purelogstealer | 92c799a2fd29060a44558a153d1ff5866e420e46b35bdd4546c782c17d4bb50f

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	VC_redistx64.exe

Executes dropped EXE 19 IoCs

pid	Process
1344	sWsmPty.exe
4488	VC_redistx64.exe
1996	HpsrSpoof.exe
3484	Volumeid64.exe
3332	DevManView.exe
404	DevManView.exe
4264	DevManView.exe
3220	DevManView.exe
4312	DevManView.exe
3924	DevManView.exe
64	DevManView.exe
4528	DevManView.exe
1196	DevManView.exe
4092	DevManView.exe
4972	DevManView.exe
1884	DevManView.exe
828	DevManView.exe
1464	DevManView.exe
2260	DevManView.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\Users\\Admin\\AppData\\Local\\MyHiddenFolder\\VC_redistx64.exe"	VC_redistx64.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe

Maps connected drives based on registry 3 TTPs 48 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	DevManView.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4488	VC_redistx64.exe
4488	VC_redistx64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SyncSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redistx64.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ContainerID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ClassGUID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Control	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGUID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK	DevManView.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe
5028	SyncSpoofer.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	SyncSpoofer.exe
Token: SeBackupPrivilege	3332	DevManView.exe
Token: SeRestorePrivilege	3332	DevManView.exe
Token: SeTakeOwnershipPrivilege	3332	DevManView.exe
Token: SeBackupPrivilege	4264	DevManView.exe
Token: SeBackupPrivilege	404	DevManView.exe
Token: SeRestorePrivilege	4264	DevManView.exe
Token: SeRestorePrivilege	404	DevManView.exe
Token: SeTakeOwnershipPrivilege	4264	DevManView.exe
Token: SeTakeOwnershipPrivilege	404	DevManView.exe
Token: SeImpersonatePrivilege	4264	DevManView.exe
Token: SeImpersonatePrivilege	404	DevManView.exe
Token: SeBackupPrivilege	4312	DevManView.exe
Token: SeRestorePrivilege	4312	DevManView.exe
Token: SeTakeOwnershipPrivilege	4312	DevManView.exe
Token: SeBackupPrivilege	3924	DevManView.exe
Token: SeRestorePrivilege	3924	DevManView.exe
Token: SeTakeOwnershipPrivilege	3924	DevManView.exe
Token: SeBackupPrivilege	64	DevManView.exe
Token: SeRestorePrivilege	64	DevManView.exe
Token: SeTakeOwnershipPrivilege	64	DevManView.exe
Token: SeBackupPrivilege	4528	DevManView.exe
Token: SeRestorePrivilege	4528	DevManView.exe
Token: SeTakeOwnershipPrivilege	4528	DevManView.exe
Token: SeBackupPrivilege	3220	DevManView.exe
Token: SeRestorePrivilege	3220	DevManView.exe
Token: SeTakeOwnershipPrivilege	3220	DevManView.exe
Token: SeImpersonatePrivilege	4312	DevManView.exe
Token: SeBackupPrivilege	1196	DevManView.exe
Token: SeRestorePrivilege	1196	DevManView.exe
Token: SeTakeOwnershipPrivilege	1196	DevManView.exe
Token: SeBackupPrivilege	4972	DevManView.exe
Token: SeRestorePrivilege	4972	DevManView.exe
Token: SeTakeOwnershipPrivilege	4972	DevManView.exe
Token: SeBackupPrivilege	1884	DevManView.exe
Token: SeRestorePrivilege	1884	DevManView.exe
Token: SeTakeOwnershipPrivilege	1884	DevManView.exe
Token: SeBackupPrivilege	4092	DevManView.exe
Token: SeRestorePrivilege	4092	DevManView.exe
Token: SeTakeOwnershipPrivilege	4092	DevManView.exe
Token: SeBackupPrivilege	1464	DevManView.exe
Token: SeRestorePrivilege	1464	DevManView.exe
Token: SeTakeOwnershipPrivilege	1464	DevManView.exe
Token: SeBackupPrivilege	2260	DevManView.exe
Token: SeRestorePrivilege	2260	DevManView.exe
Token: SeTakeOwnershipPrivilege	2260	DevManView.exe
Token: SeBackupPrivilege	828	DevManView.exe
Token: SeRestorePrivilege	828	DevManView.exe
Token: SeTakeOwnershipPrivilege	828	DevManView.exe
Token: SeImpersonatePrivilege	3924	DevManView.exe
Token: SeImpersonatePrivilege	64	DevManView.exe
Token: SeImpersonatePrivilege	1196	DevManView.exe
Token: SeImpersonatePrivilege	3332	DevManView.exe
Token: SeImpersonatePrivilege	4972	DevManView.exe
Token: SeImpersonatePrivilege	3220	DevManView.exe
Token: SeImpersonatePrivilege	4092	DevManView.exe
Token: SeImpersonatePrivilege	1884	DevManView.exe
Token: SeImpersonatePrivilege	4528	DevManView.exe
Token: SeImpersonatePrivilege	1464	DevManView.exe
Token: SeImpersonatePrivilege	828	DevManView.exe
Token: SeImpersonatePrivilege	2260	DevManView.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4488	VC_redistx64.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 1344	5028	SyncSpoofer.exe	74
PID 5028 wrote to memory of 1344	5028	SyncSpoofer.exe	74
PID 5028 wrote to memory of 4488	5028	SyncSpoofer.exe	75
PID 5028 wrote to memory of 4488	5028	SyncSpoofer.exe	75
PID 5028 wrote to memory of 4488	5028	SyncSpoofer.exe	75
PID 5028 wrote to memory of 1996	5028	SyncSpoofer.exe	76
PID 5028 wrote to memory of 1996	5028	SyncSpoofer.exe	76
PID 1996 wrote to memory of 5036	1996	HpsrSpoof.exe	78
PID 1996 wrote to memory of 5036	1996	HpsrSpoof.exe	78
PID 5036 wrote to memory of 3484	5036	cmd.exe	80
PID 5036 wrote to memory of 3484	5036	cmd.exe	80
PID 1996 wrote to memory of 1860	1996	HpsrSpoof.exe	81
PID 1996 wrote to memory of 1860	1996	HpsrSpoof.exe	81
PID 1860 wrote to memory of 3332	1860	cmd.exe	83
PID 1860 wrote to memory of 3332	1860	cmd.exe	83
PID 1860 wrote to memory of 404	1860	cmd.exe	84
PID 1860 wrote to memory of 404	1860	cmd.exe	84
PID 1860 wrote to memory of 4264	1860	cmd.exe	85
PID 1860 wrote to memory of 4264	1860	cmd.exe	85
PID 1860 wrote to memory of 3220	1860	cmd.exe	86
PID 1860 wrote to memory of 3220	1860	cmd.exe	86
PID 1860 wrote to memory of 4312	1860	cmd.exe	87
PID 1860 wrote to memory of 4312	1860	cmd.exe	87
PID 1860 wrote to memory of 3924	1860	cmd.exe	88
PID 1860 wrote to memory of 3924	1860	cmd.exe	88
PID 1860 wrote to memory of 64	1860	cmd.exe	89
PID 1860 wrote to memory of 64	1860	cmd.exe	89
PID 1860 wrote to memory of 4528	1860	cmd.exe	90
PID 1860 wrote to memory of 4528	1860	cmd.exe	90
PID 1860 wrote to memory of 1196	1860	cmd.exe	91
PID 1860 wrote to memory of 1196	1860	cmd.exe	91
PID 1860 wrote to memory of 4972	1860	cmd.exe	92
PID 1860 wrote to memory of 4972	1860	cmd.exe	92
PID 1860 wrote to memory of 4092	1860	cmd.exe	93
PID 1860 wrote to memory of 4092	1860	cmd.exe	93
PID 1860 wrote to memory of 1884	1860	cmd.exe	94
PID 1860 wrote to memory of 1884	1860	cmd.exe	94
PID 1860 wrote to memory of 828	1860	cmd.exe	95
PID 1860 wrote to memory of 828	1860	cmd.exe	95
PID 1860 wrote to memory of 1464	1860	cmd.exe	96
PID 1860 wrote to memory of 1464	1860	cmd.exe	96
PID 1860 wrote to memory of 2260	1860	cmd.exe	97
PID 1860 wrote to memory of 2260	1860	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Roaming\sWsmPty.exe
  "C:\Users\Admin\AppData\Roaming\sWsmPty.exe"
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
  "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4488
- C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
  "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: G39Z-J904
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: G39Z-J904
      4⤵
      Executes dropped EXE
      PID:3484
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:3332
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:404
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:4264
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:3220
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:4312
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:3924
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:64
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:4528
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:1196
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:4972
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:4092
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:1884
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:828
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1464
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    PID:4964
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 15670HP-TRGT14593AB
      4⤵
      PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    PID:2888
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 215674HP-TRGT25342RV
      4⤵
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    PID:4496
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 815674HP-TRGT25342SG
      4⤵
      PID:196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    PID:3608
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    PID:4060
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 515674HP-TRGT25342SL
      4⤵
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:4448
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 415674HP-TRGT25342FA
      4⤵
      PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:3864
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 615674HP-TRGT25342FU
      4⤵
      PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:3780
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 315674HP-TRGT25342DQ
      4⤵
      PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:1512
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 715674HP-TRGT25342MST
      4⤵
      PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:4276
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:2100
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    PID:4904
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 15693HP-TRGT24296AB
      4⤵
      PID:2740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    PID:2108
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 215693HP-TRGT24296RV
      4⤵
      PID:4992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    PID:4988
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 815693HP-TRGT24296SG
      4⤵
      PID:1708
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    PID:2024
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:4156
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    PID:3324
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 515693HP-TRGT24296SL
      4⤵
      PID:4492
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:5000
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 415693HP-TRGT24296FA
      4⤵
      PID:1296
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:2236
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 615693HP-TRGT24296FU
      4⤵
      PID:780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:4564
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 315693HP-TRGT24296DQ
      4⤵
      PID:3480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:4940
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 715693HP-TRGT24296MST
      4⤵
      PID:3496
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:812
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:792
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    PID:3928
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 15710HP-TRGT12502AB
      4⤵
      PID:3612
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    PID:3924
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 215710HP-TRGT12502RV
      4⤵
      PID:3980
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    PID:4972
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 815710HP-TRGT12502SG
      4⤵
      PID:1480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    PID:4092
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      PID:4536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    PID:5012
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 515710HP-TRGT12502SL
      4⤵
      PID:208
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:2288
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 415710HP-TRGT12502FA
      4⤵
      PID:4276
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:3852
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 615710HP-TRGT12502FU
      4⤵
      PID:4480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:4220
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 315710HP-TRGT12502DQ
      4⤵
      PID:4240
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:1920
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 715710HP-TRGT12502MST
      4⤵
      PID:5056
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:3236
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      PID:4192
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: T031-MIAT
    3⤵
    PID:1232
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: T031-MIAT
      4⤵
      PID:2800
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: J882-44AP
    3⤵
    PID:2156
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: J882-44AP
      4⤵
      PID:2948
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: CTNV-GTES
    3⤵
    PID:4152
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: CTNV-GTES
      4⤵
      PID:1692
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: KV6C-MI7K
    3⤵
    PID:4844
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: KV6C-MI7K
      4⤵
      PID:3136
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 8IST-87AE
    3⤵
    PID:1224
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: 8IST-87AE
      4⤵
      PID:1988
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: 3EZU-9BRF
    3⤵
    PID:1660
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: 3EZU-9BRF
      4⤵
      PID:2148
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: KLDK-9C5D
    3⤵
    PID:5060
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: KLDK-9C5D
      4⤵
      PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery