stealc | 24d5a4217ca7cbac8b0d33663c7eac767c0248ed2e83c42ac242fd7b9007d42f

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VC_redistx64.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VC_redistx64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VC_redistx64.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	VC_redistx64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	HpsrSpoof.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	SyncSpoofer.exe

Executes dropped EXE 64 IoCs

pid	Process
1052	sWsmPty.exe
1768	VC_redistx64.exe
2864	HpsrSpoof.exe
468	Volumeid64.exe
3300	DevManView.exe
2932	DevManView.exe
4596	DevManView.exe
4548	DevManView.exe
3056	DevManView.exe
1492	DevManView.exe
1120	DevManView.exe
1464	DevManView.exe
4528	DevManView.exe
1580	DevManView.exe
4816	DevManView.exe
2512	DevManView.exe
5116	DevManView.exe
4956	DevManView.exe
1176	DevManView.exe
208	AMIDEWINx64.exe
4172	AMIDEWINx64.exe
1156	AMIDEWINx64.exe
1092	AMIDEWINx64.exe
2708	AMIDEWINx64.exe
1912	AMIDEWINx64.exe
4588	AMIDEWINx64.exe
1680	AMIDEWINx64.exe
4476	AMIDEWINx64.exe
792	AMIDEWINx64.exe
4540	AMIDEWINx64.exe
2916	AMIDEWINx64.exe
936	AMIDEWINx64.exe
3424	AMIDEWINx64.exe
4240	AMIDEWINx64.exe
4880	AMIDEWINx64.exe
4376	AMIDEWINx64.exe
2316	AMIDEWINx64.exe
3768	AMIDEWINx64.exe
2092	AMIDEWINx64.exe
2920	AMIDEWINx64.exe
1540	AMIDEWINx64.exe
224	AMIDEWINx64.exe
2800	AMIDEWINx64.exe
4560	AMIDEWINx64.exe
3968	AMIDEWINx64.exe
2936	AMIDEWINx64.exe
2744	AMIDEWINx64.exe
4148	AMIDEWINx64.exe
1584	AMIDEWINx64.exe
4540	Volumeid64.exe
760	Volumeid64.exe
972	Volumeid64.exe
4672	Volumeid64.exe
892	Volumeid64.exe
1120	Volumeid64.exe
3392	Volumeid64.exe
4692	Volumeid64.exe
1984	Volumeid64.exe
1976	Volumeid64.exe
2708	Volumeid64.exe
2512	Volumeid64.exe
3512	Volumeid64.exe
3044	Volumeid64.exe
416	Volumeid64.exe

Loads dropped DLL 2 IoCs

pid	Process
1052	sWsmPty.exe
1052	sWsmPty.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000b000000023b63-19.dat	themida
behavioral2/memory/1768-29-0x0000000000400000-0x0000000000B78000-memory.dmp	themida
behavioral2/memory/1768-35-0x0000000000400000-0x0000000000B78000-memory.dmp	themida
behavioral2/memory/1768-34-0x0000000000400000-0x0000000000B78000-memory.dmp	themida
behavioral2/memory/1768-149-0x0000000000400000-0x0000000000B78000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\Users\\Admin\\AppData\\Local\\MyHiddenFolder\\VC_redistx64.exe"	VC_redistx64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VC_redistx64.exe

Enumerates connected drives 3 TTPs 30 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\F:	DevManView.exe
File opened (read-only)	\??\D:	DevManView.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance = "0"	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DevManView.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count = "0"	DevManView.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1768	VC_redistx64.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DevManView.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sWsmPty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redistx64.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Control	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGuid	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LocationInformation	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGuid	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Control	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ContainerID	DevManView.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGuid	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ClassGuid	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000	DevManView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000	DevManView.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	DevManView.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	DevManView.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sWsmPty.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sWsmPty.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1768	VC_redistx64.exe
1768	VC_redistx64.exe
1052	sWsmPty.exe
1052	sWsmPty.exe
2932	DevManView.exe
2932	DevManView.exe
3056	DevManView.exe
3056	DevManView.exe
4548	DevManView.exe
4548	DevManView.exe
1120	DevManView.exe
1120	DevManView.exe
1464	DevManView.exe
1464	DevManView.exe
1492	DevManView.exe
3300	DevManView.exe
3300	DevManView.exe
4596	DevManView.exe
4596	DevManView.exe
4548	DevManView.exe
2512	DevManView.exe
2512	DevManView.exe
4528	DevManView.exe
4528	DevManView.exe
1492	DevManView.exe
1580	DevManView.exe
1580	DevManView.exe
5116	DevManView.exe
5116	DevManView.exe
1176	DevManView.exe
4956	DevManView.exe
4956	DevManView.exe
1176	DevManView.exe
4816	DevManView.exe
4816	DevManView.exe
1052	sWsmPty.exe
1052	sWsmPty.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2864	HpsrSpoof.exe

Suspicious behavior: LoadsDriver 23 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2932	DevManView.exe
Token: SeRestorePrivilege	2932	DevManView.exe
Token: SeTakeOwnershipPrivilege	2932	DevManView.exe
Token: SeBackupPrivilege	3300	DevManView.exe
Token: SeRestorePrivilege	3300	DevManView.exe
Token: SeTakeOwnershipPrivilege	3300	DevManView.exe
Token: SeBackupPrivilege	4596	DevManView.exe
Token: SeRestorePrivilege	4596	DevManView.exe
Token: SeTakeOwnershipPrivilege	4596	DevManView.exe
Token: SeBackupPrivilege	3056	DevManView.exe
Token: SeRestorePrivilege	3056	DevManView.exe
Token: SeTakeOwnershipPrivilege	3056	DevManView.exe
Token: SeImpersonatePrivilege	2932	DevManView.exe
Token: SeBackupPrivilege	4548	DevManView.exe
Token: SeRestorePrivilege	4548	DevManView.exe
Token: SeTakeOwnershipPrivilege	4548	DevManView.exe
Token: SeBackupPrivilege	1492	DevManView.exe
Token: SeRestorePrivilege	1492	DevManView.exe
Token: SeTakeOwnershipPrivilege	1492	DevManView.exe
Token: SeBackupPrivilege	1120	DevManView.exe
Token: SeRestorePrivilege	1120	DevManView.exe
Token: SeTakeOwnershipPrivilege	1120	DevManView.exe
Token: SeBackupPrivilege	1464	DevManView.exe
Token: SeRestorePrivilege	1464	DevManView.exe
Token: SeTakeOwnershipPrivilege	1464	DevManView.exe
Token: SeImpersonatePrivilege	3300	DevManView.exe
Token: SeImpersonatePrivilege	4596	DevManView.exe
Token: SeImpersonatePrivilege	3056	DevManView.exe
Token: SeImpersonatePrivilege	4548	DevManView.exe
Token: SeImpersonatePrivilege	1120	DevManView.exe
Token: SeImpersonatePrivilege	1464	DevManView.exe
Token: SeBackupPrivilege	2512	DevManView.exe
Token: SeRestorePrivilege	2512	DevManView.exe
Token: SeTakeOwnershipPrivilege	2512	DevManView.exe
Token: SeBackupPrivilege	5116	DevManView.exe
Token: SeRestorePrivilege	5116	DevManView.exe
Token: SeTakeOwnershipPrivilege	5116	DevManView.exe
Token: SeBackupPrivilege	4528	DevManView.exe
Token: SeRestorePrivilege	4528	DevManView.exe
Token: SeTakeOwnershipPrivilege	4528	DevManView.exe
Token: SeBackupPrivilege	4956	DevManView.exe
Token: SeRestorePrivilege	4956	DevManView.exe
Token: SeTakeOwnershipPrivilege	4956	DevManView.exe
Token: SeImpersonatePrivilege	4528	DevManView.exe
Token: SeBackupPrivilege	1176	DevManView.exe
Token: SeRestorePrivilege	1176	DevManView.exe
Token: SeTakeOwnershipPrivilege	1176	DevManView.exe
Token: SeBackupPrivilege	1580	DevManView.exe
Token: SeRestorePrivilege	1580	DevManView.exe
Token: SeTakeOwnershipPrivilege	1580	DevManView.exe
Token: SeImpersonatePrivilege	2512	DevManView.exe
Token: SeImpersonatePrivilege	4956	DevManView.exe
Token: SeImpersonatePrivilege	1492	DevManView.exe
Token: SeImpersonatePrivilege	5116	DevManView.exe
Token: SeImpersonatePrivilege	1176	DevManView.exe
Token: SeImpersonatePrivilege	1580	DevManView.exe
Token: SeBackupPrivilege	4816	DevManView.exe
Token: SeRestorePrivilege	4816	DevManView.exe
Token: SeTakeOwnershipPrivilege	4816	DevManView.exe
Token: SeImpersonatePrivilege	4816	DevManView.exe
Token: SeLoadDriverPrivilege	4956	DevManView.exe
Token: SeLoadDriverPrivilege	1580	DevManView.exe
Token: SeLoadDriverPrivilege	4956	DevManView.exe
Token: SeLoadDriverPrivilege	1580	DevManView.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1052	1708	SyncSpoofer.exe	86
PID 1708 wrote to memory of 1052	1708	SyncSpoofer.exe	86
PID 1708 wrote to memory of 1052	1708	SyncSpoofer.exe	86
PID 1708 wrote to memory of 1768	1708	SyncSpoofer.exe	87
PID 1708 wrote to memory of 1768	1708	SyncSpoofer.exe	87
PID 1708 wrote to memory of 1768	1708	SyncSpoofer.exe	87
PID 1708 wrote to memory of 2864	1708	SyncSpoofer.exe	88
PID 1708 wrote to memory of 2864	1708	SyncSpoofer.exe	88
PID 2864 wrote to memory of 892	2864	HpsrSpoof.exe	90
PID 2864 wrote to memory of 892	2864	HpsrSpoof.exe	90
PID 892 wrote to memory of 468	892	cmd.exe	92
PID 892 wrote to memory of 468	892	cmd.exe	92
PID 2864 wrote to memory of 4856	2864	HpsrSpoof.exe	94
PID 2864 wrote to memory of 4856	2864	HpsrSpoof.exe	94
PID 4856 wrote to memory of 3300	4856	cmd.exe	96
PID 4856 wrote to memory of 3300	4856	cmd.exe	96
PID 4856 wrote to memory of 2932	4856	cmd.exe	97
PID 4856 wrote to memory of 2932	4856	cmd.exe	97
PID 4856 wrote to memory of 4596	4856	cmd.exe	98
PID 4856 wrote to memory of 4596	4856	cmd.exe	98
PID 4856 wrote to memory of 4548	4856	cmd.exe	99
PID 4856 wrote to memory of 4548	4856	cmd.exe	99
PID 4856 wrote to memory of 3056	4856	cmd.exe	100
PID 4856 wrote to memory of 3056	4856	cmd.exe	100
PID 4856 wrote to memory of 1492	4856	cmd.exe	101
PID 4856 wrote to memory of 1492	4856	cmd.exe	101
PID 4856 wrote to memory of 4816	4856	cmd.exe	102
PID 4856 wrote to memory of 4816	4856	cmd.exe	102
PID 4856 wrote to memory of 1120	4856	cmd.exe	103
PID 4856 wrote to memory of 1120	4856	cmd.exe	103
PID 4856 wrote to memory of 1464	4856	cmd.exe	104
PID 4856 wrote to memory of 1464	4856	cmd.exe	104
PID 4856 wrote to memory of 2512	4856	cmd.exe	105
PID 4856 wrote to memory of 2512	4856	cmd.exe	105
PID 4856 wrote to memory of 5116	4856	cmd.exe	106
PID 4856 wrote to memory of 5116	4856	cmd.exe	106
PID 4856 wrote to memory of 4528	4856	cmd.exe	107
PID 4856 wrote to memory of 4528	4856	cmd.exe	107
PID 4856 wrote to memory of 4956	4856	cmd.exe	108
PID 4856 wrote to memory of 4956	4856	cmd.exe	108
PID 4856 wrote to memory of 1580	4856	cmd.exe	109
PID 4856 wrote to memory of 1580	4856	cmd.exe	109
PID 4856 wrote to memory of 1176	4856	cmd.exe	110
PID 4856 wrote to memory of 1176	4856	cmd.exe	110
PID 2864 wrote to memory of 60	2864	HpsrSpoof.exe	175
PID 2864 wrote to memory of 60	2864	HpsrSpoof.exe	175
PID 60 wrote to memory of 208	60	cmd.exe	112
PID 60 wrote to memory of 208	60	cmd.exe	112
PID 2864 wrote to memory of 1068	2864	HpsrSpoof.exe	113
PID 2864 wrote to memory of 1068	2864	HpsrSpoof.exe	113
PID 1068 wrote to memory of 4172	1068	cmd.exe	114
PID 1068 wrote to memory of 4172	1068	cmd.exe	114
PID 2864 wrote to memory of 2264	2864	HpsrSpoof.exe	115
PID 2864 wrote to memory of 2264	2864	HpsrSpoof.exe	115
PID 2264 wrote to memory of 1156	2264	cmd.exe	116
PID 2264 wrote to memory of 1156	2264	cmd.exe	116
PID 2864 wrote to memory of 1892	2864	HpsrSpoof.exe	117
PID 2864 wrote to memory of 1892	2864	HpsrSpoof.exe	117
PID 1892 wrote to memory of 1092	1892	cmd.exe	181
PID 1892 wrote to memory of 1092	1892	cmd.exe	181
PID 2864 wrote to memory of 3828	2864	HpsrSpoof.exe	119
PID 2864 wrote to memory of 3828	2864	HpsrSpoof.exe	119
PID 3828 wrote to memory of 2708	3828	cmd.exe	226
PID 3828 wrote to memory of 2708	3828	cmd.exe	226

C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\SyncSpoofer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Roaming\sWsmPty.exe
  "C:\Users\Admin\AppData\Roaming\sWsmPty.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1052
- C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
  "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1768
- C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe
  "C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: LOSO-781A
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: LOSO-781A
      4⤵
      Executes dropped EXE
      PID:468
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3300
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2932
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4596
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4548
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3056
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1492
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4816
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1120
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1464
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2512
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5116
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4528
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4956
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1580
  - - C:\ProgramData\Microsoft\Windows\DevManView.exe
      C:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Maps connected drives based on registry
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 22390HP-TRGT32506AB
      4⤵
      Executes dropped EXE
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 222393HP-TRGT10487RV
      4⤵
      Executes dropped EXE
      PID:4172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 822393HP-TRGT10487SG
      4⤵
      Executes dropped EXE
      PID:1156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      Executes dropped EXE
      PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 522393HP-TRGT10487SL
      4⤵
      Executes dropped EXE
      PID:2708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:1632
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 422393HP-TRGT10487FA
      4⤵
      Executes dropped EXE
      PID:1912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:5076
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 622393HP-TRGT10487FU
      4⤵
      Executes dropped EXE
      PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:2428
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 322393HP-TRGT10487DQ
      4⤵
      Executes dropped EXE
      PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:2720
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 722393HP-TRGT10487MST
      4⤵
      Executes dropped EXE
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:3820
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      Executes dropped EXE
      PID:792
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    PID:3212
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 22413HP-TRGT9441AB
      4⤵
      Executes dropped EXE
      PID:4540
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    PID:1436
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 222413HP-TRGT9441RV
      4⤵
      Executes dropped EXE
      PID:2916
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    PID:4400
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 822413HP-TRGT9441SG
      4⤵
      Executes dropped EXE
      PID:936
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    PID:4980
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      Executes dropped EXE
      PID:3424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    PID:3040
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 522413HP-TRGT9441SL
      4⤵
      Executes dropped EXE
      PID:4240
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:4876
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 422413HP-TRGT9441FA
      4⤵
      Executes dropped EXE
      PID:4880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:2488
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 622413HP-TRGT9441FU
      4⤵
      Executes dropped EXE
      PID:2316
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:3516
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 322413HP-TRGT9441DQ
      4⤵
      Executes dropped EXE
      PID:4376
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:3220
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 722413HP-TRGT9441MST
      4⤵
      Executes dropped EXE
      PID:3768
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:1364
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      Executes dropped EXE
      PID:2092
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB
    3⤵
    PID:2932
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 22429HP-TRGT30415AB
      4⤵
      Executes dropped EXE
      PID:2920
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV
    3⤵
    PID:3020
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 222429HP-TRGT30415RV
      4⤵
      Executes dropped EXE
      PID:2800
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG
    3⤵
    PID:3260
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 822429HP-TRGT30415SG
      4⤵
      Executes dropped EXE
      PID:1540
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
    3⤵
    PID:4952
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto
      4⤵
      Executes dropped EXE
      PID:224
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL
    3⤵
    PID:216
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 522429HP-TRGT30415SL
      4⤵
      Executes dropped EXE
      PID:3968
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA
    3⤵
    PID:3956
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 422429HP-TRGT30415FA
      4⤵
      Executes dropped EXE
      PID:4560
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU
    3⤵
    PID:3804
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:60
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 622429HP-TRGT30415FU
      4⤵
      Executes dropped EXE
      PID:4148
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ
    3⤵
    PID:3384
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 322429HP-TRGT30415DQ
      4⤵
      Executes dropped EXE
      PID:2936
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST
    3⤵
    PID:1092
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 722429HP-TRGT30415MST
      4⤵
      Executes dropped EXE
      PID:2744
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
    3⤵
    PID:1876
  - - C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
      C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF
      4⤵
      Executes dropped EXE
      PID:1584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 5THV-74I0
    3⤵
    PID:3648
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 5THV-74I0
      4⤵
      Executes dropped EXE
      PID:4540
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: HR74-87AT
    3⤵
    PID:4804
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: HR74-87AT
      4⤵
      Executes dropped EXE
      PID:760
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 0BEA-LJC3
    3⤵
    PID:3988
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: 0BEA-LJC3
      4⤵
      Executes dropped EXE
      PID:972
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: FII2-FRJ9
    3⤵
    PID:3564
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: FII2-FRJ9
      4⤵
      Executes dropped EXE
      PID:4672
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: EFBN-MPPK
    3⤵
    PID:4996
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: EFBN-MPPK
      4⤵
      Executes dropped EXE
      PID:892
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: 4ZTV-VFG7
    3⤵
    PID:2712
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: 4ZTV-VFG7
      4⤵
      Executes dropped EXE
      PID:1120
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: FHPD-MJEK
    3⤵
    PID:3264
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: FHPD-MJEK
      4⤵
      Executes dropped EXE
      PID:3392
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: K5DT-B4KH
    3⤵
    PID:4684
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: K5DT-B4KH
      4⤵
      Executes dropped EXE
      PID:4692
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: O8DJ-5HG2
    3⤵
    PID:3632
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: O8DJ-5HG2
      4⤵
      Executes dropped EXE
      PID:1984
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 1TFR-24JZ
    3⤵
    PID:3172
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: 1TFR-24JZ
      4⤵
      Executes dropped EXE
      PID:1976
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: NITZ-D29O
    3⤵
    PID:3048
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: NITZ-D29O
      4⤵
      Executes dropped EXE
      PID:2708
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: V842-TI5K
    3⤵
    PID:4780
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4588
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: V842-TI5K
      4⤵
      Executes dropped EXE
      PID:2512
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: P1OI-2SMZ
    3⤵
    PID:2920
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: P1OI-2SMZ
      4⤵
      Executes dropped EXE
      PID:3512
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: ANLI-UZU2
    3⤵
    PID:3872
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3804
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: ANLI-UZU2
      4⤵
      Executes dropped EXE
      PID:3044
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: BUMC-ZER1
    3⤵
    PID:624
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: BUMC-ZER1
      4⤵
      Executes dropped EXE
      PID:416
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: E8Z0-N5JH
    3⤵
    PID:392
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: E8Z0-N5JH
      4⤵
      PID:2908
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 9GVG-7V24
    3⤵
    PID:1888
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: 9GVG-7V24
      4⤵
      PID:5056
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 56GP-J7IS
    3⤵
    PID:4272
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 56GP-J7IS
      4⤵
      PID:3464
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 74A8-BAR3
    3⤵
    PID:3676
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: 74A8-BAR3
      4⤵
      PID:4012
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: FDVU-S7J3
    3⤵
    PID:1056
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: FDVU-S7J3
      4⤵
      PID:1444
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: T1ES-05RT
    3⤵
    PID:2448
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: T1ES-05RT
      4⤵
      PID:2032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 4JPU-KHEL
    3⤵
    PID:3988
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: 4JPU-KHEL
      4⤵
      PID:4284
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: BKHE-2AE3
    3⤵
    PID:3040
  - - C:\ProgramData\Microsoft\Windows\Volumeid64.exe
      C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: BKHE-2AE3
      4⤵
      PID:1476
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg
    3⤵
    PID:3564
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm
    3⤵
    PID:400
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe
    3⤵
    PID:4376
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
    3⤵
    PID:1364
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
    3⤵
    PID:2248
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
    3⤵
    PID:4480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat
    3⤵
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery