83dc40c5814d63f0ff34410b5d0b73cc9eedec070af5f6934d63f73d562835f8

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	adobe.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	IRMOutstandingReport_1594432868602.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	IRMOutstandingReport_1594432868602.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1836	adobe.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1480	adobe.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 1528	1104	IRMOutstandingReport_1594432868602.exe	30
PID 1836 set thread context of 1480	1836	adobe.exe	36

Loads dropped DLL 8 IoCs

pid	Process
1528	IRMOutstandingReport_1594432868602.exe
1808	Process not Found
1480	adobe.exe
1480	adobe.exe
1480	adobe.exe
1480	adobe.exe
1480	adobe.exe
1480	adobe.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	adobe.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	adobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	IRMOutstandingReport_1594432868602.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	IRMOutstandingReport_1594432868602.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	adobe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	adobe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	adobe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	adobe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run entry to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\microsoft.exe = "C:\\ProgramData\\adobe.exe"	IRMOutstandingReport_1594432868602.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1104	IRMOutstandingReport_1594432868602.exe
1104	IRMOutstandingReport_1594432868602.exe
1104	IRMOutstandingReport_1594432868602.exe
1104	IRMOutstandingReport_1594432868602.exe
1816	powershell.exe
1816	powershell.exe
1836	adobe.exe
684	powershell.exe
684	powershell.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\ProgramData:ApplicationData	IRMOutstandingReport_1594432868602.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	adobe.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
744	schtasks.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IRMOutstandingReport_1594432868602.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adobe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	adobe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IRMOutstandingReport_1594432868602.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	IRMOutstandingReport_1594432868602.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	IRMOutstandingReport_1594432868602.exe

Modifies WinLogon 2 TTPs 4 IoCs

Winlogon Helper DLL

T1004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	adobe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\jBggKKA = "0"	adobe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	adobe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	adobe.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 744	1104	IRMOutstandingReport_1594432868602.exe	25
PID 1104 wrote to memory of 744	1104	IRMOutstandingReport_1594432868602.exe	25
PID 1104 wrote to memory of 744	1104	IRMOutstandingReport_1594432868602.exe	25
PID 1104 wrote to memory of 744	1104	IRMOutstandingReport_1594432868602.exe	25
PID 1104 wrote to memory of 1056	1104	IRMOutstandingReport_1594432868602.exe	27
PID 1104 wrote to memory of 1056	1104	IRMOutstandingReport_1594432868602.exe	27
PID 1104 wrote to memory of 1056	1104	IRMOutstandingReport_1594432868602.exe	27
PID 1104 wrote to memory of 1056	1104	IRMOutstandingReport_1594432868602.exe	27
PID 1104 wrote to memory of 1092	1104	IRMOutstandingReport_1594432868602.exe	28
PID 1104 wrote to memory of 1092	1104	IRMOutstandingReport_1594432868602.exe	28
PID 1104 wrote to memory of 1092	1104	IRMOutstandingReport_1594432868602.exe	28
PID 1104 wrote to memory of 1092	1104	IRMOutstandingReport_1594432868602.exe	28
PID 1104 wrote to memory of 1044	1104	IRMOutstandingReport_1594432868602.exe	29
PID 1104 wrote to memory of 1044	1104	IRMOutstandingReport_1594432868602.exe	29
PID 1104 wrote to memory of 1044	1104	IRMOutstandingReport_1594432868602.exe	29
PID 1104 wrote to memory of 1044	1104	IRMOutstandingReport_1594432868602.exe	29
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	30
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	30
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	30
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	30
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	30
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	30
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	30
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	30
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	30
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	30
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	30
PID 1104 wrote to memory of 1528	1104	IRMOutstandingReport_1594432868602.exe	30
PID 1528 wrote to memory of 1816	1528	IRMOutstandingReport_1594432868602.exe	31
PID 1528 wrote to memory of 1816	1528	IRMOutstandingReport_1594432868602.exe	31
PID 1528 wrote to memory of 1816	1528	IRMOutstandingReport_1594432868602.exe	31
PID 1528 wrote to memory of 1816	1528	IRMOutstandingReport_1594432868602.exe	31
PID 1528 wrote to memory of 1836	1528	IRMOutstandingReport_1594432868602.exe	32
PID 1528 wrote to memory of 1836	1528	IRMOutstandingReport_1594432868602.exe	32
PID 1528 wrote to memory of 1836	1528	IRMOutstandingReport_1594432868602.exe	32
PID 1528 wrote to memory of 1836	1528	IRMOutstandingReport_1594432868602.exe	32
PID 1836 wrote to memory of 1480	1836	adobe.exe	36
PID 1836 wrote to memory of 1480	1836	adobe.exe	36
PID 1836 wrote to memory of 1480	1836	adobe.exe	36
PID 1836 wrote to memory of 1480	1836	adobe.exe	36
PID 1836 wrote to memory of 1480	1836	adobe.exe	36
PID 1836 wrote to memory of 1480	1836	adobe.exe	36
PID 1836 wrote to memory of 1480	1836	adobe.exe	36
PID 1836 wrote to memory of 1480	1836	adobe.exe	36
PID 1836 wrote to memory of 1480	1836	adobe.exe	36
PID 1836 wrote to memory of 1480	1836	adobe.exe	36
PID 1836 wrote to memory of 1480	1836	adobe.exe	36
PID 1836 wrote to memory of 1480	1836	adobe.exe	36
PID 1480 wrote to memory of 684	1480	adobe.exe	37
PID 1480 wrote to memory of 684	1480	adobe.exe	37
PID 1480 wrote to memory of 684	1480	adobe.exe	37
PID 1480 wrote to memory of 684	1480	adobe.exe	37
PID 1480 wrote to memory of 528	1480	adobe.exe	38
PID 1480 wrote to memory of 528	1480	adobe.exe	38
PID 1480 wrote to memory of 528	1480	adobe.exe	38
PID 1480 wrote to memory of 528	1480	adobe.exe	38
PID 1480 wrote to memory of 528	1480	adobe.exe	38
PID 1480 wrote to memory of 528	1480	adobe.exe	38

Executes dropped EXE 2 IoCs

pid	Process
1836	adobe.exe
1480	adobe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1480	adobe.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
1808	Process not Found
1808	Process not Found
1808	Process not Found

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	IRMOutstandingReport_1594432868602.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	adobe.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	adobe.exe

C:\Users\Admin\AppData\Local\Temp\IRMOutstandingReport_1594432868602.exe
"C:\Users\Admin\AppData\Local\Temp\IRMOutstandingReport_1594432868602.exe"
1⤵
- Looks for VMWare Tools registry key
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
- Looks for VirtualBox Guest Additions in registry
PID:1104
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oTIZQT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8545.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:744
- C:\Users\Admin\AppData\Local\Temp\IRMOutstandingReport_1594432868602.exe
  "{path}"
  2⤵
  PID:1056
- C:\Users\Admin\AppData\Local\Temp\IRMOutstandingReport_1594432868602.exe
  "{path}"
  2⤵
  PID:1092
- C:\Users\Admin\AppData\Local\Temp\IRMOutstandingReport_1594432868602.exe
  "{path}"
  2⤵
  PID:1044
- C:\Users\Admin\AppData\Local\Temp\IRMOutstandingReport_1594432868602.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - Adds Run entry to start application
  - NTFS ADS
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:1816
- - C:\ProgramData\adobe.exe
    "C:\ProgramData\adobe.exe"
    3⤵
    - Looks for VMWare Tools registry key
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Checks BIOS information in registry
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Looks for VirtualBox Guest Additions in registry
    PID:1836
  - - C:\ProgramData\adobe.exe
      "{path}"
      4⤵
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Loads dropped DLL
      Modifies system certificate store
      Sets DLL path for service in the registry
      Modifies WinLogon
      Suspicious use of WriteProcessMemory
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Drops file in System32 directory
      PID:1480
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious behavior: EnumeratesProcesses
        
        PID:684
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery