61d4ffa8f628b886b63e70a83fc7fcaf89cfe976ef1554f20d481487e5da94fe

Analysis

max time kernel
149s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bca80dd5c19443aa59f1e1d32a14986.exe
Size

1.0MB
MD5

a4eeeca0638de7188fc51993ded01fea
SHA1

9ddf88b0a022e6ca1e70f450126b6d3c27cbb573
SHA256

61d4ffa8f628b886b63e70a83fc7fcaf89cfe976ef1554f20d481487e5da94fe
SHA512

335e22ec69fc84715d4d28367e71bd8fc57e0538982375c86d3d0c5d4d0a8a3b0b616bf434873742c97855d5bc64adce17bb2f8a70e71cbfe0b1862b5c6858e3

Score

10^/10

discovery evasion spyware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Executes dropped EXE 3 IoCs

Processes:

2ORAPNk7URLRiqa3hnDm.exereviewruntime.exefontdrvhost.exe

pid process

3304 2ORAPNk7URLRiqa3hnDm.exe
3848 reviewruntime.exe
2516 fontdrvhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 ipinfo.io
22 ipinfo.io

pid	process
3304	2ORAPNk7URLRiqa3hnDm.exe
3848	reviewruntime.exe
2516	fontdrvhost.exe

flow	ioc
21	ipinfo.io
22	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

Processes:

fontdrvhost.exe

pid	process
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1484 schtasks.exe
1696 schtasks.exe
1948 schtasks.exe
2236 schtasks.exe
2460 schtasks.exe
1096 schtasks.exe
1056 schtasks.exe
1244 schtasks.exe

pid	process
1484	schtasks.exe
1696	schtasks.exe
1948	schtasks.exe
2236	schtasks.exe
2460	schtasks.exe
1096	schtasks.exe
1056	schtasks.exe
1244	schtasks.exe

Modifies registry class 2 IoCs

Processes:

7bca80dd5c19443aa59f1e1d32a14986.exe2ORAPNk7URLRiqa3hnDm.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	7bca80dd5c19443aa59f1e1d32a14986.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	2ORAPNk7URLRiqa3hnDm.exe

Suspicious behavior: EnumeratesProcesses 132 IoCs

Processes:

reviewruntime.exefontdrvhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3848	reviewruntime.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2400	powershell.exe
2400	powershell.exe
2516	fontdrvhost.exe
2400	powershell.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
2928	powershell.exe
2516	fontdrvhost.exe
4580	powershell.exe
4496	powershell.exe
4580	powershell.exe
2928	powershell.exe
2928	powershell.exe
4496	powershell.exe
4496	powershell.exe
4580	powershell.exe
4580	powershell.exe
4708	powershell.exe
4708	powershell.exe
3836	powershell.exe
3836	powershell.exe
4496	powershell.exe
3128	powershell.exe
2928	powershell.exe
3128	powershell.exe
4708	powershell.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
3936	powershell.exe
3936	powershell.exe
4708	powershell.exe
1860	powershell.exe
1860	powershell.exe
4400	powershell.exe
4400	powershell.exe
3836	powershell.exe
1468	powershell.exe
1468	powershell.exe
2300	powershell.exe
2300	powershell.exe
3128	powershell.exe
4344	powershell.exe
4344	powershell.exe
3936	powershell.exe
2516	fontdrvhost.exe
3836	powershell.exe
3836	powershell.exe
1860	powershell.exe
3128	powershell.exe
3128	powershell.exe
4400	powershell.exe
3936	powershell.exe
1468	powershell.exe
2300	powershell.exe
4344	powershell.exe
1860	powershell.exe
2516	fontdrvhost.exe
2516	fontdrvhost.exe
4400	powershell.exe
1468	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fontdrvhost.exe

pid process

2516 fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 288 IoCs

Processes:

reviewruntime.exefontdrvhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3848	reviewruntime.exe
Token: SeDebugPrivilege	2516	fontdrvhost.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeIncreaseQuotaPrivilege	2400	powershell.exe
Token: SeSecurityPrivilege	2400	powershell.exe
Token: SeTakeOwnershipPrivilege	2400	powershell.exe
Token: SeLoadDriverPrivilege	2400	powershell.exe
Token: SeSystemProfilePrivilege	2400	powershell.exe
Token: SeSystemtimePrivilege	2400	powershell.exe
Token: SeProfSingleProcessPrivilege	2400	powershell.exe
Token: SeIncBasePriorityPrivilege	2400	powershell.exe
Token: SeCreatePagefilePrivilege	2400	powershell.exe
Token: SeBackupPrivilege	2400	powershell.exe
Token: SeRestorePrivilege	2400	powershell.exe
Token: SeShutdownPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeSystemEnvironmentPrivilege	2400	powershell.exe
Token: SeRemoteShutdownPrivilege	2400	powershell.exe
Token: SeUndockPrivilege	2400	powershell.exe
Token: SeManageVolumePrivilege	2400	powershell.exe
Token: 33	2400	powershell.exe
Token: 34	2400	powershell.exe
Token: 35	2400	powershell.exe
Token: 36	2400	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeIncreaseQuotaPrivilege	4580	powershell.exe
Token: SeSecurityPrivilege	4580	powershell.exe
Token: SeTakeOwnershipPrivilege	4580	powershell.exe
Token: SeLoadDriverPrivilege	4580	powershell.exe
Token: SeSystemProfilePrivilege	4580	powershell.exe
Token: SeSystemtimePrivilege	4580	powershell.exe
Token: SeProfSingleProcessPrivilege	4580	powershell.exe
Token: SeIncBasePriorityPrivilege	4580	powershell.exe
Token: SeCreatePagefilePrivilege	4580	powershell.exe
Token: SeBackupPrivilege	4580	powershell.exe
Token: SeRestorePrivilege	4580	powershell.exe
Token: SeShutdownPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeSystemEnvironmentPrivilege	4580	powershell.exe
Token: SeRemoteShutdownPrivilege	4580	powershell.exe
Token: SeUndockPrivilege	4580	powershell.exe
Token: SeManageVolumePrivilege	4580	powershell.exe
Token: 33	4580	powershell.exe
Token: 34	4580	powershell.exe
Token: 35	4580	powershell.exe
Token: 36	4580	powershell.exe
Token: SeIncreaseQuotaPrivilege	4496	powershell.exe
Token: SeSecurityPrivilege	4496	powershell.exe
Token: SeTakeOwnershipPrivilege	4496	powershell.exe
Token: SeLoadDriverPrivilege	4496	powershell.exe
Token: SeSystemProfilePrivilege	4496	powershell.exe
Token: SeSystemtimePrivilege	4496	powershell.exe
Token: SeProfSingleProcessPrivilege	4496	powershell.exe
Token: SeIncBasePriorityPrivilege	4496	powershell.exe
Token: SeCreatePagefilePrivilege	4496	powershell.exe
Token: SeBackupPrivilege	4496	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

fontdrvhost.exe

pid process

2516 fontdrvhost.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

7bca80dd5c19443aa59f1e1d32a14986.exeWScript.execmd.exe2ORAPNk7URLRiqa3hnDm.exeWScript.execmd.exereviewruntime.exefontdrvhost.exe

description	pid	process	target process
PID 4644 wrote to memory of 3560	4644	7bca80dd5c19443aa59f1e1d32a14986.exe	WScript.exe
PID 4644 wrote to memory of 3560	4644	7bca80dd5c19443aa59f1e1d32a14986.exe	WScript.exe
PID 4644 wrote to memory of 3560	4644	7bca80dd5c19443aa59f1e1d32a14986.exe	WScript.exe
PID 3560 wrote to memory of 3084	3560	WScript.exe	cmd.exe
PID 3560 wrote to memory of 3084	3560	WScript.exe	cmd.exe
PID 3560 wrote to memory of 3084	3560	WScript.exe	cmd.exe
PID 3084 wrote to memory of 3304	3084	cmd.exe	2ORAPNk7URLRiqa3hnDm.exe
PID 3084 wrote to memory of 3304	3084	cmd.exe	2ORAPNk7URLRiqa3hnDm.exe
PID 3084 wrote to memory of 3304	3084	cmd.exe	2ORAPNk7URLRiqa3hnDm.exe
PID 3304 wrote to memory of 3536	3304	2ORAPNk7URLRiqa3hnDm.exe	WScript.exe
PID 3304 wrote to memory of 3536	3304	2ORAPNk7URLRiqa3hnDm.exe	WScript.exe
PID 3304 wrote to memory of 3536	3304	2ORAPNk7URLRiqa3hnDm.exe	WScript.exe
PID 3536 wrote to memory of 3512	3536	WScript.exe	cmd.exe
PID 3536 wrote to memory of 3512	3536	WScript.exe	cmd.exe
PID 3536 wrote to memory of 3512	3536	WScript.exe	cmd.exe
PID 3512 wrote to memory of 3848	3512	cmd.exe	reviewruntime.exe
PID 3512 wrote to memory of 3848	3512	cmd.exe	reviewruntime.exe
PID 3848 wrote to memory of 1096	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 1096	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 1056	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 1056	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 1244	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 1244	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 1484	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 1484	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 1696	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 1696	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 1948	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 1948	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 2236	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 2236	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 2460	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 2460	3848	reviewruntime.exe	schtasks.exe
PID 3848 wrote to memory of 2516	3848	reviewruntime.exe	fontdrvhost.exe
PID 3848 wrote to memory of 2516	3848	reviewruntime.exe	fontdrvhost.exe
PID 2516 wrote to memory of 2400	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 2400	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 2928	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 2928	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 4580	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 4580	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 4496	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 4496	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 4708	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 4708	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 3836	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 3836	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 3128	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 3128	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 3936	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 3936	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 1860	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 1860	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 4400	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 4400	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 1468	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 1468	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 2300	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 2300	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 4344	2516	fontdrvhost.exe	powershell.exe
PID 2516 wrote to memory of 4344	2516	fontdrvhost.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\7bca80dd5c19443aa59f1e1d32a14986.exe
"C:\Users\Admin\AppData\Local\Temp\7bca80dd5c19443aa59f1e1d32a14986.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\brokernet\tpMDQ4PywPQzcvfRXV4ZglMEfSHxJ6.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\brokernet\pnotGSxdh5CXKZwArEdYL4V4nAwV2V.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\brokernet\2ORAPNk7URLRiqa3hnDm.exe
2ORAPNk7URLRiqa3hnDm.exe -p3429224301224079efb02d13ea4e8140761d094e
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\brokernet\ZIH4iAr0ojQw4M3djezMReyfj8zlug.vbe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\brokernet\ZFrWPPoku5WymlXeSwM2KOsbP5Cd03.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\brokernet\reviewruntime.exe
"C:\brokernet\reviewruntime.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1096

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\OfficeClickToRun.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1056

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\brokernet\sppsvc.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1244

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\odt\svchost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1484

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\svchost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1696

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\PerfLogs\svchost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:1948

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\odt\svchost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:2236

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\setup\fontdrvhost.exe'" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:2460

C:\ProgramData\Microsoft OneDrive\setup\fontdrvhost.exe
"C:\ProgramData\Microsoft OneDrive\setup\fontdrvhost.exe"
8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft OneDrive\setup\fontdrvhost.exe
MD5
e14e00f3928c30c1058722868732c8af

SHA1
440fcb1df423c4d99eb0824c35d5dec9f3a772d8

SHA256
3a84f5d279959b1de1e5eab23b22a0d2dd5b9d011fd0227171f30c97ecdcf712

SHA512
252af7dbe495fdebee9fd8d43039e33dd203f0ae7ccc8b4d8a0873d87c911954edbc5f2aecbc727176136c599f6d63cf764c09cbba5ee6c035e8cfa6e5036fe3

Download Submit
C:\ProgramData\Microsoft OneDrive\setup\fontdrvhost.exe
MD5
e14e00f3928c30c1058722868732c8af

SHA1
440fcb1df423c4d99eb0824c35d5dec9f3a772d8

SHA256
3a84f5d279959b1de1e5eab23b22a0d2dd5b9d011fd0227171f30c97ecdcf712

SHA512
252af7dbe495fdebee9fd8d43039e33dd203f0ae7ccc8b4d8a0873d87c911954edbc5f2aecbc727176136c599f6d63cf764c09cbba5ee6c035e8cfa6e5036fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4896941199c425341b6ecf55955d96af

SHA1
0c8cb4c4042e61ccaa5feae3c28355d4caa3f8ed

SHA256
34b322cfe12128ee16ec94433cb4753ef65872067e9cc66ad5165d26aa0a54ce

SHA512
45d6d8f4c08d7bf04c5463b75c247ce29d9e860f069c99fe55c55a46be8dc040c6ca4c7031204feceef500cb2bf817e5fe814c6d5a4e92f7d057445de4c5000d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4896941199c425341b6ecf55955d96af

SHA1
0c8cb4c4042e61ccaa5feae3c28355d4caa3f8ed

SHA256
34b322cfe12128ee16ec94433cb4753ef65872067e9cc66ad5165d26aa0a54ce

SHA512
45d6d8f4c08d7bf04c5463b75c247ce29d9e860f069c99fe55c55a46be8dc040c6ca4c7031204feceef500cb2bf817e5fe814c6d5a4e92f7d057445de4c5000d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4ef33fd64d7b829fb5ae0d9f2c9f26c7

SHA1
cdf85d29a8566aebfe4ca8e2d867506af91dadb9

SHA256
283aca3ad9a9d3bfb347210f8a545a283187ba3137e711e18ff4808fb397eb7e

SHA512
f2f405f480441cdda64fba084fada1127dbf6882f2ffb30cbc9c1bff5e2838176c39c7bdc816aa54dce2bd6e22de00ac75ee38d3dc88b4f4470d0875c2b23aa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4ef33fd64d7b829fb5ae0d9f2c9f26c7

SHA1
cdf85d29a8566aebfe4ca8e2d867506af91dadb9

SHA256
283aca3ad9a9d3bfb347210f8a545a283187ba3137e711e18ff4808fb397eb7e

SHA512
f2f405f480441cdda64fba084fada1127dbf6882f2ffb30cbc9c1bff5e2838176c39c7bdc816aa54dce2bd6e22de00ac75ee38d3dc88b4f4470d0875c2b23aa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4ef33fd64d7b829fb5ae0d9f2c9f26c7

SHA1
cdf85d29a8566aebfe4ca8e2d867506af91dadb9

SHA256
283aca3ad9a9d3bfb347210f8a545a283187ba3137e711e18ff4808fb397eb7e

SHA512
f2f405f480441cdda64fba084fada1127dbf6882f2ffb30cbc9c1bff5e2838176c39c7bdc816aa54dce2bd6e22de00ac75ee38d3dc88b4f4470d0875c2b23aa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4ef33fd64d7b829fb5ae0d9f2c9f26c7

SHA1
cdf85d29a8566aebfe4ca8e2d867506af91dadb9

SHA256
283aca3ad9a9d3bfb347210f8a545a283187ba3137e711e18ff4808fb397eb7e

SHA512
f2f405f480441cdda64fba084fada1127dbf6882f2ffb30cbc9c1bff5e2838176c39c7bdc816aa54dce2bd6e22de00ac75ee38d3dc88b4f4470d0875c2b23aa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
199c219314d8bbec42420d2673ed49a0

SHA1
0145e0159bd9be61f1c969b673c4fab3dd4d6399

SHA256
5ed44f38924f05fd2b3bb2da41c4c30d4ff5ec397b2bd85bbe644deb4ef3d29f

SHA512
00ea0c7541b9916011ff2b89937d5f208b387959740f1dcf0e26fe53168c1043f3e04bcf86e3c1806996f070f462520db0306a8bfa5da24e440f5b1b5a344a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
457d9b360d2f6f705a1a39dcf57ef624

SHA1
0329eb96e871081fc97a364e546318bee78e9eec

SHA256
9b9d2e0296ea048de978a4dcdeea7789aef6506966c480ee1c9c8a9172003680

SHA512
71b28c7543831027fe2f960eae0197d8a375f8c3f1a3652eeafccbdc70575beb6e62f0462d3a218308edf36002488ca48fcfc91c8e560485f39db978eca9647c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
40ce60e8fa87c21ab23e41300d39f22a

SHA1
ce0bf688d7d0885654bf66e55b353e25b8c16042

SHA256
62f72a5e12226b4fa86b5b0007ffa3f58c048498d453a666fd4f464ab80b9e1b

SHA512
c72aa0c293fd51fa91cad00f5b1e1150013ae0bb41c02ed13ebb5c7914b85b604bcd55f1626f79d916f9d05be9c27348ec9bc08ad4e17527a79a74e9534af369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
61bfe3aaca0d23041a661c008ef71909

SHA1
b80d05db288ac2dbd48047b05346e6344fcb8bd6

SHA256
ec1b188835fbd5a042a81b01c0305a70771620eda4b2d24fad515b5055b3aca6

SHA512
497234296d9bf943e004e3f55b8158826d337dad1b9b2663856ca795746ccdf5e411cf10b34ada13851005cf84d7c0e09c4494c316ab9598ead38f0cba02b3e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6b52ddca61ba902cc3b72aaa4567b5dd

SHA1
688801fcb8b511ae076d5f5e32f5361f320fa5a8

SHA256
b3ad91095a5475d06b5bbe248bb1438896fc17f4bd1d60d4fac84a0f0773ecda

SHA512
18bb345b525ff90d992d2bb87a66e2a9c34f2ac1707151c72bfe6c7c782a19e3155cb9a3451115247ffaff1a288f56f738334c2739ce25edbe5aafc767d042ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
58c3e6a31c41a2ece99c85f1c1e7f6f5

SHA1
0a82710aa6ab5e47dd6900ed82c4bef0b43f7512

SHA256
a93d01a87c1330b0e3ad8f6819f2f4c5f17454d171b7f62eed9d9bf3aa96f23a

SHA512
813bf48864f0337a9f866ce7528625d39307236f3649aa0c78d4b367b3d49edde77ab826a826c83906c1d598109f8f2c6c7dd3b47062ec29fef352910e6641b0

Download Submit
C:\brokernet\2ORAPNk7URLRiqa3hnDm.exe
MD5
fbf43fe73c7e0d8dcf50dd57096e6b3a

SHA1
6c379a589e9d2e8f9e34d37c2d5a8137747cdc6f

SHA256
3f5110cdc23b3b8f41f8ed7a89be00734d83976b048dbea6fe4c630da07a9a7c

SHA512
7a9b89bd21e003d848d0e10c2e7efffa6280f41f7a1a9bcb15725f8b97100829c544d7bd4220681508ca4a803a92e7a1e15a983c3384d21a85a47ca3621de396

Download Submit
C:\brokernet\2ORAPNk7URLRiqa3hnDm.exe
MD5
fbf43fe73c7e0d8dcf50dd57096e6b3a

SHA1
6c379a589e9d2e8f9e34d37c2d5a8137747cdc6f

SHA256
3f5110cdc23b3b8f41f8ed7a89be00734d83976b048dbea6fe4c630da07a9a7c

SHA512
7a9b89bd21e003d848d0e10c2e7efffa6280f41f7a1a9bcb15725f8b97100829c544d7bd4220681508ca4a803a92e7a1e15a983c3384d21a85a47ca3621de396

Download Submit
C:\brokernet\ZFrWPPoku5WymlXeSwM2KOsbP5Cd03.bat
MD5
15962dfcba62cc2271f937dc297cb0ce

SHA1
dca931246f33ac7b5a6ea4508d6503773a03c189

SHA256
30574fa5d4466b7ae216adc5098a9b6ad89519f83a772b940032dcc45d8cd773

SHA512
8a1637fe9be192a17200bf4ad2971b0fb863aa7947a21e5cee642ff92897decedffd7fbcf0dcbafdbab1752c6304ac4cebd29bea753bcc1e41b7c4ef96f0887a

Download Submit
C:\brokernet\ZIH4iAr0ojQw4M3djezMReyfj8zlug.vbe
MD5
2f3f88038897bc8c67f5d05f264b59b3

SHA1
78e439754137db0c02b773b6e1bee167458aa5f3

SHA256
98f25c4a48c835a8ad6559082e6115924b2ffd2ad96e3917793cc07ae5b7d913

SHA512
3220ce2b65362def3917f6224c5c8284adab791a584ef0d007930034d47fa41068394dbeb947b98913aa9619a6cba195d087d1e6ac34c5c691e00a3e71b39810

Download Submit
C:\brokernet\pnotGSxdh5CXKZwArEdYL4V4nAwV2V.bat
MD5
0f4fbe7d6ac99b88cd9478587f5ed80d

SHA1
ec7964a07c22a5e60927da0268e1884186849722

SHA256
7b875b89c286b6d3c35e38360ec5bfdc6525b860ab87ae3f7ff0f9d6d79e791f

SHA512
a9386b91da6e9e381cf3075f08b9b04fcee80a8db25d4472729b92d7948e0b763135769ba1dd7ed7165b824607438a59ed69a28ecfdb1bb11cd5e0b1c3ad4645

Download Submit
C:\brokernet\reviewruntime.exe
MD5
e14e00f3928c30c1058722868732c8af

SHA1
440fcb1df423c4d99eb0824c35d5dec9f3a772d8

SHA256
3a84f5d279959b1de1e5eab23b22a0d2dd5b9d011fd0227171f30c97ecdcf712

SHA512
252af7dbe495fdebee9fd8d43039e33dd203f0ae7ccc8b4d8a0873d87c911954edbc5f2aecbc727176136c599f6d63cf764c09cbba5ee6c035e8cfa6e5036fe3

Download Submit
C:\brokernet\reviewruntime.exe
MD5
e14e00f3928c30c1058722868732c8af

SHA1
440fcb1df423c4d99eb0824c35d5dec9f3a772d8

SHA256
3a84f5d279959b1de1e5eab23b22a0d2dd5b9d011fd0227171f30c97ecdcf712

SHA512
252af7dbe495fdebee9fd8d43039e33dd203f0ae7ccc8b4d8a0873d87c911954edbc5f2aecbc727176136c599f6d63cf764c09cbba5ee6c035e8cfa6e5036fe3

Download Submit
C:\brokernet\tpMDQ4PywPQzcvfRXV4ZglMEfSHxJ6.vbe
MD5
f9e803a994c4758562f5e667be1ca87f

SHA1
9b8af281ac195dbddb570242cd8998862637bd05

SHA256
4a7f8394b61aff5cd341d428a5e94f1bd8f09d194c7d30fc4033d320b821f466

SHA512
4999eb3af7020c801bbcc10b47a37872bda46b5868baba79755dddd9af3d825f96d6d5e372780c38eb1c2d567c4e01b105229cd36d06c8a6c965ca9539fa1320

Download Submit
memory/1056-29-0x0000000000000000-mapping.dmp

Download
memory/1096-28-0x0000000000000000-mapping.dmp

Download
memory/1244-30-0x0000000000000000-mapping.dmp

Download
memory/1468-73-0x0000000000000000-mapping.dmp

Download
memory/1468-78-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/1484-31-0x0000000000000000-mapping.dmp

Download
memory/1696-32-0x0000000000000000-mapping.dmp

Download
memory/1860-65-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/1860-63-0x0000000000000000-mapping.dmp

Download
memory/1948-33-0x0000000000000000-mapping.dmp

Download
memory/2236-34-0x0000000000000000-mapping.dmp

Download
memory/2300-81-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-77-0x0000000000000000-mapping.dmp

Download
memory/2400-47-0x0000026473310000-0x0000026473311000-memory.dmp

Filesize
4KB

Download
memory/2400-46-0x00000264727C0000-0x00000264727C1000-memory.dmp

Filesize
4KB

Download
memory/2400-45-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-44-0x0000000000000000-mapping.dmp

Download
memory/2460-35-0x0000000000000000-mapping.dmp

Download
memory/2516-43-0x000001B19A530000-0x000001B19A531000-memory.dmp

Filesize
4KB

Download
memory/2516-39-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-36-0x0000000000000000-mapping.dmp

Download
memory/2928-48-0x0000000000000000-mapping.dmp

Download
memory/2928-53-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/3084-13-0x0000000000000000-mapping.dmp

Download
memory/3128-57-0x0000000000000000-mapping.dmp

Download
memory/3128-62-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/3304-14-0x0000000000000000-mapping.dmp

Download
memory/3512-20-0x0000000000000000-mapping.dmp

Download
memory/3536-17-0x0000000000000000-mapping.dmp

Download
memory/3560-2-0x0000000000000000-mapping.dmp

Download
memory/3836-59-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/3836-54-0x0000000000000000-mapping.dmp

Download
memory/3848-21-0x0000000000000000-mapping.dmp

Download
memory/3848-24-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/3848-25-0x0000029AA1630000-0x0000029AA1631000-memory.dmp

Filesize
4KB

Download
memory/3848-27-0x0000029AA1BE0000-0x0000029AA1BE1000-memory.dmp

Filesize
4KB

Download
memory/3936-60-0x0000000000000000-mapping.dmp

Download
memory/3936-64-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/4344-80-0x0000000000000000-mapping.dmp

Download
memory/4344-84-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/4400-68-0x0000000000000000-mapping.dmp

Download
memory/4400-72-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/4496-56-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/4496-50-0x0000000000000000-mapping.dmp

Download
memory/4580-55-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/4580-49-0x0000000000000000-mapping.dmp

Download
memory/4644-3-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/4708-58-0x00007FFBDF060000-0x00007FFBDFA4C000-memory.dmp

Filesize
9.9MB

Download
memory/4708-51-0x0000000000000000-mapping.dmp

Download