stealc | 24d5a4217ca7cbac8b0d33663c7eac767c0248ed2e83c42ac242fd7b9007d42f

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VC_redistx64.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VC_redistx64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VC_redistx64.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SyncSpoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	HpsrSpoof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	VC_redistx64.exe

Executes dropped EXE 64 IoCs

pid	Process
3832	sWsmPty.exe
4100	VC_redistx64.exe
3384	HpsrSpoof.exe
1532	Volumeid64.exe
1196	DevManView.exe
3880	DevManView.exe
3796	DevManView.exe
4836	DevManView.exe
3192	DevManView.exe
2208	DevManView.exe
2920	DevManView.exe
5112	DevManView.exe
5100	DevManView.exe
3288	DevManView.exe
888	DevManView.exe
2280	DevManView.exe
3760	DevManView.exe
3196	DevManView.exe
1348	DevManView.exe
1252	AMIDEWINx64.exe
4992	AMIDEWINx64.exe
4072	AMIDEWINx64.exe
4176	AMIDEWINx64.exe
4360	AMIDEWINx64.exe
3888	AMIDEWINx64.exe
2316	AMIDEWINx64.exe
3636	AMIDEWINx64.exe
2284	AMIDEWINx64.exe
4724	AMIDEWINx64.exe
4012	AMIDEWINx64.exe
2940	AMIDEWINx64.exe
3312	AMIDEWINx64.exe
3236	AMIDEWINx64.exe
1532	AMIDEWINx64.exe
4520	AMIDEWINx64.exe
2192	AMIDEWINx64.exe
2140	AMIDEWINx64.exe
4664	AMIDEWINx64.exe
3288	AMIDEWINx64.exe
3028	AMIDEWINx64.exe
1916	AMIDEWINx64.exe
1288	AMIDEWINx64.exe
4456	AMIDEWINx64.exe
2444	AMIDEWINx64.exe
800	AMIDEWINx64.exe
4764	AMIDEWINx64.exe
3636	AMIDEWINx64.exe
1340	AMIDEWINx64.exe
2468	AMIDEWINx64.exe
1740	Volumeid64.exe
4224	Volumeid64.exe
456	Volumeid64.exe
4480	Volumeid64.exe
2156	Volumeid64.exe
3156	Volumeid64.exe
976	Volumeid64.exe
1912	Volumeid64.exe
3764	Volumeid64.exe
4992	Volumeid64.exe
3936	Volumeid64.exe
4296	Volumeid64.exe
3268	Volumeid64.exe
3260	Volumeid64.exe
64	Volumeid64.exe

Loads dropped DLL 2 IoCs

pid	Process
3832	sWsmPty.exe
3832	sWsmPty.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0009000000023c7b-19.dat	themida
behavioral2/memory/4100-31-0x0000000000400000-0x0000000000B78000-memory.dmp	themida
behavioral2/memory/4100-35-0x0000000000400000-0x0000000000B78000-memory.dmp	themida
behavioral2/memory/4100-36-0x0000000000400000-0x0000000000B78000-memory.dmp	themida
behavioral2/memory/4100-136-0x0000000000400000-0x0000000000B78000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\Users\\Admin\\AppData\\Local\\MyHiddenFolder\\VC_redistx64.exe"	VC_redistx64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VC_redistx64.exe

Enumerates connected drives 3 TTPs 30 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0"	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0"	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4100	VC_redistx64.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sWsmPty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redistx64.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGUID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ContainerID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGuid	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGuid	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ContainerID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	DevManView.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LocationInformation	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	DevManView.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	DevManView.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sWsmPty.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sWsmPty.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4100	VC_redistx64.exe
4100	VC_redistx64.exe
3832	sWsmPty.exe
3832	sWsmPty.exe
2208	DevManView.exe
2208	DevManView.exe
3192	DevManView.exe
3192	DevManView.exe
5100	DevManView.exe
5100	DevManView.exe
3880	DevManView.exe
3880	DevManView.exe
3796	DevManView.exe
3796	DevManView.exe
1196	DevManView.exe
1196	DevManView.exe
4836	DevManView.exe
4836	DevManView.exe
3760	DevManView.exe
3760	DevManView.exe
2280	DevManView.exe
2280	DevManView.exe
3288	DevManView.exe
3288	DevManView.exe
5112	DevManView.exe
5112	DevManView.exe
2920	DevManView.exe
2920	DevManView.exe
3196	DevManView.exe
3196	DevManView.exe
888	DevManView.exe
888	DevManView.exe
1348	DevManView.exe
1348	DevManView.exe
3832	sWsmPty.exe
3832	sWsmPty.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3384	HpsrSpoof.exe

Suspicious behavior: LoadsDriver 28 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1196	DevManView.exe
Token: SeRestorePrivilege	1196	DevManView.exe
Token: SeTakeOwnershipPrivilege	1196	DevManView.exe
Token: SeBackupPrivilege	3880	DevManView.exe
Token: SeRestorePrivilege	3880	DevManView.exe
Token: SeTakeOwnershipPrivilege	3880	DevManView.exe
Token: SeBackupPrivilege	4836	DevManView.exe
Token: SeRestorePrivilege	4836	DevManView.exe
Token: SeTakeOwnershipPrivilege	4836	DevManView.exe
Token: SeBackupPrivilege	3796	DevManView.exe
Token: SeRestorePrivilege	3796	DevManView.exe
Token: SeTakeOwnershipPrivilege	3796	DevManView.exe
Token: SeBackupPrivilege	2208	DevManView.exe
Token: SeRestorePrivilege	2208	DevManView.exe
Token: SeTakeOwnershipPrivilege	2208	DevManView.exe
Token: SeBackupPrivilege	3192	DevManView.exe
Token: SeRestorePrivilege	3192	DevManView.exe
Token: SeTakeOwnershipPrivilege	3192	DevManView.exe
Token: SeBackupPrivilege	2920	DevManView.exe
Token: SeRestorePrivilege	2920	DevManView.exe
Token: SeTakeOwnershipPrivilege	2920	DevManView.exe
Token: SeBackupPrivilege	5112	DevManView.exe
Token: SeRestorePrivilege	5112	DevManView.exe
Token: SeTakeOwnershipPrivilege	5112	DevManView.exe
Token: SeBackupPrivilege	5100	DevManView.exe
Token: SeRestorePrivilege	5100	DevManView.exe
Token: SeTakeOwnershipPrivilege	5100	DevManView.exe
Token: SeBackupPrivilege	3288	DevManView.exe
Token: SeRestorePrivilege	3288	DevManView.exe
Token: SeTakeOwnershipPrivilege	3288	DevManView.exe
Token: SeBackupPrivilege	2280	DevManView.exe
Token: SeRestorePrivilege	2280	DevManView.exe
Token: SeTakeOwnershipPrivilege	2280	DevManView.exe
Token: SeImpersonatePrivilege	3796	DevManView.exe
Token: SeImpersonatePrivilege	1196	DevManView.exe
Token: SeImpersonatePrivilege	4836	DevManView.exe
Token: SeImpersonatePrivilege	2208	DevManView.exe
Token: SeImpersonatePrivilege	5100	DevManView.exe
Token: SeBackupPrivilege	3760	DevManView.exe
Token: SeRestorePrivilege	3760	DevManView.exe
Token: SeTakeOwnershipPrivilege	3760	DevManView.exe
Token: SeImpersonatePrivilege	3760	DevManView.exe
Token: SeImpersonatePrivilege	2280	DevManView.exe
Token: SeImpersonatePrivilege	3288	DevManView.exe
Token: SeImpersonatePrivilege	3192	DevManView.exe
Token: SeBackupPrivilege	3196	DevManView.exe
Token: SeRestorePrivilege	3196	DevManView.exe
Token: SeTakeOwnershipPrivilege	3196	DevManView.exe
Token: SeImpersonatePrivilege	5112	DevManView.exe
Token: SeBackupPrivilege	1348	DevManView.exe
Token: SeRestorePrivilege	1348	DevManView.exe
Token: SeTakeOwnershipPrivilege	1348	DevManView.exe
Token: SeImpersonatePrivilege	2920	DevManView.exe
Token: SeImpersonatePrivilege	3880	DevManView.exe
Token: SeImpersonatePrivilege	3196	DevManView.exe
Token: SeBackupPrivilege	888	DevManView.exe
Token: SeRestorePrivilege	888	DevManView.exe
Token: SeTakeOwnershipPrivilege	888	DevManView.exe
Token: SeImpersonatePrivilege	1348	DevManView.exe
Token: SeImpersonatePrivilege	888	DevManView.exe
Token: SeLoadDriverPrivilege	3196	DevManView.exe
Token: SeLoadDriverPrivilege	888	DevManView.exe
Token: SeLoadDriverPrivilege	3196	DevManView.exe
Token: SeLoadDriverPrivilege	888	DevManView.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 3832	396	SyncSpoofer.exe	86
PID 396 wrote to memory of 3832	396	SyncSpoofer.exe	86
PID 396 wrote to memory of 3832	396	SyncSpoofer.exe	86
PID 396 wrote to memory of 4100	396	SyncSpoofer.exe	87
PID 396 wrote to memory of 4100	396	SyncSpoofer.exe	87
PID 396 wrote to memory of 4100	396	SyncSpoofer.exe	87
PID 396 wrote to memory of 3384	396	SyncSpoofer.exe	88
PID 396 wrote to memory of 3384	396	SyncSpoofer.exe	88
PID 3384 wrote to memory of 1544	3384	HpsrSpoof.exe	90
PID 3384 wrote to memory of 1544	3384	HpsrSpoof.exe	90
PID 1544 wrote to memory of 1532	1544	cmd.exe	92
PID 1544 wrote to memory of 1532	1544	cmd.exe	92
PID 3384 wrote to memory of 4732	3384	HpsrSpoof.exe	93
PID 3384 wrote to memory of 4732	3384	HpsrSpoof.exe	93
PID 4732 wrote to memory of 1196	4732	cmd.exe	95
PID 4732 wrote to memory of 1196	4732	cmd.exe	95
PID 4732 wrote to memory of 3880	4732	cmd.exe	96
PID 4732 wrote to memory of 3880	4732	cmd.exe	96
PID 4732 wrote to memory of 2280	4732	cmd.exe	97
PID 4732 wrote to memory of 2280	4732	cmd.exe	97
PID 4732 wrote to memory of 3796	4732	cmd.exe	98
PID 4732 wrote to memory of 3796	4732	cmd.exe	98
PID 4732 wrote to memory of 4836	4732	cmd.exe	99
PID 4732 wrote to memory of 4836	4732	cmd.exe	99
PID 4732 wrote to memory of 2208	4732	cmd.exe	100
PID 4732 wrote to memory of 2208	4732	cmd.exe	100
PID 4732 wrote to memory of 3192	4732	cmd.exe	101
PID 4732 wrote to memory of 3192	4732	cmd.exe	101
PID 4732 wrote to memory of 2920	4732	cmd.exe	102
PID 4732 wrote to memory of 2920	4732	cmd.exe	102
PID 4732 wrote to memory of 3760	4732	cmd.exe	103
PID 4732 wrote to memory of 3760	4732	cmd.exe	103
PID 4732 wrote to memory of 5112	4732	cmd.exe	104
PID 4732 wrote to memory of 5112	4732	cmd.exe	104
PID 4732 wrote to memory of 5100	4732	cmd.exe	105
PID 4732 wrote to memory of 5100	4732	cmd.exe	105
PID 4732 wrote to memory of 3288	4732	cmd.exe	106
PID 4732 wrote to memory of 3288	4732	cmd.exe	106
PID 4732 wrote to memory of 3196	4732	cmd.exe	107
PID 4732 wrote to memory of 3196	4732	cmd.exe	107
PID 4732 wrote to memory of 888	4732	cmd.exe	108
PID 4732 wrote to memory of 888	4732	cmd.exe	108
PID 4732 wrote to memory of 1348	4732	cmd.exe	109
PID 4732 wrote to memory of 1348	4732	cmd.exe	109
PID 3384 wrote to memory of 1328	3384	HpsrSpoof.exe	110
PID 3384 wrote to memory of 1328	3384	HpsrSpoof.exe	110
PID 1328 wrote to memory of 1252	1328	cmd.exe	111
PID 1328 wrote to memory of 1252	1328	cmd.exe	111
PID 3384 wrote to memory of 4580	3384	HpsrSpoof.exe	112
PID 3384 wrote to memory of 4580	3384	HpsrSpoof.exe	112
PID 4580 wrote to memory of 4992	4580	cmd.exe	113
PID 4580 wrote to memory of 4992	4580	cmd.exe	113
PID 3384 wrote to memory of 3804	3384	HpsrSpoof.exe	179
PID 3384 wrote to memory of 3804	3384	HpsrSpoof.exe	179
PID 3804 wrote to memory of 4072	3804	cmd.exe	115
PID 3804 wrote to memory of 4072	3804	cmd.exe	115
PID 3384 wrote to memory of 4508	3384	HpsrSpoof.exe	116
PID 3384 wrote to memory of 4508	3384	HpsrSpoof.exe	116
PID 4508 wrote to memory of 4176	4508	cmd.exe	117
PID 4508 wrote to memory of 4176	4508	cmd.exe	117
PID 3384 wrote to memory of 2880	3384	HpsrSpoof.exe	118
PID 3384 wrote to memory of 2880	3384	HpsrSpoof.exe	118
PID 2880 wrote to memory of 4360	2880	cmd.exe	119
PID 2880 wrote to memory of 4360	2880	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Roaming\sWsmPty.exe
  "C:\Users\Admin\AppData\Roaming\sWsmPty.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
  "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4100
- C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
  "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 1P63-T1MP
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 1P63-T1MP
      4⤵
      Executes dropped EXE
      PID:1532
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1196
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3880
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2280
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3796
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4836
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2208
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3192
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2920
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3760
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5112
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5100
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3288
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3196
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:888
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 11539HP-TRGT21705AB
      4⤵
      Executes dropped EXE
      PID:1252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 211539HP-TRGT21705RV
      4⤵
      Executes dropped EXE
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 811539HP-TRGT21705SG
      4⤵
      Executes dropped EXE
      PID:4072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      Executes dropped EXE
      PID:4176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 511542HP-TRGT32454SL
      4⤵
      Executes dropped EXE
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:1500
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 411542HP-TRGT32454FA
      4⤵
      Executes dropped EXE
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:3152
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 611542HP-TRGT32454FU
      4⤵
      Executes dropped EXE
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:4484
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 311542HP-TRGT32454DQ
      4⤵
      Executes dropped EXE
      PID:3636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:4700
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 711542HP-TRGT32454MST
      4⤵
      Executes dropped EXE
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:1920
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      Executes dropped EXE
      PID:4724
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    PID:2744
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 11559HP-TRGT20660AB
      4⤵
      Executes dropped EXE
      PID:4012
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    PID:4736
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 211559HP-TRGT20660RV
      4⤵
      Executes dropped EXE
      PID:2940
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    PID:1592
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 811559HP-TRGT20660SG
      4⤵
      Executes dropped EXE
      PID:3312
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    PID:3044
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      Executes dropped EXE
      PID:3236
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    PID:3492
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 511559HP-TRGT20660SL
      4⤵
      Executes dropped EXE
      PID:1532
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:5048
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 411562HP-TRGT31408FA
      4⤵
      Executes dropped EXE
      PID:4520
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:4860
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 611562HP-TRGT31408FU
      4⤵
      Executes dropped EXE
      PID:2192
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:1968
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 311562HP-TRGT31408DQ
      4⤵
      Executes dropped EXE
      PID:4664
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:2804
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 711562HP-TRGT31408MST
      4⤵
      Executes dropped EXE
      PID:2140
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:4920
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      Executes dropped EXE
      PID:3288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    PID:3796
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 11578HP-TRGT19614AB
      4⤵
      Executes dropped EXE
      PID:3028
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    PID:3736
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 211578HP-TRGT19614RV
      4⤵
      Executes dropped EXE
      PID:1288
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    PID:4836
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 811578HP-TRGT19614SG
      4⤵
      Executes dropped EXE
      PID:1916
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    PID:452
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      Executes dropped EXE
      PID:4456
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    PID:3272
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 511578HP-TRGT19614SL
      4⤵
      Executes dropped EXE
      PID:2444
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:1832
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 411578HP-TRGT19614FA
      4⤵
      Executes dropped EXE
      PID:4764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:4452
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 611578HP-TRGT19614FU
      4⤵
      Executes dropped EXE
      PID:800
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:3804
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 311578HP-TRGT19614DQ
      4⤵
      Executes dropped EXE
      PID:3636
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:1268
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 711578HP-TRGT19614MST
      4⤵
      Executes dropped EXE
      PID:1340
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:2272
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      Executes dropped EXE
      PID:2468
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: SAHV-07OU
    3⤵
    PID:2808
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: SAHV-07OU
      4⤵
      Executes dropped EXE
      PID:1740
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: LNIE-ZT97
    3⤵
    PID:2744
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: LNIE-ZT97
      4⤵
      Executes dropped EXE
      PID:4224
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: OL3P-ONH1
    3⤵
    PID:3060
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: OL3P-ONH1
      4⤵
      Executes dropped EXE
      PID:456
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: ERTZ-6D01
    3⤵
    PID:2552
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: ERTZ-6D01
      4⤵
      Executes dropped EXE
      PID:4480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: Z13I-JP4Z
    3⤵
    PID:1876
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: Z13I-JP4Z
      4⤵
      Executes dropped EXE
      PID:2156
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: B9I4-0T25
    3⤵
    PID:2972
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4920
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: B9I4-0T25
      4⤵
      Executes dropped EXE
      PID:3156
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: HZRU-BSO1
    3⤵
    PID:1932
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: HZRU-BSO1
      4⤵
      Executes dropped EXE
      PID:976
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: K4S2-IZKF
    3⤵
    PID:3192
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: K4S2-IZKF
      4⤵
      Executes dropped EXE
      PID:1912
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: L9UF-NV4M
    3⤵
    PID:3028
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: L9UF-NV4M
      4⤵
      Executes dropped EXE
      PID:3764
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: LLP3-715H
    3⤵
    PID:916
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: LLP3-715H
      4⤵
      Executes dropped EXE
      PID:4992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: DDC4-8IFI
    3⤵
    PID:4840
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: DDC4-8IFI
      4⤵
      Executes dropped EXE
      PID:3936
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: IZBR-COG7
    3⤵
    PID:3760
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: IZBR-COG7
      4⤵
      Executes dropped EXE
      PID:4296
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: JRS4-CFTA
    3⤵
    PID:392
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: JRS4-CFTA
      4⤵
      Executes dropped EXE
      PID:3268
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: EKK4-B0ZP
    3⤵
    PID:4220
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: EKK4-B0ZP
      4⤵
      Executes dropped EXE
      PID:3260
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: F316-C24B
    3⤵
    PID:1340
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: F316-C24B
      4⤵
      Executes dropped EXE
      PID:64
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: CKFT-8NSR
    3⤵
    PID:2800
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: CKFT-8NSR
      4⤵
      PID:4972
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: U67T-4O8D
    3⤵
    PID:2408
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: U67T-4O8D
      4⤵
      PID:3996
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: ZOD2-N3DZ
    3⤵
    PID:1392
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: ZOD2-N3DZ
      4⤵
      PID:2476
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: L1H4-SJTT
    3⤵
    PID:2716
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: L1H4-SJTT
      4⤵
      PID:2744
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: MJ92-OJ1C
    3⤵
    PID:4760
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: MJ92-OJ1C
      4⤵
      PID:4656
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: O0IN-0K82
    3⤵
    PID:2080
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: O0IN-0K82
      4⤵
      PID:4596
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: KSOB-32P5
    3⤵
    PID:2564
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: KSOB-32P5
      4⤵
      PID:2772
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 9II9-E61C
    3⤵
    PID:3348
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 9II9-E61C
      4⤵
      PID:4604
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
    3⤵
    PID:2156
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
    3⤵
    PID:2072
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
    3⤵
    PID:4860
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
    3⤵
    PID:1796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
    3⤵
    PID:632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
    3⤵
    PID:3596
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
    3⤵
    PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery