blacknet | b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

Analysis

max time kernel
67s
max time network
122s
platform
windows10_x64
resource
win10v20210410
submitted
01-08-2021 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
Size

117KB
MD5

b72d429d1d690165c7b0de4a074c4a58
SHA1

f0704d227482a80f2f90dab79ed4acd9770fe565
SHA256

b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae
SHA512

f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Score

10^/10

blacknet bot persistence trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

http://furyx.de/panel

Mutex

BN[c1916af6f3a468e5b6f5c7f6b9c78982]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
true

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000200000001ab53-395.dat	family_blacknet
behavioral2/files/0x000200000001ab53-394.dat	family_blacknet

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x000200000001ab53-395.dat	disable_win_def
behavioral2/files/0x000200000001ab53-394.dat	disable_win_def

Executes dropped EXE 1 IoCs

pid	Process
5788	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Windows\\Microsoft\\MyClient\\WindowsUpdate.exe"	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
File opened for modification	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
File created	C:\Windows\Microsoft\MyClient\svchosts.exe	WindowsUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3828	5788	WerFault.exe	105

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5816	schtasks.exe
4868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
2852	powershell.exe
2852	powershell.exe
2852	powershell.exe
3224	powershell.exe
3224	powershell.exe
3972	powershell.exe
3972	powershell.exe
3868	powershell.exe
3868	powershell.exe
3224	powershell.exe
3152	powershell.exe
3152	powershell.exe
4128	powershell.exe
4128	powershell.exe
4164	powershell.exe
4164	powershell.exe
4240	powershell.exe
4240	powershell.exe
4308	powershell.exe
4308	powershell.exe
4436	powershell.exe
4436	powershell.exe
4380	powershell.exe
4380	powershell.exe
4556	powershell.exe
4556	powershell.exe
4656	powershell.exe
4656	powershell.exe
3224	powershell.exe
3972	powershell.exe
3868	powershell.exe
3152	powershell.exe
4164	powershell.exe
4128	powershell.exe
4240	powershell.exe
4308	powershell.exe
4436	powershell.exe
4380	powershell.exe
4556	powershell.exe
4656	powershell.exe
3972	powershell.exe
3972	powershell.exe
3868	powershell.exe
3868	powershell.exe
3152	powershell.exe
3152	powershell.exe
4164	powershell.exe
4128	powershell.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeIncreaseQuotaPrivilege	2852	powershell.exe
Token: SeSecurityPrivilege	2852	powershell.exe
Token: SeTakeOwnershipPrivilege	2852	powershell.exe
Token: SeLoadDriverPrivilege	2852	powershell.exe
Token: SeSystemProfilePrivilege	2852	powershell.exe
Token: SeSystemtimePrivilege	2852	powershell.exe
Token: SeProfSingleProcessPrivilege	2852	powershell.exe
Token: SeIncBasePriorityPrivilege	2852	powershell.exe
Token: SeCreatePagefilePrivilege	2852	powershell.exe
Token: SeBackupPrivilege	2852	powershell.exe
Token: SeRestorePrivilege	2852	powershell.exe
Token: SeShutdownPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeSystemEnvironmentPrivilege	2852	powershell.exe
Token: SeRemoteShutdownPrivilege	2852	powershell.exe
Token: SeUndockPrivilege	2852	powershell.exe
Token: SeManageVolumePrivilege	2852	powershell.exe
Token: 33	2852	powershell.exe
Token: 34	2852	powershell.exe
Token: 35	2852	powershell.exe
Token: 36	2852	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	5788	WindowsUpdate.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeIncreaseQuotaPrivilege	3224	powershell.exe
Token: SeSecurityPrivilege	3224	powershell.exe
Token: SeTakeOwnershipPrivilege	3224	powershell.exe
Token: SeLoadDriverPrivilege	3224	powershell.exe
Token: SeSystemProfilePrivilege	3224	powershell.exe
Token: SeSystemtimePrivilege	3224	powershell.exe
Token: SeProfSingleProcessPrivilege	3224	powershell.exe
Token: SeIncBasePriorityPrivilege	3224	powershell.exe
Token: SeCreatePagefilePrivilege	3224	powershell.exe
Token: SeBackupPrivilege	3224	powershell.exe
Token: SeRestorePrivilege	3224	powershell.exe
Token: SeShutdownPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeSystemEnvironmentPrivilege	3224	powershell.exe
Token: SeRemoteShutdownPrivilege	3224	powershell.exe
Token: SeUndockPrivilege	3224	powershell.exe
Token: SeManageVolumePrivilege	3224	powershell.exe
Token: 33	3224	powershell.exe
Token: 34	3224	powershell.exe
Token: 35	3224	powershell.exe
Token: 36	3224	powershell.exe
Token: SeIncreaseQuotaPrivilege	3972	powershell.exe
Token: SeSecurityPrivilege	3972	powershell.exe
Token: SeTakeOwnershipPrivilege	3972	powershell.exe
Token: SeLoadDriverPrivilege	3972	powershell.exe
Token: SeSystemProfilePrivilege	3972	powershell.exe
Token: SeSystemtimePrivilege	3972	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
5788	WindowsUpdate.exe
5788	WindowsUpdate.exe
5788	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 2852	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	76
PID 3172 wrote to memory of 2852	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	76
PID 3172 wrote to memory of 3224	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	79
PID 3172 wrote to memory of 3224	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	79
PID 3172 wrote to memory of 3972	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	81
PID 3172 wrote to memory of 3972	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	81
PID 3172 wrote to memory of 3868	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	85
PID 3172 wrote to memory of 3868	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	85
PID 3172 wrote to memory of 3152	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	82
PID 3172 wrote to memory of 3152	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	82
PID 3172 wrote to memory of 4128	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	87
PID 3172 wrote to memory of 4128	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	87
PID 3172 wrote to memory of 4164	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	88
PID 3172 wrote to memory of 4164	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	88
PID 3172 wrote to memory of 4240	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	90
PID 3172 wrote to memory of 4240	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	90
PID 3172 wrote to memory of 4308	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	91
PID 3172 wrote to memory of 4308	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	91
PID 3172 wrote to memory of 4380	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	93
PID 3172 wrote to memory of 4380	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	93
PID 3172 wrote to memory of 4436	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	94
PID 3172 wrote to memory of 4436	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	94
PID 3172 wrote to memory of 4556	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	98
PID 3172 wrote to memory of 4556	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	98
PID 3172 wrote to memory of 4656	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	101
PID 3172 wrote to memory of 4656	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	101
PID 3172 wrote to memory of 4800	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	103
PID 3172 wrote to memory of 4800	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	103
PID 3172 wrote to memory of 5788	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	105
PID 3172 wrote to memory of 5788	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	105
PID 3172 wrote to memory of 5816	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	106
PID 3172 wrote to memory of 5816	3172	b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe	106
PID 5788 wrote to memory of 4668	5788	WindowsUpdate.exe	108
PID 5788 wrote to memory of 4668	5788	WindowsUpdate.exe	108
PID 5788 wrote to memory of 2548	5788	WindowsUpdate.exe	110
PID 5788 wrote to memory of 2548	5788	WindowsUpdate.exe	110
PID 5788 wrote to memory of 5212	5788	WindowsUpdate.exe	112
PID 5788 wrote to memory of 5212	5788	WindowsUpdate.exe	112
PID 5788 wrote to memory of 5320	5788	WindowsUpdate.exe	114
PID 5788 wrote to memory of 5320	5788	WindowsUpdate.exe	114
PID 5788 wrote to memory of 5148	5788	WindowsUpdate.exe	119
PID 5788 wrote to memory of 5148	5788	WindowsUpdate.exe	119
PID 5788 wrote to memory of 5132	5788	WindowsUpdate.exe	116
PID 5788 wrote to memory of 5132	5788	WindowsUpdate.exe	116
PID 5788 wrote to memory of 5504	5788	WindowsUpdate.exe	120
PID 5788 wrote to memory of 5504	5788	WindowsUpdate.exe	120
PID 5788 wrote to memory of 5684	5788	WindowsUpdate.exe	122
PID 5788 wrote to memory of 5684	5788	WindowsUpdate.exe	122
PID 5788 wrote to memory of 5828	5788	WindowsUpdate.exe	124
PID 5788 wrote to memory of 5828	5788	WindowsUpdate.exe	124
PID 5788 wrote to memory of 5948	5788	WindowsUpdate.exe	126
PID 5788 wrote to memory of 5948	5788	WindowsUpdate.exe	126
PID 5788 wrote to memory of 4664	5788	WindowsUpdate.exe	128
PID 5788 wrote to memory of 4664	5788	WindowsUpdate.exe	128
PID 5788 wrote to memory of 5612	5788	WindowsUpdate.exe	130
PID 5788 wrote to memory of 5612	5788	WindowsUpdate.exe	130
PID 5788 wrote to memory of 4532	5788	WindowsUpdate.exe	132
PID 5788 wrote to memory of 4532	5788	WindowsUpdate.exe	132
PID 5788 wrote to memory of 6060	5788	WindowsUpdate.exe	134
PID 5788 wrote to memory of 6060	5788	WindowsUpdate.exe	134
PID 5788 wrote to memory of 4868	5788	WindowsUpdate.exe	136
PID 5788 wrote to memory of 4868	5788	WindowsUpdate.exe	136

C:\Users\Admin\AppData\Local\Temp\b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe
"C:\Users\Admin\AppData\Local\Temp\b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /delete /tn "WindowsUpdate.exe" /f
  2⤵
  PID:4800
- C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
  "C:\Windows\Microsoft\MyClient\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:2548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:5212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:5320
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /delete /tn "WindowsUpdate.exe" /f
    3⤵
    PID:5132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:5148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:5504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:5684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:5828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:5948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:4664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:5612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:4532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:6060
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4868
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5788 -s 1700
    3⤵
    - Program crash
    PID:3828
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:5816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2852-124-0x000001D036C80000-0x000001D036C81000-memory.dmp

Filesize
4KB

Download
memory/2852-132-0x000001D036CB6000-0x000001D036CB8000-memory.dmp

Filesize
8KB

Download
memory/2852-130-0x000001D036CB0000-0x000001D036CB2000-memory.dmp

Filesize
8KB

Download
memory/2852-131-0x000001D036CB3000-0x000001D036CB5000-memory.dmp

Filesize
8KB

Download
memory/2852-127-0x000001D036E40000-0x000001D036E41000-memory.dmp

Filesize
4KB

Download
memory/3152-327-0x0000018657E46000-0x0000018657E48000-memory.dmp

Filesize
8KB

Download
memory/3152-235-0x0000018657E40000-0x0000018657E42000-memory.dmp

Filesize
8KB

Download
memory/3152-237-0x0000018657E43000-0x0000018657E45000-memory.dmp

Filesize
8KB

Download
memory/3172-117-0x000000001AEB3000-0x000000001AEB4000-memory.dmp

Filesize
4KB

Download
memory/3172-324-0x000000001F0FC000-0x000000001F101000-memory.dmp

Filesize
20KB

Download
memory/3172-328-0x000000001F0F3000-0x000000001F0F6000-memory.dmp

Filesize
12KB

Download
memory/3172-354-0x000000001F101000-0x000000001F106000-memory.dmp

Filesize
20KB

Download
memory/3172-114-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3172-118-0x000000001AEB2000-0x000000001AEB3000-memory.dmp

Filesize
4KB

Download
memory/3172-116-0x000000001AEB0000-0x000000001AEB2000-memory.dmp

Filesize
8KB

Download
memory/3172-357-0x000000001AEB8000-0x000000001AEBE000-memory.dmp

Filesize
24KB

Download
memory/3172-325-0x000000001F0F0000-0x000000001F0F3000-memory.dmp

Filesize
12KB

Download
memory/3172-368-0x000000001AEB8000-0x000000001AEBE000-memory.dmp

Filesize
24KB

Download
memory/3172-362-0x000000001AEB8000-0x000000001AEB9000-memory.dmp

Filesize
4KB

Download
memory/3172-293-0x000000001AEB5000-0x000000001AEB7000-memory.dmp

Filesize
8KB

Download
memory/3172-316-0x000000001AEB7000-0x000000001AEB8000-memory.dmp

Filesize
4KB

Download
memory/3172-317-0x000000001F0F6000-0x000000001F0F9000-memory.dmp

Filesize
12KB

Download
memory/3172-318-0x000000001AEB8000-0x000000001AEBA000-memory.dmp

Filesize
8KB

Download
memory/3172-320-0x000000001AEBA000-0x000000001AEBF000-memory.dmp

Filesize
20KB

Download
memory/3172-322-0x000000001F0F9000-0x000000001F0FC000-memory.dmp

Filesize
12KB

Download
memory/3224-287-0x00000212FDA86000-0x00000212FDA88000-memory.dmp

Filesize
8KB

Download
memory/3224-173-0x00000212FDA83000-0x00000212FDA85000-memory.dmp

Filesize
8KB

Download
memory/3224-618-0x00000212FDA88000-0x00000212FDA89000-memory.dmp

Filesize
4KB

Download
memory/3224-169-0x00000212FDA80000-0x00000212FDA82000-memory.dmp

Filesize
8KB

Download
memory/3868-221-0x00000295F5560000-0x00000295F5562000-memory.dmp

Filesize
8KB

Download
memory/3868-628-0x00000295F5568000-0x00000295F5569000-memory.dmp

Filesize
4KB

Download
memory/3868-234-0x00000295F5563000-0x00000295F5565000-memory.dmp

Filesize
8KB

Download
memory/3868-329-0x00000295F5566000-0x00000295F5568000-memory.dmp

Filesize
8KB

Download
memory/3972-214-0x00000219A1450000-0x00000219A1452000-memory.dmp

Filesize
8KB

Download
memory/3972-619-0x00000219A1458000-0x00000219A1459000-memory.dmp

Filesize
4KB

Download
memory/3972-218-0x00000219A1453000-0x00000219A1455000-memory.dmp

Filesize
8KB

Download
memory/3972-326-0x00000219A1456000-0x00000219A1458000-memory.dmp

Filesize
8KB

Download
memory/4128-240-0x00000183788D3000-0x00000183788D5000-memory.dmp

Filesize
8KB

Download
memory/4128-239-0x00000183788D0000-0x00000183788D2000-memory.dmp

Filesize
8KB

Download
memory/4128-319-0x00000183788D6000-0x00000183788D8000-memory.dmp

Filesize
8KB

Download
memory/4164-244-0x00000204E4613000-0x00000204E4615000-memory.dmp

Filesize
8KB

Download
memory/4164-321-0x00000204E4616000-0x00000204E4618000-memory.dmp

Filesize
8KB

Download
memory/4164-242-0x00000204E4610000-0x00000204E4612000-memory.dmp

Filesize
8KB

Download
memory/4240-245-0x000002E00E130000-0x000002E00E132000-memory.dmp

Filesize
8KB

Download
memory/4240-247-0x000002E00E133000-0x000002E00E135000-memory.dmp

Filesize
8KB

Download
memory/4240-323-0x000002E00E136000-0x000002E00E138000-memory.dmp

Filesize
8KB

Download
memory/4308-410-0x0000015CA6516000-0x0000015CA6518000-memory.dmp

Filesize
8KB

Download
memory/4308-249-0x0000015CA6510000-0x0000015CA6512000-memory.dmp

Filesize
8KB

Download
memory/4308-251-0x0000015CA6513000-0x0000015CA6515000-memory.dmp

Filesize
8KB

Download
memory/4380-256-0x0000021FFE603000-0x0000021FFE605000-memory.dmp

Filesize
8KB

Download
memory/4380-255-0x0000021FFE600000-0x0000021FFE602000-memory.dmp

Filesize
8KB

Download
memory/4380-509-0x0000021FFE606000-0x0000021FFE608000-memory.dmp

Filesize
8KB

Download
memory/4436-254-0x0000018AC39D3000-0x0000018AC39D5000-memory.dmp

Filesize
8KB

Download
memory/4436-253-0x0000018AC39D0000-0x0000018AC39D2000-memory.dmp

Filesize
8KB

Download
memory/4436-461-0x0000018AC39D6000-0x0000018AC39D8000-memory.dmp

Filesize
8KB

Download
memory/4556-230-0x000001981BF93000-0x000001981BF95000-memory.dmp

Filesize
8KB

Download
memory/4556-513-0x000001981BF96000-0x000001981BF98000-memory.dmp

Filesize
8KB

Download
memory/4556-224-0x000001981BF90000-0x000001981BF92000-memory.dmp

Filesize
8KB

Download
memory/4656-227-0x000001BC58B50000-0x000001BC58B52000-memory.dmp

Filesize
8KB

Download
memory/4656-523-0x000001BC58B56000-0x000001BC58B58000-memory.dmp

Filesize
8KB

Download
memory/4656-231-0x000001BC58B53000-0x000001BC58B55000-memory.dmp

Filesize
8KB

Download
memory/4668-617-0x00000212B9786000-0x00000212B9788000-memory.dmp

Filesize
8KB

Download
memory/4668-516-0x00000212B9780000-0x00000212B9782000-memory.dmp

Filesize
8KB

Download
memory/4668-519-0x00000212B9783000-0x00000212B9785000-memory.dmp

Filesize
8KB

Download
memory/5788-465-0x000000001B012000-0x000000001B013000-memory.dmp

Filesize
4KB

Download
memory/5788-459-0x000000001B013000-0x000000001B014000-memory.dmp

Filesize
4KB

Download
memory/5788-415-0x000000001B010000-0x000000001B012000-memory.dmp

Filesize
8KB

Download