umbral | addc8ce8d3585541532d9cd533c3da3e8d301b53fddd37f972051e3838da7abb

Analysis

max time kernel
120s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BoostLoader.exe
Size

51KB
MD5

57ea0794f42770a46a04654ba8182e94
SHA1

da89c0fba72bbc97070830e7c82eb5d756cd2870
SHA256

addc8ce8d3585541532d9cd533c3da3e8d301b53fddd37f972051e3838da7abb
SHA512

8143f50f8c049c9c8c038d82ab22b102ce55f2902fdd7e8f0aa82072a56348efd89c675e35b43e634611174f69f0c3b6eb4647987c9e96f56c95a7ea042fe53d
SSDEEP

768:rmry/329e5ew0AsnmYlB7Q/80svMIBhBshszXHj91eL6pucVB+1P09z5:d/Lew0Ak7QbvssCze5Pcz5

Score

10^/10

umbral evasion stealer themida trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1209556025984811048/FntoxASlrfqyFVYWHJOR6g3gwuEED0AVfbHu2PW_kbbNMm_xDWYzkGLyUDSsvwmC1scU

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/memory/1756-111-0x0000000000090000-0x000000000071A000-memory.dmp	family_umbral
behavioral1/memory/1756-112-0x0000000000090000-0x000000000071A000-memory.dmp	family_umbral
behavioral1/memory/1756-115-0x0000000000090000-0x000000000071A000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhostn.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhostn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	taskhostn.exe

Executes dropped EXE 3 IoCs

pid	Process
2968	vcredistj.exe
2840	conhost.exe
1756	taskhostn.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0006000000015ceb-83.dat	themida
behavioral1/files/0x0006000000015ceb-86.dat	themida
behavioral1/memory/1756-111-0x0000000000090000-0x000000000071A000-memory.dmp	themida
behavioral1/memory/1756-112-0x0000000000090000-0x000000000071A000-memory.dmp	themida
behavioral1/memory/1756-115-0x0000000000090000-0x000000000071A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1756	taskhostn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\vcredistj.exe	BoostLoader.exe
File created	C:\Windows\JavaTM_Platform_SE_binary.exe	vcredistj.exe
File created	C:\Windows\taskhostn.exe	vcredistj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 64 IoCs

evasion

pid	Process
1216	taskkill.exe
1048	taskkill.exe
2136	taskkill.exe
564	taskkill.exe
2828	taskkill.exe
2616	taskkill.exe
2824	taskkill.exe
1020	taskkill.exe
1952	taskkill.exe
1808	taskkill.exe
304	taskkill.exe
2160	taskkill.exe
912	taskkill.exe
1508	taskkill.exe
2564	taskkill.exe
776	taskkill.exe
1400	taskkill.exe
1240	taskkill.exe
2860	taskkill.exe
1616	taskkill.exe
1736	taskkill.exe
2912	taskkill.exe
2484	taskkill.exe
2296	taskkill.exe
912	taskkill.exe
1808	taskkill.exe
2648	taskkill.exe
1804	taskkill.exe
3064	taskkill.exe
2844	taskkill.exe
1372	taskkill.exe
2688	taskkill.exe
2976	taskkill.exe
1628	taskkill.exe
3020	taskkill.exe
1716	taskkill.exe
2828	taskkill.exe
2484	taskkill.exe
620	taskkill.exe
2332	taskkill.exe
1872	taskkill.exe
2448	taskkill.exe
2592	taskkill.exe
1396	taskkill.exe
892	taskkill.exe
2444	taskkill.exe
2424	taskkill.exe
2644	taskkill.exe
2800	taskkill.exe
2400	taskkill.exe
2268	taskkill.exe
556	taskkill.exe
1900	taskkill.exe
1564	taskkill.exe
1628	taskkill.exe
2904	taskkill.exe
1320	taskkill.exe
2788	taskkill.exe
664	taskkill.exe
3020	taskkill.exe
2192	taskkill.exe
2280	taskkill.exe
2548	taskkill.exe
1620	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TypedURLs	taskmgr.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 52003100000000005658197a100057696e646f7773003c0008000400efbeee3a851a5658197a2a0000008a020000000001000000000000000000000000000000570069006e0064006f0077007300000016000000	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a003100000000005558506e100054656d700000360008000400efbeee3a881a5558506e2a000000850e0000000001000000000000000000000000000000540065006d007000000014000000	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	taskmgr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	taskmgr.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	vcredistj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	BoostLoader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	BoostLoader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	BoostLoader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	vcredistj.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2212	BoostLoader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	840	conhost.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	784	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	312	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	2204	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	2720	conhost.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	1564	conhost.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	2800	taskkill.exe
Token: SeDebugPrivilege	1952	conhost.exe
Token: SeDebugPrivilege	1144	conhost.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	912	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	2560	taskkill.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe
2296	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2296	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2808	2212	BoostLoader.exe	29
PID 2212 wrote to memory of 2808	2212	BoostLoader.exe	29
PID 2212 wrote to memory of 2808	2212	BoostLoader.exe	29
PID 2212 wrote to memory of 2308	2212	BoostLoader.exe	35
PID 2212 wrote to memory of 2308	2212	BoostLoader.exe	35
PID 2212 wrote to memory of 2308	2212	BoostLoader.exe	35
PID 2212 wrote to memory of 2548	2212	BoostLoader.exe	31
PID 2212 wrote to memory of 2548	2212	BoostLoader.exe	31
PID 2212 wrote to memory of 2548	2212	BoostLoader.exe	31
PID 2212 wrote to memory of 2644	2212	BoostLoader.exe	32
PID 2212 wrote to memory of 2644	2212	BoostLoader.exe	32
PID 2212 wrote to memory of 2644	2212	BoostLoader.exe	32
PID 2212 wrote to memory of 2592	2212	BoostLoader.exe	36
PID 2212 wrote to memory of 2592	2212	BoostLoader.exe	36
PID 2212 wrote to memory of 2592	2212	BoostLoader.exe	36
PID 2212 wrote to memory of 2712	2212	BoostLoader.exe	38
PID 2212 wrote to memory of 2712	2212	BoostLoader.exe	38
PID 2212 wrote to memory of 2712	2212	BoostLoader.exe	38
PID 2212 wrote to memory of 2116	2212	BoostLoader.exe	39
PID 2212 wrote to memory of 2116	2212	BoostLoader.exe	39
PID 2212 wrote to memory of 2116	2212	BoostLoader.exe	39
PID 2212 wrote to memory of 2628	2212	BoostLoader.exe	40
PID 2212 wrote to memory of 2628	2212	BoostLoader.exe	40
PID 2212 wrote to memory of 2628	2212	BoostLoader.exe	40
PID 2212 wrote to memory of 2484	2212	BoostLoader.exe	44
PID 2212 wrote to memory of 2484	2212	BoostLoader.exe	44
PID 2212 wrote to memory of 2484	2212	BoostLoader.exe	44
PID 2212 wrote to memory of 2504	2212	BoostLoader.exe	45
PID 2212 wrote to memory of 2504	2212	BoostLoader.exe	45
PID 2212 wrote to memory of 2504	2212	BoostLoader.exe	45
PID 2212 wrote to memory of 2896	2212	BoostLoader.exe	48
PID 2212 wrote to memory of 2896	2212	BoostLoader.exe	48
PID 2212 wrote to memory of 2896	2212	BoostLoader.exe	48
PID 2212 wrote to memory of 912	2212	BoostLoader.exe	52
PID 2212 wrote to memory of 912	2212	BoostLoader.exe	52
PID 2212 wrote to memory of 912	2212	BoostLoader.exe	52
PID 2212 wrote to memory of 1776	2212	BoostLoader.exe	54
PID 2212 wrote to memory of 1776	2212	BoostLoader.exe	54
PID 2212 wrote to memory of 1776	2212	BoostLoader.exe	54
PID 2212 wrote to memory of 448	2212	BoostLoader.exe	56
PID 2212 wrote to memory of 448	2212	BoostLoader.exe	56
PID 2212 wrote to memory of 448	2212	BoostLoader.exe	56
PID 2212 wrote to memory of 2384	2212	BoostLoader.exe	58
PID 2212 wrote to memory of 2384	2212	BoostLoader.exe	58
PID 2212 wrote to memory of 2384	2212	BoostLoader.exe	58
PID 2212 wrote to memory of 828	2212	BoostLoader.exe	60
PID 2212 wrote to memory of 828	2212	BoostLoader.exe	60
PID 2212 wrote to memory of 828	2212	BoostLoader.exe	60
PID 2212 wrote to memory of 1400	2212	BoostLoader.exe	62
PID 2212 wrote to memory of 1400	2212	BoostLoader.exe	62
PID 2212 wrote to memory of 1400	2212	BoostLoader.exe	62
PID 2212 wrote to memory of 1808	2212	BoostLoader.exe	63
PID 2212 wrote to memory of 1808	2212	BoostLoader.exe	63
PID 2212 wrote to memory of 1808	2212	BoostLoader.exe	63
PID 2212 wrote to memory of 1604	2212	BoostLoader.exe	117
PID 2212 wrote to memory of 1604	2212	BoostLoader.exe	117
PID 2212 wrote to memory of 1604	2212	BoostLoader.exe	117
PID 2212 wrote to memory of 1900	2212	BoostLoader.exe	69
PID 2212 wrote to memory of 1900	2212	BoostLoader.exe	69
PID 2212 wrote to memory of 1900	2212	BoostLoader.exe	69
PID 2212 wrote to memory of 2408	2212	BoostLoader.exe	67
PID 2212 wrote to memory of 2408	2212	BoostLoader.exe	67
PID 2212 wrote to memory of 2408	2212	BoostLoader.exe	67
PID 2212 wrote to memory of 2968	2212	BoostLoader.exe	72

C:\Users\Admin\AppData\Local\Temp\BoostLoader.exe
"C:\Users\Admin\AppData\Local\Temp\BoostLoader.exe"
1⤵
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2808
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Kills process with taskkill
  PID:1808
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  PID:1604
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\vcredistj.exe
  "C:\Windows\vcredistj.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies system certificate store
  PID:2968
- - C:\Windows\JavaTM_Platform_SE_binary.exe
    "C:\Windows\JavaTM_Platform_SE_binary.exe"
    3⤵
    PID:2840
- - C:\Windows\taskhostn.exe
    "C:\Windows\taskhostn.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1756
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2476
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  PID:3020
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Kills process with taskkill
  PID:2800
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  PID:840
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1428
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:312
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  PID:1240
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  PID:2988
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  PID:2648
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  PID:2720
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Kills process with taskkill
  PID:1564
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  PID:1996
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  PID:1324
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Kills process with taskkill
  PID:912
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  PID:1144
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  PID:1952
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  PID:2600
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  PID:1584
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  PID:2576
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  PID:2328
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  PID:1768
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  PID:1712
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Kills process with taskkill
  PID:2484
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2788
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  PID:2828
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Kills process with taskkill
  PID:2400
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Kills process with taskkill
  PID:620
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  PID:2124
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  PID:1716
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  PID:1224
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  PID:2860
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:420
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:912
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  PID:1400
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1064
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  PID:1508
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  PID:664
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  PID:2568
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  PID:2460
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2584
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  PID:3020
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  PID:2328
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Kills process with taskkill
  PID:2332
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  PID:1592
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  PID:1684
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Kills process with taskkill
  PID:304
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  PID:2676
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  PID:2424
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  PID:1148
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Kills process with taskkill
  PID:2828
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1872
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  PID:1372
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  PID:312
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  PID:2252
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  PID:2616
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  PID:956
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  PID:2932
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  PID:2836
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  PID:2556
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  PID:2312
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  PID:2772
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  PID:848
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  PID:2788
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  PID:2192
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  PID:1020
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2400
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  PID:2220
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  PID:1592
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  PID:2596
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  PID:1656
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Kills process with taskkill
  PID:1628
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  PID:1012
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Kills process with taskkill
  PID:1216
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  PID:1748
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  PID:2224
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  PID:956
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2268
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  PID:2448
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  PID:1204
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  PID:2128
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  PID:2688
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  PID:2160
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Kills process with taskkill
  PID:2904
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  PID:2572
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  PID:1048
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Kills process with taskkill
  PID:2976
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:3064
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  PID:2824
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Kills process with taskkill
  PID:2296
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Kills process with taskkill
  PID:1020
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  PID:2732
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  PID:2860
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  PID:2484
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Kills process with taskkill
  PID:2192
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  PID:2588
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  PID:1792
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1628
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  PID:1616
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  PID:2144
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  PID:1872
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  PID:892
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Kills process with taskkill
  PID:2564
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  PID:2136
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  PID:776
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  PID:2616
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Kills process with taskkill
  PID:2280
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  PID:964
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  PID:2704
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Kills process with taskkill
  PID:556
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  PID:2152
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  PID:2844
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  PID:2652
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  PID:1952
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  PID:2572
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  PID:2444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20640537028935224908081845021370365145-246173779-456352743-20666524192034036224"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20297866112369408668802598711953015926-1982379613-1784969136-14962079191516999712"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "889636650-1990271992746828883-20513906561766293926-199919760373688676154096886"
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13560200001497517274-1984960598-426871050771918081-1109216683-224550644645469721"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1343461747-441737167-1119513134-939593066-537284911233611649-89523586-1739626465"
1⤵
PID:2648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-616424850107166590-577883220-36397994-431572050-501081280-5196477731030070094"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-748514607-412077627173537332-1568909223-14658101515514951276905836522058333551"
1⤵
PID:2600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1743897174-1320648359435685774-11155215861895942248-506927727-1196776610388549883"
1⤵
PID:2584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-337889740-132935901-14789949991818197787-57696715777047905620650777231922075432"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1994612531-1692289417-18206964941717227482-830061827274823237-11571547041408522585"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1958232779-12951124521127430047976900520-661923091-1086137405-1941094731-149822808"
1⤵
PID:2836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-27809259514125245817118855311071980216-115772713124277869620671951972091203884"
1⤵
PID:1584

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1659809163550869664-756069402-10178003761713213094-1075473031934714958-598985557"
1⤵
PID:2772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "294271394-1830381893-2123353588-1854611767279664185-18452389401260499491170020615"
1⤵
PID:2252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11539465-242129621-691165402-1755613580-820138347-978779926-124274514-732394236"
1⤵
PID:1012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "575357993-1607459751408668921-94091139896419297-281794360-860907199-1163844147"
1⤵
PID:664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1971112929385911792-473733318277751750-2134750574535207688-7511043051280903112"
1⤵
PID:2016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15578609632139756234-1998844891608782070-11123758511106625385304215149-940552314"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1751306816295995619-32263340514760514922018027348832324152-1844205629-979080251"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17055138701903780457-1459687961597295069-754293755508275475-1718550061-907616491"
1⤵
PID:3020

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
c72660f6e7ce9103ea02f54c13dc2d19

SHA1
edb93076d708370a68dde1d2eeaddb22a8cd0cc6

SHA256
224a9d5d37d0b54963ce24e47609facff96e9f79ac644941371292970f0cf035

SHA512
028ad4af1ce6ad9c468b3ea1d9c5148c0c904fc11e4c3d878ddb43ba805988b4ef2827c0999da7a06ce08bb244e55366be68e7a2253a83ae3a4caae8f8a4b40d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
62b9b82a0b4f607a1c7cb6e75e7fad8d

SHA1
b79f233db00f0da35279ba52be3be0993ef5755a

SHA256
3d53ae890e85b7d6fd6529cede6b08e8513dad180ba13a4a9c3ad146f2bd1e10

SHA512
82c7447bcb06e55bc8c9c3410e7b4d18996f3f9a7aa7c240d0f6c0f91e42c0d68b309d44b36302878f84edc5274612754a1b8063523942c2608785d3a1317987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3669cbd283ff15991b60c3bb6582575

SHA1
92a7981c611c26027211f44b2d4d8e3a4e0f1cae

SHA256
4b2b76488062ae727d187bf601b18865526fc0ac795f435940a6830659f24e65

SHA512
e2802d063b0a768b817653ce414f3df1c0f1e256d560f57af1527da1b4b7a5e73dc90a646a9d51075ee23759f0474149811019faca5d23a7770f1f3ef59794dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6EAD.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6EEE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OGXILS8V.txt

Filesize
218B

MD5
a1d78eea5b58a7fd2086957ecb587189

SHA1
323fe617124f2f1c8a80f4244d9f8f8af611bd12

SHA256
ee2f17c274cb8c8c23aa34464a95a4be769c494b986a303bc8ba8f99f84b34b6

SHA512
99cdbe2696392377e6b08b2d4042bb1bd57575ee5efaec30de9bbac26c49d6ebc87f659aaad22778c16ae553cc96d968e1d78d4f77badfa5c1eec5f444a3012f

Download Submit
C:\Windows\JavaTM_Platform_SE_binary.exe

Filesize
317KB

MD5
4892c13258e065e8985bc035b289fae4

SHA1
127e1eef3b8d9a1682f9de800ff34707c506e04f

SHA256
6d6eb7d49aa47a86ac23a027afe3d41f28ae7b480e53b423a78af46752eb51b7

SHA512
1f1e1fe7d3e08ad0e7907965bfb6b168170c29772906c6ddab1fb87ce05a7ea7e187e7b201d625d570e29f2a8e8a277db7fbe012a5960a6f51bf3970f0cc57af

Download Submit
C:\Windows\taskhostn.exe

Filesize
2.5MB

MD5
54b80244bc60400803f41bb74f8eb415

SHA1
cc0216e22ea033e1274fe3cfd89951b5a72af086

SHA256
a38b7c20c280c739543d0025e49b6fd434b5fc359404f3af23e8aef376b03f93

SHA512
92e9ebae2453d87479044d3d131cf62b352252256518ee1a2d58da192324f7bc6f45f6580817fc964a94b1b22c4cfb5c542be3ba9f69e89aba7f51977816f3bd

Download Submit
C:\Windows\taskhostn.exe

Filesize
1.4MB

MD5
8861f102ecf3c276fd027b2716590666

SHA1
ce1e83a5f1889a7ca323bc5afd3f37cb2faf29ce

SHA256
74d82f7916b6892b38a3acd7338877b28627479eb295dcbd8c039eda10096edb

SHA512
dc54438a234e9aa6e86ac42fe112c04ac51251b19788facfd77ddcaa85ae8f2feae79fc4dba4540ebef1068b3170825ee17107835fdca90bbc9df6f3d5ded6c5

Download Submit
C:\Windows\vcredistj.exe

Filesize
23KB

MD5
7d5c4428e37f4ce618c0df1d0d01868b

SHA1
e5b096d07c394f0c485a1ff5673f019e359e6ec4

SHA256
233b51730f8912561652ca8e101afc95714547caa1a4d4165908ddd704a50975

SHA512
af21fa36f8aea30c85c066a939527e146ecdf09e49e16c08a0ac0e34386aa96376962355020826890a420c806ba45c1702c656ae2a492129faeb5461d76d2e7f

Download Submit
memory/1756-99-0x0000000077160000-0x00000000771A7000-memory.dmp

Filesize
284KB

Download
memory/1756-102-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-118-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/1756-87-0x0000000000090000-0x000000000071A000-memory.dmp

Filesize
6.5MB

Download
memory/1756-88-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-94-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-90-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-97-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-98-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-96-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-103-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-109-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-108-0x00000000775C0000-0x00000000775C2000-memory.dmp

Filesize
8KB

Download
memory/1756-107-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-106-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-105-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-104-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-117-0x0000000077160000-0x00000000771A7000-memory.dmp

Filesize
284KB

Download
memory/1756-101-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-100-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-116-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-95-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-92-0x0000000075770000-0x0000000075880000-memory.dmp

Filesize
1.1MB

Download
memory/1756-110-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/1756-111-0x0000000000090000-0x000000000071A000-memory.dmp

Filesize
6.5MB

Download
memory/1756-112-0x0000000000090000-0x000000000071A000-memory.dmp

Filesize
6.5MB

Download
memory/1756-113-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/1756-115-0x0000000000090000-0x000000000071A000-memory.dmp

Filesize
6.5MB

Download
memory/2296-120-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2296-121-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2840-76-0x0000000001320000-0x0000000001372000-memory.dmp

Filesize
328KB

Download
memory/2840-78-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download
memory/2840-77-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

Filesize
9.9MB

Download