3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe

Resubmissions

10/04/2024, 10:26

240410-mgws3sfd41 8

Analysis

max time kernel
99s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Size

419KB
MD5

7d20fa01a703afa8907e50417d27b0a4
SHA1

320116162d78afb8e00fd972591479a899d3dfee
SHA256

3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe
SHA512

0dcebe2598e6ccb51f0609831c93071421049eb924f83871e95c5a280af0d2e76630dfc47c5a2780eb18d55ee9690d6c83aabd8f1043cc2cdc21d9fe5425b892
SSDEEP

3072:Ga1HoUY9aEnRUx4DZLQHkRduVhiHm5Pz6GaYtxcpKnyWOtq:GwYznRC4DpduVnxzsYtxWWOtq

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\ja-JP\pacer.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\UMDF\fr-FR\idtsec.dll.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\clfs.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\UcmTcpciCx.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\it-IT\rfxvmt.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\fr-FR\volmgr.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\iaStorAVC.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\watchdog.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\dmvsc.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\es-ES\rfxvmt.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\tdx.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\usbport.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\vms3cap.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\volsnap.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\en-US\mouclass.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\vhdmp.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\hdaudbus.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\MbbCx.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\USBSTOR.SYS	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\kbldfltr.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\ndfltr.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\rasacd.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\UMDF\en-US\wpdmtpdr.dll.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\amdxata.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\dumpsdport.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\MegaSas2i.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\es-ES\BTHUSB.SYS.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\SDFRd.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\serial.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\hidbth.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\winnat.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\en-US\mssmbios.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\adp80xx.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\cht4dx64.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\HyperVideo.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\es-ES\ntfs.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\fltmgr.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\mspqm.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\mssmbios.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\EhStorTcgDrv.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\lsi_sas2i.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\moqebs8rvm83fq.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\bttflt.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\pcmcia.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\hidbth.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\it-IT\modem.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\winnat.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\it-IT\parport.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\UMDF\de-DE\SensorsCx.dll.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\de-DE\NdisImPlatform.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\es-ES\mountmgr.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\es-ES\wof.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\tcpip.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\hidi2c.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\qwavedrv.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\tm.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\en-US\luafv.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\en-US\ndis.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\PktMon.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\usbcir.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\wimmount.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\ja-JP\storqosflt.sys.mui	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system32\drivers\serenum.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Active Setup\Installed Components	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\My Pictures\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\Accessories\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\Camera Roll\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\My Documents\My Videos\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\AppData\Local\History\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\My Documents\My Music\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Documents\My Videos\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Public\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3045580317-3728985860-206385570-1000\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\Accessibility\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\Administrative Tools\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Recent\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\StartUp\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Documents\My Music\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\Saved Pictures\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\Maintenance\Desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\My Documents\My Pictures\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Public\Documents\My Music\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Public\Documents\My Videos\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\ProgramData\Desktop\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Documents\My Pictures\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\My Documents\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\SendTo\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\ProgramData\Start Menu\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\ProgramData\Start Menu\Programs\Accessories\System Tools\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\My Documents\My Pictures\Camera Roll\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\ProgramData\Documents\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\ProgramData\Documents\My Pictures\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\ProgramData\Documents\My Music\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\ProgramData\Documents\My Videos\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Set key security	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\normnfd.nlp	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pad0e0718#\4c01b83715593dfea330357f18075ea2\Microsoft.PowerShell.Cmdletization.OData.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\xjis.nlp	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\981b8642758ae60742542a145db9e64b\System.Net.Http.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\notepad.exe	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\81091ae499b2593b4e8a4b012e6a7c1b\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\0ab6364a0211b746d41492b243bdfdfb\Microsoft.PowerShell.Commands.Diagnostics.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\WMSysPr9.prx	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4#\802109be4d2ce39859ded54bbe541811\Microsoft.WindowsSearch.Commands.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\e7dd774251db1abf49179f2d4e109684\EventViewer.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\687a0140ccc03a6ccf55dc3b9cb08148\Microsoft.PowerShell.Security.Activities.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\35e71ddd80b7908e1a8311173ffd6ff1\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\085cda9eebdee4ba67ebbcfb4dfa8c85\PresentationFramework.Aero2.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\cc60c54c3dde798a43317ec502c0ca47\Microsoft.CertificateServices.PKIClient.Cmdlets.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\apppatch\sysmain.sdb	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\wpfgfx_v0300.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4a9323e1e332fcc6d5128407fd3404f3\System.Core.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\20b221b2aa56b5604f519dcf81704999\System.Xml.Linq.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c5fa38bfe4dcc7609a932de565e0902d\Microsoft.KeyDistributionService.Cmdlets.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\28965f332c6eb08558a6f5eb76540d9f\Microsoft.PowerShell.Utility.Activities.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\addins\FXSEXT.ecf	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\6de9117021f804bd643639bb684ffe6f\Microsoft.Windows.Diagnosis.TroubleshootingPack.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\9761aa02e459394769888f74d97b844c\Microsoft.InternationalSettings.Commands.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\setupact.log	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\62d027db4e48b2e35ce8272c55ed780e\MMCEx.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\c4a96325490751c8606894bbe3306589\PresentationCore.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\f615f628433cab34a98f99334931a2a3\SrpUxSnapIn.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\586ed23cb27e69e90eee6d49206356b8\Accessibility.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\903ffecbd077dc9907c3618278188386\Microsoft.GroupPolicy.Interop.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\setuperr.log	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\SysmonDrv.sys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\7153ef0bfdd1efd38882e46b46b7745a\Microsoft.ApplicationId.Framework.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\81091ae499b2593b4e8a4b012e6a7c1b\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\a0c4e776b9d01dd5fe5da7fd2edd1f6f\System.Xaml.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\20b221b2aa56b5604f519dcf81704999\System.Xml.Linq.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\3ef04b2ab7a69aa8d90d3a62538479e4\Microsoft.PowerShell.ConsoleHost.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\mib.bin	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\e973d5bd29c030458489be8e83909001\Microsoft.PowerShell.Diagnostics.Activities.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W79a81d80#\3baadacb9af97508e821559b2b24c448\Microsoft.Windows.Diagnosis.Commands.WriteDiagTelemetry.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\PublisherPolicy.tme	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\c4a96325490751c8606894bbe3306589\PresentationCore.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\ace0ccf90f3ff2439a125417206b62ff\Microsoft.ApplicationId.RuleWizard.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\903ffecbd077dc9907c3618278188386\Microsoft.GroupPolicy.Interop.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\73c6ae4303a31ae701dd97dcdda2523d\Microsoft.WSMan.Management.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\410cb32fbed28bfc3ce04df7c4f70c33\Microsoft.Management.Infrastructure.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4#\e340d15b0577ba6f1e950be4a75c873a\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ab4e1169d06499b26dcd454f8e05b3a6\System.Configuration.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\c9081834712b521d8ae96ab1c004cb82\WindowsBase.ni.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\f11cacda118fe5e85f977a5cbe9b8646\Microsoft.Management.Infrastructure.CimCmdlets.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\2997d4b330208b9b0dad2875b7e0d82a\Microsoft.PowerShell.GPowerShell.ni.dll.aux	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\appcompat\Programs\Amcache.hve.LOG1	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\apppatch\drvmain.sdb	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
File opened for modification	C:\Windows\system.ini	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe

Checks SCSI registry key(s) 3 TTPs 52 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Set key security	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Set key security	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Set key security	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Set key security	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Set key security	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Set key security	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Set key security	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Set key security	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe

Modifies Control Panel 60 IoCs

evasion

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\PowerCfg\GlobalPowerPolicy	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility\SlateLaunch	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Input Method\Hot Keys\00000104	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\PowerCfg\PowerPolicies\0	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\PowerCfg\PowerPolicies	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Quick Actions	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Input Method\Hot Keys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Input Method\Hot Keys\00000012	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Personalization	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\PowerCfg\PowerPolicies\2	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility\On	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\MuiCached	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility\Keyboard Response	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Mouse	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Input Method\Hot Keys\00000200	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\User Profile\en-US	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility\SoundSentry	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility\ToggleKeys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\User Profile	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility\Keyboard Preference	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Input Method\Hot Keys\00000202	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Sound	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Input Method\Hot Keys\00000203	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\User Profile System Backup	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\PowerCfg\PowerPolicies\1	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Quick Actions\Pinned	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility\TimeOut	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Input Method\Hot Keys\00000072	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility\MouseKeys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Appearance\Schemes	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\PowerCfg\PowerPolicies\3	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Input Method\Hot Keys\00000070	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Input Method\Hot Keys\00000071	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Bluetooth	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\Colors	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\WindowMetrics	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Keyboard	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\PowerCfg\PowerPolicies\5	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility\Blind Access	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility\HighContrast	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Input Method\Hot Keys\00000201	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility\StickyKeys	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Appearance\New Schemes	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Personalization\Desktop Slideshow	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\PowerCfg\PowerPolicies\4	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\PowerCfg	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Appearance	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\User Profile System Backup\en-US	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Bluetooth\FileSquirtInstalled	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Input Method\Hot Keys\00000011	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Input Method\Hot Keys\00000010	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Input Method	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility\ShowSounds	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Cursors	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Accessibility\AudioDescription	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Colors	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1704	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1704	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Token: SeBackupPrivilege	1704	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Token: SeRestorePrivilege	1704	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Token: SeShutdownPrivilege	1704	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
Token: SeDebugPrivilege	1704	3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe

C:\Users\Admin\AppData\Local\Temp\3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe
"C:\Users\Admin\AppData\Local\Temp\3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe.exe"
1⤵
- Drops file in Drivers directory
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
55f41c694994ad16af502a973b394321

SHA1
afbc5327d3bf11dc0c5b10ed2830c86061846fa4

SHA256
1dbe3ea172a960421ded4894bb5873096352e4b1c590a896121b72efea9a7be1

SHA512
ec9321d5c64cf7a8940c4485f098cb5172d354b228fdc8767c19ea87b41974419d1ebd4d0e78779600b3ab1cd5d526542796033385dbaf421b5e8c68861185ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\20RAD7Y0\Windows[2].json

Filesize
620B

MD5
01b53ab60d1307f1db2f793377d3af08

SHA1
aead0b1b398828d1bb81e91a52f28e504d717e1c

SHA256
b5afda9531d50eca02d7e10dd6a5e5a9346ef452f1aea17049b4acf84be62641

SHA512
ee7663533aae47cae26d9605f045b9165ed9ba387789a09db6e4bd0d76ca08aaee685d5299a8ec40ee086123f4e3ab766a793d9199c639d18d56d87c37cc8f6d

Download Submit
memory/1704-0-0x0000000000CE0000-0x0000000000D4E000-memory.dmp

Filesize
440KB

Download
memory/1704-1-0x00007FF809F70000-0x00007FF80AA31000-memory.dmp

Filesize
10.8MB

Download
memory/1704-2-0x000000001B9E0000-0x000000001B9F0000-memory.dmp

Filesize
64KB

Download
memory/1704-3-0x00007FF809F70000-0x00007FF80AA31000-memory.dmp

Filesize
10.8MB

Download
memory/1704-4-0x000000001B9E0000-0x000000001B9F0000-memory.dmp

Filesize
64KB

Download
memory/1704-91-0x000000001C1F0000-0x000000001C266000-memory.dmp

Filesize
472KB

Download