:	Everything.exe
File opened (read-only)	\??\J:	Everything.exe
File opened (read-only)	\??\E:	Everything.exe
File opened (read-only)	\??\G:	Everything.exe
File opened (read-only)	\??\L:	Everything.exe
File opened (read-only)	\??\L:	Everything.exe
File opened (read-only)	\??\S:	Everything.exe
File opened (read-only)	\??\Z:	Everything.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	pa4yg3aq2.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\exefile\shell\open\command	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open	conUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pa4yg3aq2	conUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\exefile\shell\open\command	pa4yg3aq2.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\exefile	pa4yg3aq2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile	conUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	pa4yg3aq2.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\exefile\shell	pa4yg3aq2.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\exefile\shell\open	pa4yg3aq2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pa4yg3aq2\ = "mimicfile"	conUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\exefile\shell\open\command\ = "\"%1\" %*"	pa4yg3aq2.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	conUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\mimicfile\shell\open\command	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell	conUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mimicfile\shell\open\command\ = "notepad.exe \"C:\\Users\\Admin\\AppData\\Local\\Instruction.txt\""	conUpdate.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1724	conUpdate.exe
1092	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2928	conUpdate.exe
2296	powershell.exe
2880	powershell.exe
1644	powershell.exe
2928	conUpdate.exe
2928	conUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1888	7za.exe
Token: 35	1888	7za.exe
Token: SeRestorePrivilege	2992	7za.exe
Token: 35	2992	7za.exe
Token: SeSecurityPrivilege	2992	7za.exe
Token: SeSecurityPrivilege	2992	7za.exe
Token: SeIncreaseQuotaPrivilege	2676	pa4yg3aq2.exe
Token: SeSecurityPrivilege	2676	pa4yg3aq2.exe
Token: SeTakeOwnershipPrivilege	2676	pa4yg3aq2.exe
Token: SeLoadDriverPrivilege	2676	pa4yg3aq2.exe
Token: SeSystemProfilePrivilege	2676	pa4yg3aq2.exe
Token: SeSystemtimePrivilege	2676	pa4yg3aq2.exe
Token: SeProfSingleProcessPrivilege	2676	pa4yg3aq2.exe
Token: SeIncBasePriorityPrivilege	2676	pa4yg3aq2.exe
Token: SeCreatePagefilePrivilege	2676	pa4yg3aq2.exe
Token: SeBackupPrivilege	2676	pa4yg3aq2.exe
Token: SeRestorePrivilege	2676	pa4yg3aq2.exe
Token: SeShutdownPrivilege	2676	pa4yg3aq2.exe
Token: SeDebugPrivilege	2676	pa4yg3aq2.exe
Token: SeSystemEnvironmentPrivilege	2676	pa4yg3aq2.exe
Token: SeChangeNotifyPrivilege	2676	pa4yg3aq2.exe
Token: SeRemoteShutdownPrivilege	2676	pa4yg3aq2.exe
Token: SeUndockPrivilege	2676	pa4yg3aq2.exe
Token: SeManageVolumePrivilege	2676	pa4yg3aq2.exe
Token: SeImpersonatePrivilege	2676	pa4yg3aq2.exe
Token: SeCreateGlobalPrivilege	2676	pa4yg3aq2.exe
Token: 33	2676	pa4yg3aq2.exe
Token: 34	2676	pa4yg3aq2.exe
Token: 35	2676	pa4yg3aq2.exe
Token: SeIncreaseQuotaPrivilege	2928	conUpdate.exe
Token: SeSecurityPrivilege	2928	conUpdate.exe
Token: SeTakeOwnershipPrivilege	2928	conUpdate.exe
Token: SeLoadDriverPrivilege	2928	conUpdate.exe
Token: SeSystemProfilePrivilege	2928	conUpdate.exe
Token: SeSystemtimePrivilege	2928	conUpdate.exe
Token: SeProfSingleProcessPrivilege	2928	conUpdate.exe
Token: SeIncBasePriorityPrivilege	2928	conUpdate.exe
Token: SeCreatePagefilePrivilege	2928	conUpdate.exe
Token: SeBackupPrivilege	2928	conUpdate.exe
Token: SeRestorePrivilege	2928	conUpdate.exe
Token: SeShutdownPrivilege	2928	conUpdate.exe
Token: SeDebugPrivilege	2928	conUpdate.exe
Token: SeSystemEnvironmentPrivilege	2928	conUpdate.exe
Token: SeChangeNotifyPrivilege	2928	conUpdate.exe
Token: SeRemoteShutdownPrivilege	2928	conUpdate.exe
Token: SeUndockPrivilege	2928	conUpdate.exe
Token: SeManageVolumePrivilege	2928	conUpdate.exe
Token: SeImpersonatePrivilege	2928	conUpdate.exe
Token: SeCreateGlobalPrivilege	2928	conUpdate.exe
Token: 33	2928	conUpdate.exe
Token: 34	2928	conUpdate.exe
Token: 35	2928	conUpdate.exe
Token: SeIncreaseQuotaPrivilege	2260	conUpdate.exe
Token: SeSecurityPrivilege	2260	conUpdate.exe
Token: SeTakeOwnershipPrivilege	2260	conUpdate.exe
Token: SeLoadDriverPrivilege	2260	conUpdate.exe
Token: SeSystemProfilePrivilege	2260	conUpdate.exe
Token: SeSystemtimePrivilege	2260	conUpdate.exe
Token: SeProfSingleProcessPrivilege	2260	conUpdate.exe
Token: SeIncBasePriorityPrivilege	2260	conUpdate.exe
Token: SeCreatePagefilePrivilege	2260	conUpdate.exe
Token: SeBackupPrivilege	2260	conUpdate.exe
Token: SeRestorePrivilege	2260	conUpdate.exe
Token: SeShutdownPrivilege	2260	conUpdate.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1900	Everything.exe
1104	Everything.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1888	2232	pa4yg3aq2.exe	28
PID 2232 wrote to memory of 1888	2232	pa4yg3aq2.exe	28
PID 2232 wrote to memory of 1888	2232	pa4yg3aq2.exe	28
PID 2232 wrote to memory of 1888	2232	pa4yg3aq2.exe	28
PID 2232 wrote to memory of 2992	2232	pa4yg3aq2.exe	30
PID 2232 wrote to memory of 2992	2232	pa4yg3aq2.exe	30
PID 2232 wrote to memory of 2992	2232	pa4yg3aq2.exe	30
PID 2232 wrote to memory of 2992	2232	pa4yg3aq2.exe	30
PID 2232 wrote to memory of 2676	2232	pa4yg3aq2.exe	32
PID 2232 wrote to memory of 2676	2232	pa4yg3aq2.exe	32
PID 2232 wrote to memory of 2676	2232	pa4yg3aq2.exe	32
PID 2232 wrote to memory of 2676	2232	pa4yg3aq2.exe	32
PID 2676 wrote to memory of 2928	2676	pa4yg3aq2.exe	33
PID 2676 wrote to memory of 2928	2676	pa4yg3aq2.exe	33
PID 2676 wrote to memory of 2928	2676	pa4yg3aq2.exe	33
PID 2676 wrote to memory of 2928	2676	pa4yg3aq2.exe	33
PID 2676 wrote to memory of 2928	2676	pa4yg3aq2.exe	33
PID 2676 wrote to memory of 2928	2676	pa4yg3aq2.exe	33
PID 2676 wrote to memory of 2928	2676	pa4yg3aq2.exe	33
PID 2928 wrote to memory of 2036	2928	conUpdate.exe	34
PID 2928 wrote to memory of 2036	2928	conUpdate.exe	34
PID 2928 wrote to memory of 2036	2928	conUpdate.exe	34
PID 2928 wrote to memory of 2036	2928	conUpdate.exe	34
PID 2928 wrote to memory of 2260	2928	conUpdate.exe	36
PID 2928 wrote to memory of 2260	2928	conUpdate.exe	36
PID 2928 wrote to memory of 2260	2928	conUpdate.exe	36
PID 2928 wrote to memory of 2260	2928	conUpdate.exe	36
PID 2928 wrote to memory of 2260	2928	conUpdate.exe	36
PID 2928 wrote to memory of 2260	2928	conUpdate.exe	36
PID 2928 wrote to memory of 2260	2928	conUpdate.exe	36
PID 2928 wrote to memory of 1724	2928	conUpdate.exe	37
PID 2928 wrote to memory of 1724	2928	conUpdate.exe	37
PID 2928 wrote to memory of 1724	2928	conUpdate.exe	37
PID 2928 wrote to memory of 1724	2928	conUpdate.exe	37
PID 2928 wrote to memory of 1724	2928	conUpdate.exe	37
PID 2928 wrote to memory of 1724	2928	conUpdate.exe	37
PID 2928 wrote to memory of 1724	2928	conUpdate.exe	37
PID 2928 wrote to memory of 1092	2928	conUpdate.exe	38
PID 2928 wrote to memory of 1092	2928	conUpdate.exe	38
PID 2928 wrote to memory of 1092	2928	conUpdate.exe	38
PID 2928 wrote to memory of 1092	2928	conUpdate.exe	38
PID 2928 wrote to memory of 1092	2928	conUpdate.exe	38
PID 2928 wrote to memory of 1092	2928	conUpdate.exe	38
PID 2928 wrote to memory of 1092	2928	conUpdate.exe	38
PID 2928 wrote to memory of 1900	2928	conUpdate.exe	39
PID 2928 wrote to memory of 1900	2928	conUpdate.exe	39
PID 2928 wrote to memory of 1900	2928	conUpdate.exe	39
PID 2928 wrote to memory of 1900	2928	conUpdate.exe	39
PID 2232 wrote to memory of 672	2232	pa4yg3aq2.exe	40
PID 2232 wrote to memory of 672	2232	pa4yg3aq2.exe	40
PID 2232 wrote to memory of 672	2232	pa4yg3aq2.exe	40
PID 2232 wrote to memory of 672	2232	pa4yg3aq2.exe	40
PID 2928 wrote to memory of 1480	2928	conUpdate.exe	42
PID 2928 wrote to memory of 1480	2928	conUpdate.exe	42
PID 2928 wrote to memory of 1480	2928	conUpdate.exe	42
PID 2928 wrote to memory of 1480	2928	conUpdate.exe	42
PID 2928 wrote to memory of 2116	2928	conUpdate.exe	43
PID 2928 wrote to memory of 2116	2928	conUpdate.exe	43
PID 2928 wrote to memory of 2116	2928	conUpdate.exe	43
PID 2928 wrote to memory of 2116	2928	conUpdate.exe	43
PID 2928 wrote to memory of 932	2928	conUpdate.exe	45
PID 2928 wrote to memory of 932	2928	conUpdate.exe	45
PID 2928 wrote to memory of 932	2928	conUpdate.exe	45
PID 2928 wrote to memory of 932	2928	conUpdate.exe	45

System policy modification 1 TTPs 11 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	conUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HidePowerOptions = "1"	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	conUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	conUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	conUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection	conUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System	conUpdate.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\pa4yg3aq2.exe
"C:\Users\Admin\AppData\Local\Temp\pa4yg3aq2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" i
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7za.exe" x -y -p57795808188112786 Everything64.dll
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\pa4yg3aq2.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\pa4yg3aq2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\conUpdate.exe
    "C:\Users\Admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\conUpdate.exe"
    3⤵
    - UAC bypass
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c DC.exe /D
      4⤵
      PID:2036
  - - C:\Users\Admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\conUpdate.exe
      "C:\Users\Admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\conUpdate.exe" -e watch -pid 2928 -!
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2260
  - - C:\Users\Admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\conUpdate.exe
      "C:\Users\Admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\conUpdate.exe" -e ul1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:1724
  - - C:\Users\Admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\conUpdate.exe
      "C:\Users\Admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\conUpdate.exe" -e ul2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:1092
  - - C:\Users\Admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\Everything.exe
      "C:\Users\Admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\Everything.exe" -startup
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious use of SetWindowsHookEx
      PID:1900
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -H off
      4⤵
      PID:1480
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      4⤵
      PID:2116
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      4⤵
      PID:932
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      4⤵
      PID:928
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      4⤵
      PID:1732
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      4⤵
      PID:1664
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETDCVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      4⤵
      PID:548
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      4⤵
      PID:2820
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETACVALUEINDEX 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      4⤵
      PID:948
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
      4⤵
      PID:2796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass "Get-VM | Select-Object vmid | Get-VHD | %{Get-DiskImage -ImagePath $_.Path; Get-DiskImage -ImagePath $_.ParentPath} | Dismount-DiskImage"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass "Get-Volume | Get-DiskImage | Dismount-DiskImage"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass "Get-VM | Stop-VM"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2296
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -S e9a42b02-d5df-448d-aa00-03f14749eb61
      4⤵
      PID:2600
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      4⤵
      PID:2268
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 96996bc0-ad50-47ec-923b-6f41874dd9eb 0
      4⤵
      PID:1164
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETDCVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 7648efa3-dd9c-4e3e-b566-50f929386280 0
      4⤵
      PID:1288
  - - C:\Windows\system32\powercfg.exe
      powercfg.exe -SETACVALUEINDEX e9a42b02-d5df-448d-aa00-03f14749eb61 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
      4⤵
      PID:1808
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1892
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1712
  - - C:\Windows\system32\wbadmin.exe
      wbadmin.exe DELETE SYSTEMSTATEBACKUP
      4⤵
      Deletes System State backups
      Drops file in Windows directory
      PID:2104
  - - C:\Windows\system32\wbadmin.exe
      wbadmin.exe delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1164
  - - C:\Users\Admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\Everything.exe
      "C:\Users\Admin\AppData\Local\{D30E6601-C68C-38F9-FF44-7884977CF18D}\Everything.exe" -startup
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious use of SetWindowsHookEx
      PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:568

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1800

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2732

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery