remcos | b19df7d566b7e9fa96062f6d99f6b2218af7a702024c3f182fba10739a2516af

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	svchost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3396 svchost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3396	svchost.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3396 set thread context of 736 3396 svchost.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3536 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

228 timeout.exe

description	pid	process	target process
PID 3396 set thread context of 736	3396	svchost.exe	AddInProcess32.exe

pid	process
3536	schtasks.exe

pid	process
228	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exesvchost.exepowershell.exe

pid	process
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
1668	powershell.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
1668	powershell.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe
3396	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

svchost.exe

pid process

3396 svchost.exe

pid	process
3396	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exesvchost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
Token: SeDebugPrivilege	3396	svchost.exe
Token: SeDebugPrivilege	3396	svchost.exe
Token: SeLoadDriverPrivilege	3396	svchost.exe
Token: SeDebugPrivilege	1668	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

736 AddInProcess32.exe

pid	process
736	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 4120 wrote to memory of 1860	4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe	cmd.exe
PID 4120 wrote to memory of 1860	4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe	cmd.exe
PID 4120 wrote to memory of 2648	4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe	cmd.exe
PID 4120 wrote to memory of 2648	4120	4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe	cmd.exe
PID 2648 wrote to memory of 228	2648	cmd.exe	timeout.exe
PID 2648 wrote to memory of 228	2648	cmd.exe	timeout.exe
PID 1860 wrote to memory of 3536	1860	cmd.exe	schtasks.exe
PID 1860 wrote to memory of 3536	1860	cmd.exe	schtasks.exe
PID 2648 wrote to memory of 3396	2648	cmd.exe	svchost.exe
PID 2648 wrote to memory of 3396	2648	cmd.exe	svchost.exe
PID 3396 wrote to memory of 1668	3396	svchost.exe	powershell.exe
PID 3396 wrote to memory of 1668	3396	svchost.exe	powershell.exe
PID 3396 wrote to memory of 4172	3396	svchost.exe	aspnet_wp.exe
PID 3396 wrote to memory of 4172	3396	svchost.exe	aspnet_wp.exe
PID 3396 wrote to memory of 4188	3396	svchost.exe	aspnet_regsql.exe
PID 3396 wrote to memory of 4188	3396	svchost.exe	aspnet_regsql.exe
PID 3396 wrote to memory of 4412	3396	svchost.exe	ilasm.exe
PID 3396 wrote to memory of 4412	3396	svchost.exe	ilasm.exe
PID 3396 wrote to memory of 4660	3396	svchost.exe	EdmGen.exe
PID 3396 wrote to memory of 4660	3396	svchost.exe	EdmGen.exe
PID 3396 wrote to memory of 3840	3396	svchost.exe	vbc.exe
PID 3396 wrote to memory of 3840	3396	svchost.exe	vbc.exe
PID 3396 wrote to memory of 4136	3396	svchost.exe	AddInUtil.exe
PID 3396 wrote to memory of 4136	3396	svchost.exe	AddInUtil.exe
PID 3396 wrote to memory of 384	3396	svchost.exe	mscorsvw.exe
PID 3396 wrote to memory of 384	3396	svchost.exe	mscorsvw.exe
PID 3396 wrote to memory of 2236	3396	svchost.exe	cvtres.exe
PID 3396 wrote to memory of 2236	3396	svchost.exe	cvtres.exe
PID 3396 wrote to memory of 2068	3396	svchost.exe	aspnet_regbrowsers.exe
PID 3396 wrote to memory of 2068	3396	svchost.exe	aspnet_regbrowsers.exe
PID 3396 wrote to memory of 3340	3396	svchost.exe	RegSvcs.exe
PID 3396 wrote to memory of 3340	3396	svchost.exe	RegSvcs.exe
PID 3396 wrote to memory of 4012	3396	svchost.exe	AppLaunch.exe
PID 3396 wrote to memory of 4012	3396	svchost.exe	AppLaunch.exe
PID 3396 wrote to memory of 3972	3396	svchost.exe	Microsoft.Workflow.Compiler.exe
PID 3396 wrote to memory of 3972	3396	svchost.exe	Microsoft.Workflow.Compiler.exe
PID 3396 wrote to memory of 5044	3396	svchost.exe	dfsvc.exe
PID 3396 wrote to memory of 5044	3396	svchost.exe	dfsvc.exe
PID 3396 wrote to memory of 1352	3396	svchost.exe	MSBuild.exe
PID 3396 wrote to memory of 1352	3396	svchost.exe	MSBuild.exe
PID 3396 wrote to memory of 2748	3396	svchost.exe	ServiceModelReg.exe
PID 3396 wrote to memory of 2748	3396	svchost.exe	ServiceModelReg.exe
PID 3396 wrote to memory of 4824	3396	svchost.exe	AddInProcess.exe
PID 3396 wrote to memory of 4824	3396	svchost.exe	AddInProcess.exe
PID 3396 wrote to memory of 4124	3396	svchost.exe	DataSvcUtil.exe
PID 3396 wrote to memory of 4124	3396	svchost.exe	DataSvcUtil.exe
PID 3396 wrote to memory of 1324	3396	svchost.exe	ComSvcConfig.exe
PID 3396 wrote to memory of 1324	3396	svchost.exe	ComSvcConfig.exe
PID 3396 wrote to memory of 2512	3396	svchost.exe	InstallUtil.exe
PID 3396 wrote to memory of 2512	3396	svchost.exe	InstallUtil.exe
PID 3396 wrote to memory of 1072	3396	svchost.exe	aspnet_regiis.exe
PID 3396 wrote to memory of 1072	3396	svchost.exe	aspnet_regiis.exe
PID 3396 wrote to memory of 3768	3396	svchost.exe	SMSvcHost.exe
PID 3396 wrote to memory of 3768	3396	svchost.exe	SMSvcHost.exe
PID 3396 wrote to memory of 1876	3396	svchost.exe	ngentask.exe
PID 3396 wrote to memory of 1876	3396	svchost.exe	ngentask.exe
PID 3396 wrote to memory of 1972	3396	svchost.exe	WsatConfig.exe
PID 3396 wrote to memory of 1972	3396	svchost.exe	WsatConfig.exe
PID 3396 wrote to memory of 3028	3396	svchost.exe	CasPol.exe
PID 3396 wrote to memory of 3028	3396	svchost.exe	CasPol.exe
PID 3396 wrote to memory of 632	3396	svchost.exe	aspnet_state.exe
PID 3396 wrote to memory of 632	3396	svchost.exe	aspnet_state.exe
PID 3396 wrote to memory of 736	3396	svchost.exe	AddInProcess32.exe
PID 3396 wrote to memory of 736	3396	svchost.exe	AddInProcess32.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
"C:\Users\Admin\AppData\Local\Temp\4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp764E.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:228

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Sets service image path in registry
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
4⤵
PID:4172

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
4⤵
PID:4188

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
4⤵
PID:4412

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
4⤵
PID:4660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
4⤵
PID:3840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
4⤵
PID:4136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
4⤵
PID:384

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
4⤵
PID:3340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
4⤵
PID:4012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
4⤵
PID:2068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
4⤵
PID:2236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
4⤵
PID:3972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
4⤵
PID:5044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
4⤵
PID:1352

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
4⤵
PID:4824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
4⤵
PID:2748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
4⤵
PID:4124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
4⤵
PID:1324

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
4⤵
PID:2512

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
4⤵
PID:1072

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
4⤵
PID:3768

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
4⤵
PID:1876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
4⤵
PID:1972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
4⤵
PID:3028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
4⤵
PID:632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

Scripting

T1064

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion