stealc | 24d5a4217ca7cbac8b0d33663c7eac767c0248ed2e83c42ac242fd7b9007d42f

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VC_redistx64.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VC_redistx64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VC_redistx64.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	VC_redistx64.exe

Executes dropped EXE 64 IoCs

pid	Process
2520	sWsmPty.exe
2264	VC_redistx64.exe
1444	HpsrSpoof.exe
2684	Volumeid64.exe
1200	Process not Found
272	DevManView.exe
1716	DevManView.exe
1648	DevManView.exe
1392	DevManView.exe
1856	DevManView.exe
1708	DevManView.exe
1968	DevManView.exe
1800	DevManView.exe
1852	DevManView.exe
1300	DevManView.exe
1296	DevManView.exe
1276	DevManView.exe
1884	DevManView.exe
2384	DevManView.exe
1320	DevManView.exe
2480	AMIDEWINx64.exe
2936	AMIDEWINx64.exe
960	AMIDEWINx64.exe
2152	AMIDEWINx64.exe
2904	AMIDEWINx64.exe
1344	AMIDEWINx64.exe
2104	AMIDEWINx64.exe
2320	AMIDEWINx64.exe
2016	AMIDEWINx64.exe
1636	AMIDEWINx64.exe
2108	AMIDEWINx64.exe
768	AMIDEWINx64.exe
2052	AMIDEWINx64.exe
1748	AMIDEWINx64.exe
2692	AMIDEWINx64.exe
2424	AMIDEWINx64.exe
2188	AMIDEWINx64.exe
1644	AMIDEWINx64.exe
344	AMIDEWINx64.exe
1740	AMIDEWINx64.exe
2728	AMIDEWINx64.exe
1676	AMIDEWINx64.exe
1256	AMIDEWINx64.exe
1036	AMIDEWINx64.exe
1316	AMIDEWINx64.exe
1288	AMIDEWINx64.exe
1708	AMIDEWINx64.exe
2092	AMIDEWINx64.exe
1968	AMIDEWINx64.exe
2704	AMIDEWINx64.exe
2672	Volumeid64.exe
2312	Volumeid64.exe
2936	Volumeid64.exe
2208	Volumeid64.exe
1408	Volumeid64.exe
1592	Volumeid64.exe
2000	Volumeid64.exe
1292	Volumeid64.exe
1320	Volumeid64.exe
1536	Volumeid64.exe
2280	Volumeid64.exe
804	Volumeid64.exe
884	Volumeid64.exe
1060	Volumeid64.exe

Loads dropped DLL 7 IoCs

pid	Process
2380	SyncSpoofer.exe
2608	cmd.exe
1480	cmd.exe
2472	cmd.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2264-21-0x0000000000400000-0x0000000000B78000-memory.dmp	themida
behavioral1/files/0x0008000000016d42-19.dat	themida
behavioral1/memory/2264-25-0x0000000000400000-0x0000000000B78000-memory.dmp	themida
behavioral1/memory/2264-26-0x0000000000400000-0x0000000000B78000-memory.dmp	themida
behavioral1/memory/2264-77-0x0000000000400000-0x0000000000B78000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\ProgramData\\MyHiddenFolder\\VC_redistx64.exe"	VC_redistx64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VC_redistx64.exe

Enumerates connected drives 3 TTPs 30 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Maps connected drives based on registry 3 TTPs 30 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2264	VC_redistx64.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	DevManView.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
600	2520	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sWsmPty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redistx64.exe

Checks SCSI registry key(s) 3 TTPs 60 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sWsmPty.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sWsmPty.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2264	VC_redistx64.exe
272	DevManView.exe
1648	DevManView.exe
1392	DevManView.exe
1856	DevManView.exe
1708	DevManView.exe
2384	DevManView.exe
1320	DevManView.exe
1716	DevManView.exe
1800	DevManView.exe
1968	DevManView.exe
1852	DevManView.exe
1300	DevManView.exe
1296	DevManView.exe
1276	DevManView.exe
1884	DevManView.exe
2520	sWsmPty.exe

Suspicious behavior: LoadsDriver 19 IoCs

pid	Process
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	272	DevManView.exe
Token: SeRestorePrivilege	272	DevManView.exe
Token: SeTakeOwnershipPrivilege	272	DevManView.exe
Token: SeImpersonatePrivilege	272	DevManView.exe
Token: SeBackupPrivilege	1648	DevManView.exe
Token: SeBackupPrivilege	1392	DevManView.exe
Token: SeBackupPrivilege	1856	DevManView.exe
Token: SeBackupPrivilege	1708	DevManView.exe
Token: SeRestorePrivilege	1648	DevManView.exe
Token: SeRestorePrivilege	1392	DevManView.exe
Token: SeRestorePrivilege	1856	DevManView.exe
Token: SeRestorePrivilege	1708	DevManView.exe
Token: SeTakeOwnershipPrivilege	1648	DevManView.exe
Token: SeTakeOwnershipPrivilege	1392	DevManView.exe
Token: SeTakeOwnershipPrivilege	1856	DevManView.exe
Token: SeTakeOwnershipPrivilege	1708	DevManView.exe
Token: SeImpersonatePrivilege	1648	DevManView.exe
Token: SeImpersonatePrivilege	1392	DevManView.exe
Token: SeImpersonatePrivilege	1856	DevManView.exe
Token: SeImpersonatePrivilege	1708	DevManView.exe
Token: SeBackupPrivilege	2384	DevManView.exe
Token: SeRestorePrivilege	2384	DevManView.exe
Token: SeTakeOwnershipPrivilege	2384	DevManView.exe
Token: SeImpersonatePrivilege	2384	DevManView.exe
Token: SeBackupPrivilege	1320	DevManView.exe
Token: SeRestorePrivilege	1320	DevManView.exe
Token: SeTakeOwnershipPrivilege	1320	DevManView.exe
Token: SeImpersonatePrivilege	1320	DevManView.exe
Token: SeBackupPrivilege	1716	DevManView.exe
Token: SeRestorePrivilege	1716	DevManView.exe
Token: SeTakeOwnershipPrivilege	1716	DevManView.exe
Token: SeImpersonatePrivilege	1716	DevManView.exe
Token: SeBackupPrivilege	1800	DevManView.exe
Token: SeRestorePrivilege	1800	DevManView.exe
Token: SeTakeOwnershipPrivilege	1800	DevManView.exe
Token: SeImpersonatePrivilege	1800	DevManView.exe
Token: SeBackupPrivilege	1968	DevManView.exe
Token: SeRestorePrivilege	1968	DevManView.exe
Token: SeTakeOwnershipPrivilege	1968	DevManView.exe
Token: SeImpersonatePrivilege	1968	DevManView.exe
Token: SeBackupPrivilege	1852	DevManView.exe
Token: SeRestorePrivilege	1852	DevManView.exe
Token: SeTakeOwnershipPrivilege	1852	DevManView.exe
Token: SeImpersonatePrivilege	1852	DevManView.exe
Token: SeBackupPrivilege	1300	DevManView.exe
Token: SeRestorePrivilege	1300	DevManView.exe
Token: SeTakeOwnershipPrivilege	1300	DevManView.exe
Token: SeImpersonatePrivilege	1300	DevManView.exe
Token: SeBackupPrivilege	1296	DevManView.exe
Token: SeRestorePrivilege	1296	DevManView.exe
Token: SeTakeOwnershipPrivilege	1296	DevManView.exe
Token: SeImpersonatePrivilege	1296	DevManView.exe
Token: SeBackupPrivilege	1276	DevManView.exe
Token: SeRestorePrivilege	1276	DevManView.exe
Token: SeTakeOwnershipPrivilege	1276	DevManView.exe
Token: SeImpersonatePrivilege	1276	DevManView.exe
Token: SeBackupPrivilege	1884	DevManView.exe
Token: SeRestorePrivilege	1884	DevManView.exe
Token: SeTakeOwnershipPrivilege	1884	DevManView.exe
Token: SeImpersonatePrivilege	1884	DevManView.exe
Token: SeLoadDriverPrivilege	272	DevManView.exe
Token: SeLoadDriverPrivilege	1320	DevManView.exe
Token: SeLoadDriverPrivilege	1276	DevManView.exe
Token: SeLoadDriverPrivilege	1320	DevManView.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2520	2380	SyncSpoofer.exe	31
PID 2380 wrote to memory of 2520	2380	SyncSpoofer.exe	31
PID 2380 wrote to memory of 2520	2380	SyncSpoofer.exe	31
PID 2380 wrote to memory of 2520	2380	SyncSpoofer.exe	31
PID 2380 wrote to memory of 2264	2380	SyncSpoofer.exe	32
PID 2380 wrote to memory of 2264	2380	SyncSpoofer.exe	32
PID 2380 wrote to memory of 2264	2380	SyncSpoofer.exe	32
PID 2380 wrote to memory of 2264	2380	SyncSpoofer.exe	32
PID 2380 wrote to memory of 1444	2380	SyncSpoofer.exe	33
PID 2380 wrote to memory of 1444	2380	SyncSpoofer.exe	33
PID 2380 wrote to memory of 1444	2380	SyncSpoofer.exe	33
PID 1444 wrote to memory of 2608	1444	HpsrSpoof.exe	35
PID 1444 wrote to memory of 2608	1444	HpsrSpoof.exe	35
PID 1444 wrote to memory of 2608	1444	HpsrSpoof.exe	35
PID 2608 wrote to memory of 2684	2608	cmd.exe	37
PID 2608 wrote to memory of 2684	2608	cmd.exe	37
PID 2608 wrote to memory of 2684	2608	cmd.exe	37
PID 1444 wrote to memory of 1480	1444	HpsrSpoof.exe	39
PID 1444 wrote to memory of 1480	1444	HpsrSpoof.exe	39
PID 1444 wrote to memory of 1480	1444	HpsrSpoof.exe	39
PID 1480 wrote to memory of 272	1480	cmd.exe	41
PID 1480 wrote to memory of 272	1480	cmd.exe	41
PID 1480 wrote to memory of 272	1480	cmd.exe	41
PID 1480 wrote to memory of 1648	1480	cmd.exe	42
PID 1480 wrote to memory of 1648	1480	cmd.exe	42
PID 1480 wrote to memory of 1648	1480	cmd.exe	42
PID 1480 wrote to memory of 1716	1480	cmd.exe	43
PID 1480 wrote to memory of 1716	1480	cmd.exe	43
PID 1480 wrote to memory of 1716	1480	cmd.exe	43
PID 1480 wrote to memory of 1392	1480	cmd.exe	44
PID 1480 wrote to memory of 1392	1480	cmd.exe	44
PID 1480 wrote to memory of 1392	1480	cmd.exe	44
PID 1480 wrote to memory of 1968	1480	cmd.exe	45
PID 1480 wrote to memory of 1968	1480	cmd.exe	45
PID 1480 wrote to memory of 1968	1480	cmd.exe	45
PID 1480 wrote to memory of 1856	1480	cmd.exe	46
PID 1480 wrote to memory of 1856	1480	cmd.exe	46
PID 1480 wrote to memory of 1856	1480	cmd.exe	46
PID 1480 wrote to memory of 1800	1480	cmd.exe	47
PID 1480 wrote to memory of 1800	1480	cmd.exe	47
PID 1480 wrote to memory of 1800	1480	cmd.exe	47
PID 1480 wrote to memory of 1708	1480	cmd.exe	48
PID 1480 wrote to memory of 1708	1480	cmd.exe	48
PID 1480 wrote to memory of 1708	1480	cmd.exe	48
PID 1480 wrote to memory of 1852	1480	cmd.exe	49
PID 1480 wrote to memory of 1852	1480	cmd.exe	49
PID 1480 wrote to memory of 1852	1480	cmd.exe	49
PID 1480 wrote to memory of 1884	1480	cmd.exe	50
PID 1480 wrote to memory of 1884	1480	cmd.exe	50
PID 1480 wrote to memory of 1884	1480	cmd.exe	50
PID 1480 wrote to memory of 1300	1480	cmd.exe	51
PID 1480 wrote to memory of 1300	1480	cmd.exe	51
PID 1480 wrote to memory of 1300	1480	cmd.exe	51
PID 1480 wrote to memory of 2384	1480	cmd.exe	52
PID 1480 wrote to memory of 2384	1480	cmd.exe	52
PID 1480 wrote to memory of 2384	1480	cmd.exe	52
PID 1480 wrote to memory of 1296	1480	cmd.exe	53
PID 1480 wrote to memory of 1296	1480	cmd.exe	53
PID 1480 wrote to memory of 1296	1480	cmd.exe	53
PID 1480 wrote to memory of 1320	1480	cmd.exe	54
PID 1480 wrote to memory of 1320	1480	cmd.exe	54
PID 1480 wrote to memory of 1320	1480	cmd.exe	54
PID 1480 wrote to memory of 1276	1480	cmd.exe	55
PID 1480 wrote to memory of 1276	1480	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Roaming\sWsmPty.exe
  "C:\Users\Admin\AppData\Roaming\sWsmPty.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 884
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:600
- C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
  "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2264
- C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
  "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: GI62-O9B4
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: GI62-O9B4
      4⤵
      Executes dropped EXE
      PID:2684
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:272
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1648
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1392
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1856
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1800
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1852
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1884
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1300
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2384
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1296
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1320
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    - Loads dropped DLL
    PID:2472
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 11510HP-TRGT23274AB
      4⤵
      Executes dropped EXE
      PID:2480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    PID:2932
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 211510HP-TRGT23274RV
      4⤵
      Executes dropped EXE
      PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    PID:2224
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 811510HP-TRGT23274SG
      4⤵
      Executes dropped EXE
      PID:960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    PID:1080
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      Executes dropped EXE
      PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    PID:1724
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 511510HP-TRGT23274SL
      4⤵
      Executes dropped EXE
      PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:612
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 411513HP-TRGT1254FA
      4⤵
      Executes dropped EXE
      PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:1196
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 611513HP-TRGT1254FU
      4⤵
      Executes dropped EXE
      PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:2028
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 311513HP-TRGT1254DQ
      4⤵
      Executes dropped EXE
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:2000
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 711513HP-TRGT1254MST
      4⤵
      Executes dropped EXE
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:356
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      Executes dropped EXE
      PID:1636
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    PID:1632
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 11529HP-TRGT22228AB
      4⤵
      Executes dropped EXE
      PID:2108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    PID:2464
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 211529HP-TRGT22228RV
      4⤵
      Executes dropped EXE
      PID:768
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    PID:1156
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 811529HP-TRGT22228SG
      4⤵
      Executes dropped EXE
      PID:2052
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    PID:2552
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      Executes dropped EXE
      PID:1748
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    PID:600
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 511529HP-TRGT22228SL
      4⤵
      Executes dropped EXE
      PID:2424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:2508
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 411529HP-TRGT22228FA
      4⤵
      Executes dropped EXE
      PID:2692
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:2440
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 611529HP-TRGT22228FU
      4⤵
      Executes dropped EXE
      PID:1644
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:564
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 311529HP-TRGT22228DQ
      4⤵
      Executes dropped EXE
      PID:2188
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:1576
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 711529HP-TRGT22228MST
      4⤵
      Executes dropped EXE
      PID:344
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:1704
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      Executes dropped EXE
      PID:1740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    PID:2656
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 11546HP-TRGT10434AB
      4⤵
      Executes dropped EXE
      PID:2728
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    PID:3036
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 211546HP-TRGT10434RV
      4⤵
      Executes dropped EXE
      PID:1676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    PID:2748
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 811546HP-TRGT10434SG
      4⤵
      Executes dropped EXE
      PID:1256
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    PID:2284
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      Executes dropped EXE
      PID:1036
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    PID:1808
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 511546HP-TRGT10434SL
      4⤵
      Executes dropped EXE
      PID:1288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:1764
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 411546HP-TRGT10434FA
      4⤵
      Executes dropped EXE
      PID:1316
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:2368
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 611546HP-TRGT10434FU
      4⤵
      Executes dropped EXE
      PID:1708
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:2844
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 311546HP-TRGT10434DQ
      4⤵
      Executes dropped EXE
      PID:2092
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:1300
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 711546HP-TRGT10434MST
      4⤵
      Executes dropped EXE
      PID:1968
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:2676
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      Executes dropped EXE
      PID:2704
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 3BH7-MLGV
    3⤵
    PID:3056
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 3BH7-MLGV
      4⤵
      Executes dropped EXE
      PID:2672
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: DVTU-3KOV
    3⤵
    PID:2192
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: DVTU-3KOV
      4⤵
      Executes dropped EXE
      PID:2312
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 7NGV-SH7F
    3⤵
    PID:2480
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 7NGV-SH7F
      4⤵
      Executes dropped EXE
      PID:2936
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 6MS4-STV1
    3⤵
    PID:960
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 6MS4-STV1
      4⤵
      Executes dropped EXE
      PID:2208
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: BLFN-KPI4
    3⤵
    PID:2232
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: BLFN-KPI4
      4⤵
      Executes dropped EXE
      PID:1408
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: H2M5-ZZVR
    3⤵
    PID:1280
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: H2M5-ZZVR
      4⤵
      Executes dropped EXE
      PID:1592
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: E2DC-FCEZ
    3⤵
    PID:2028
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: E2DC-FCEZ
      4⤵
      Executes dropped EXE
      PID:2000
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: P548-HURT
    3⤵
    PID:1636
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: P548-HURT
      4⤵
      Executes dropped EXE
      PID:1292
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: G4UK-786N
    3⤵
    PID:1248
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: G4UK-786N
      4⤵
      Executes dropped EXE
      PID:1320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: SF1D-3MP2
    3⤵
    PID:1028
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: SF1D-3MP2
      4⤵
      Executes dropped EXE
      PID:1536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 09DD-NM1Z
    3⤵
    PID:2652
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 09DD-NM1Z
      4⤵
      Executes dropped EXE
      PID:2280
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: S09R-451T
    3⤵
    PID:552
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: S09R-451T
      4⤵
      Executes dropped EXE
      PID:804
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 0Z00-AKPG
    3⤵
    PID:3012
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: 0Z00-AKPG
      4⤵
      Executes dropped EXE
      PID:884
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: IIUG-GHS0
    3⤵
    PID:1632
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: IIUG-GHS0
      4⤵
      Executes dropped EXE
      PID:1060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: T6CS-KSB8
    3⤵
    PID:2956
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: T6CS-KSB8
      4⤵
      PID:896
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: EJZS-4THR
    3⤵
    PID:716
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: EJZS-4THR
      4⤵
      PID:344
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 5A81-GNA5
    3⤵
    PID:2548
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 5A81-GNA5
      4⤵
      PID:2552
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 988G-378J
    3⤵
    PID:3032
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 988G-378J
      4⤵
      PID:1580
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 0FB3-DH04
    3⤵
    PID:2576
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 0FB3-DH04
      4⤵
      PID:2516
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: KIU6-0HVG
    3⤵
    PID:2096
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: KIU6-0HVG
      4⤵
      PID:2688
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 7AVN-V29N
    3⤵
    PID:2416
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 7AVN-V29N
      4⤵
      PID:3040
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 1VK0-TKM9
    3⤵
    PID:1692
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 1VK0-TKM9
      4⤵
      PID:2580
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: SVM9-29AB
    3⤵
    PID:1676
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: SVM9-29AB
      4⤵
      PID:1816
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
    3⤵
    PID:3016
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
    3⤵
    PID:1952
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
    3⤵
    PID:1480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
    3⤵
    PID:2720
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
    3⤵
    PID:1256
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
    3⤵
    PID:2816
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
    3⤵
    PID:2160

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1071802169421404681841957323-97499149816736064241594287287-84330737-1418839575"
1⤵
PID:2472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20768878132002407247729933073-1728424535835345264270184005-696546393422996410"
1⤵
PID:2224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-114444260-1693906546-492528373-1359524320-247058113-1348423669848194111-1920129116"
1⤵
PID:356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1549784662393080097-11522271231133141979-1022699870-1907364157799937651860116760"
1⤵
PID:1156

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "725517741-1827710946-1206258432-126353503755112784211384249920927549-1305849333"
1⤵
PID:2508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3272842821285305883-1634573877-20710430582052703340-927318300-1213300878124737789"
1⤵
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery