a653745c5da2c86b3ad137d82c20eb3f23a07e229362c068f0b01071cb448d53

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	GameGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	GameGuard.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	GameGuard.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GameGuard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	update.exe

Blocks application from running via registry modification 27 IoCs

Adds application to list of disallowed applications.

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\20 = "MBSetup.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\21 = "PANDAFREEAV.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\23 = "drweb-12.0-ss-win.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\17 = "eset_internet_security_live_installer.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "AV_br.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	GameGuard.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KVRT.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\24 = "Cureit.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\25 = "TDSSKiller.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "AVbr.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\16 = "FRST64.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\22 = "bitdefender_avfree.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	GameGuard.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "cureit.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\18 = "esetonlinescanner.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\19 = "eset_nod32_antivirus_live_installer.exe"	GameGuard.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	GameGuard.exe

Modifies Windows Firewall 2 TTPs 7 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
3324	netsh.exe
180	netsh.exe
4116	netsh.exe
208	netsh.exe
3600	netsh.exe
4328	netsh.exe
1144	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GameGuard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GameGuard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe

Executes dropped EXE 2 IoCs

pid	Process
3056	GameGuard.exe
3252	update.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000800000001db1a-55.dat	themida
behavioral2/memory/3056-70-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	themida
behavioral2/memory/3056-72-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	themida
behavioral2/memory/3056-73-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	themida
behavioral2/memory/3056-76-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	themida
behavioral2/memory/3056-77-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	themida
behavioral2/memory/3056-78-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	themida
behavioral2/memory/3056-80-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	themida
behavioral2/memory/3056-79-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	themida
behavioral2/memory/3252-82-0x00007FF6FCBD0000-0x00007FF6FDBD0000-memory.dmp	themida
behavioral2/memory/3252-81-0x00007FF6FCBD0000-0x00007FF6FDBD0000-memory.dmp	themida
behavioral2/memory/3252-83-0x00007FF6FCBD0000-0x00007FF6FDBD0000-memory.dmp	themida
behavioral2/memory/3252-84-0x00007FF6FCBD0000-0x00007FF6FDBD0000-memory.dmp	themida
behavioral2/memory/3252-85-0x00007FF6FCBD0000-0x00007FF6FDBD0000-memory.dmp	themida
behavioral2/memory/3252-86-0x00007FF6FCBD0000-0x00007FF6FDBD0000-memory.dmp	themida
behavioral2/memory/3252-89-0x00007FF6FCBD0000-0x00007FF6FDBD0000-memory.dmp	themida
behavioral2/memory/3056-88-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	themida
behavioral2/memory/3056-99-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GameGuard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	update.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

persistence privilege_escalation

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	GameGuard.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	GameGuard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	GameGuard.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3056-73-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	autoit_exe
behavioral2/memory/3056-76-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	autoit_exe
behavioral2/memory/3056-77-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	autoit_exe
behavioral2/memory/3056-78-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	autoit_exe
behavioral2/memory/3056-80-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	autoit_exe
behavioral2/memory/3056-79-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	autoit_exe
behavioral2/memory/3252-82-0x00007FF6FCBD0000-0x00007FF6FDBD0000-memory.dmp	autoit_exe
behavioral2/memory/3252-83-0x00007FF6FCBD0000-0x00007FF6FDBD0000-memory.dmp	autoit_exe
behavioral2/memory/3252-84-0x00007FF6FCBD0000-0x00007FF6FDBD0000-memory.dmp	autoit_exe
behavioral2/memory/3252-85-0x00007FF6FCBD0000-0x00007FF6FDBD0000-memory.dmp	autoit_exe
behavioral2/memory/3252-86-0x00007FF6FCBD0000-0x00007FF6FDBD0000-memory.dmp	autoit_exe
behavioral2/memory/3252-89-0x00007FF6FCBD0000-0x00007FF6FDBD0000-memory.dmp	autoit_exe
behavioral2/memory/3056-88-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	autoit_exe
behavioral2/memory/3056-99-0x00007FF64F780000-0x00007FF65098C000-memory.dmp	autoit_exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	GameGuard.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3056	GameGuard.exe
3252	update.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1756	sc.exe
3552	sc.exe
2388	sc.exe
2128	sc.exe
1732	sc.exe
4448	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data0.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
1108	timeout.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2072	msedge.exe
2072	msedge.exe
3056	GameGuard.exe
3056	GameGuard.exe
3056	GameGuard.exe
3056	GameGuard.exe
3056	GameGuard.exe
3056	GameGuard.exe
3056	GameGuard.exe
3056	GameGuard.exe
3056	GameGuard.exe
3056	GameGuard.exe
3056	GameGuard.exe
3056	GameGuard.exe
3252	update.exe
3252	update.exe
3252	update.exe
3252	update.exe
3252	update.exe
3252	update.exe
3252	update.exe
3252	update.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3056	GameGuard.exe
3252	update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 4468	2136	msedge.exe	110
PID 2136 wrote to memory of 4468	2136	msedge.exe	110
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 1756	2136	msedge.exe	111
PID 2136 wrote to memory of 2072	2136	msedge.exe	112
PID 2136 wrote to memory of 2072	2136	msedge.exe	112
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113
PID 2136 wrote to memory of 3612	2136	msedge.exe	113

C:\Users\Admin\AppData\Local\Temp\data0.exe
"C:\Users\Admin\AppData\Local\Temp\data0.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4304
- C:\ProgramData\Setup\GameGuard.exe
  "C:\ProgramData\Setup\GameGuard.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Modifies Windows Defender notification settings
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Blocks application from running via registry modification
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Hide Artifacts: Hidden Users
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete swprv
    3⤵
    PID:2544
  - - C:\Windows\system32\sc.exe
      sc delete swprv
      4⤵
      Launches sc.exe
      PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop mbamservice
    3⤵
    PID:5036
  - - C:\Windows\system32\sc.exe
      sc stop mbamservice
      4⤵
      Launches sc.exe
      PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
    3⤵
    PID:4116
  - - C:\Windows\system32\sc.exe
      sc stop bytefenceservice
      4⤵
      Launches sc.exe
      PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
    3⤵
    PID:2288
  - - C:\Windows\system32\sc.exe
      sc delete bytefenceservice
      4⤵
      Launches sc.exe
      PID:1732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete mbamservice
    3⤵
    PID:2212
  - - C:\Windows\system32\sc.exe
      sc delete mbamservice
      4⤵
      Launches sc.exe
      PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete crmsvc
    3⤵
    PID:3308
  - - C:\Windows\system32\sc.exe
      sc delete crmsvc
      4⤵
      Launches sc.exe
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
    3⤵
    PID:3700
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AppModule" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    PID:4440
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="AppModule" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AMD" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    PID:2460
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="AMD" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    PID:2536
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    PID:4868
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    PID:3168
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    PID:1708
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c gpupdate /force
    3⤵
    PID:1564
  - - C:\Windows\system32\gpupdate.exe
      gpupdate /force
      4⤵
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Programdata\Install\Delete.bat
    3⤵
    PID:3700
  - - C:\Windows\system32\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:1108
- C:\ProgramData\Setup\update.exe
  "C:\ProgramData\Setup\update.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault678d6541h8a92h4ab4ha8d1h60aa888b4d29
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd193046f8,0x7ffd19304708,0x7ffd19304718
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,13210504260412751271,8006787076165813718,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,13210504260412751271,8006787076165813718,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,13210504260412751271,8006787076165813718,131072 --lang=uk --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:3612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
1⤵
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry