umbral | addc8ce8d3585541532d9cd533c3da3e8d301b53fddd37f972051e3838da7abb

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BoostLoader.exe
Size

51KB
MD5

57ea0794f42770a46a04654ba8182e94
SHA1

da89c0fba72bbc97070830e7c82eb5d756cd2870
SHA256

addc8ce8d3585541532d9cd533c3da3e8d301b53fddd37f972051e3838da7abb
SHA512

8143f50f8c049c9c8c038d82ab22b102ce55f2902fdd7e8f0aa82072a56348efd89c675e35b43e634611174f69f0c3b6eb4647987c9e96f56c95a7ea042fe53d
SSDEEP

768:rmry/329e5ew0AsnmYlB7Q/80svMIBhBshszXHj91eL6pucVB+1P09z5:d/Lew0Ak7QbvssCze5Pcz5

Score

10^/10

umbral evasion stealer themida trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1209556025984811048/FntoxASlrfqyFVYWHJOR6g3gwuEED0AVfbHu2PW_kbbNMm_xDWYzkGLyUDSsvwmC1scU

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral2/memory/1844-70-0x0000000000AC0000-0x000000000114A000-memory.dmp	family_umbral
behavioral2/memory/1844-71-0x0000000000AC0000-0x000000000114A000-memory.dmp	family_umbral
behavioral2/memory/1844-76-0x0000000000AC0000-0x000000000114A000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhostn.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	taskhostn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhostn.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation	BoostLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation	vcredistj.exe

Executes dropped EXE 3 IoCs

pid	Process
2588	vcredistj.exe
4408	taskkill.exe
1844	taskhostn.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x00060000000231f9-43.dat	themida
behavioral2/files/0x00060000000231f9-54.dat	themida
behavioral2/files/0x00060000000231f9-57.dat	themida
behavioral2/memory/1844-70-0x0000000000AC0000-0x000000000114A000-memory.dmp	themida
behavioral2/memory/1844-71-0x0000000000AC0000-0x000000000114A000-memory.dmp	themida
behavioral2/memory/1844-76-0x0000000000AC0000-0x000000000114A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1844	taskhostn.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\vcredistj.exe	BoostLoader.exe
File created	C:\Windows\JavaTM_Platform_SE_binary.exe	vcredistj.exe
File created	C:\Windows\taskhostn.exe	vcredistj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2664	taskkill.exe
1284	taskkill.exe
2944	taskkill.exe
3348	taskkill.exe
3924	taskkill.exe
4168	taskkill.exe
4908	taskkill.exe
3020	taskkill.exe
4752	taskkill.exe
1416	taskkill.exe
2776	taskkill.exe
4156	taskkill.exe
4392	taskkill.exe
3036	taskkill.exe
2976	taskkill.exe
212	taskkill.exe
4500	taskkill.exe
1996	taskkill.exe
1908	taskkill.exe
920	taskkill.exe
3776	taskkill.exe
2752	taskkill.exe
4716	taskkill.exe
3884	taskkill.exe
436	taskkill.exe
5072	taskkill.exe
4540	taskkill.exe
740	taskkill.exe
3256	taskkill.exe
3384	taskkill.exe
1920	taskkill.exe
3280	taskkill.exe
2132	taskkill.exe
2832	taskkill.exe
3124	taskkill.exe
3152	taskkill.exe
704	taskkill.exe
2116	taskkill.exe
4400	taskkill.exe
3636	taskkill.exe
4744	taskkill.exe
2120	taskkill.exe
4240	taskkill.exe
1620	taskkill.exe
4060	taskkill.exe
4228	taskkill.exe
1920	taskkill.exe
4456	taskkill.exe
3596	taskkill.exe
3084	taskkill.exe
4736	taskkill.exe
4264	taskkill.exe
3812	taskkill.exe
2040	taskkill.exe
4412	taskkill.exe
1748	taskkill.exe
2452	taskkill.exe
3356	taskkill.exe
1376	taskkill.exe
2752	taskkill.exe
3272	taskkill.exe
2452	taskkill.exe
2388	taskkill.exe
4592	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Software\Microsoft\Internet Explorer\TypedURLs	taskmgr.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4492	BoostLoader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeDebugPrivilege	3636	taskkill.exe
Token: SeDebugPrivilege	704	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	4716	taskkill.exe
Token: SeDebugPrivilege	4340	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	3256	cmd.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	4744	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	4156	Conhost.exe
Token: SeDebugPrivilege	4264	Conhost.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	4456	taskkill.exe
Token: SeDebugPrivilege	1400	taskkill.exe
Token: SeDebugPrivilege	3272	taskkill.exe
Token: SeDebugPrivilege	1908	Conhost.exe
Token: SeDebugPrivilege	212	cmd.exe
Token: SeDebugPrivilege	4392	Conhost.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	3812	Conhost.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	1844	taskhostn.exe
Token: SeDebugPrivilege	3596	Conhost.exe
Token: SeDebugPrivilege	3320	taskkill.exe
Token: SeDebugPrivilege	3084	taskkill.exe
Token: SeDebugPrivilege	4168	Conhost.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	436	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	4500	taskkill.exe
Token: SeIncreaseQuotaPrivilege	740	taskkill.exe
Token: SeSecurityPrivilege	740	taskkill.exe
Token: SeTakeOwnershipPrivilege	740	taskkill.exe
Token: SeLoadDriverPrivilege	740	taskkill.exe
Token: SeSystemProfilePrivilege	740	taskkill.exe
Token: SeSystemtimePrivilege	740	taskkill.exe
Token: SeProfSingleProcessPrivilege	740	taskkill.exe
Token: SeIncBasePriorityPrivilege	740	taskkill.exe
Token: SeCreatePagefilePrivilege	740	taskkill.exe
Token: SeBackupPrivilege	740	taskkill.exe
Token: SeRestorePrivilege	740	taskkill.exe
Token: SeShutdownPrivilege	740	taskkill.exe
Token: SeDebugPrivilege	740	taskkill.exe
Token: SeSystemEnvironmentPrivilege	740	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe
2852	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2852	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 3812	4492	BoostLoader.exe	99
PID 4492 wrote to memory of 3812	4492	BoostLoader.exe	99
PID 4492 wrote to memory of 1276	4492	BoostLoader.exe	100
PID 4492 wrote to memory of 1276	4492	BoostLoader.exe	100
PID 4492 wrote to memory of 1124	4492	BoostLoader.exe	102
PID 4492 wrote to memory of 1124	4492	BoostLoader.exe	102
PID 4492 wrote to memory of 4168	4492	BoostLoader.exe	103
PID 4492 wrote to memory of 4168	4492	BoostLoader.exe	103
PID 4492 wrote to memory of 3636	4492	BoostLoader.exe	104
PID 4492 wrote to memory of 3636	4492	BoostLoader.exe	104
PID 4492 wrote to memory of 704	4492	BoostLoader.exe	109
PID 4492 wrote to memory of 704	4492	BoostLoader.exe	109
PID 4492 wrote to memory of 2664	4492	BoostLoader.exe	110
PID 4492 wrote to memory of 2664	4492	BoostLoader.exe	110
PID 4492 wrote to memory of 2432	4492	BoostLoader.exe	112
PID 4492 wrote to memory of 2432	4492	BoostLoader.exe	112
PID 4492 wrote to memory of 4716	4492	BoostLoader.exe	114
PID 4492 wrote to memory of 4716	4492	BoostLoader.exe	114
PID 4492 wrote to memory of 4340	4492	BoostLoader.exe	116
PID 4492 wrote to memory of 4340	4492	BoostLoader.exe	116
PID 4492 wrote to memory of 5032	4492	BoostLoader.exe	118
PID 4492 wrote to memory of 5032	4492	BoostLoader.exe	118
PID 4492 wrote to memory of 2588	4492	BoostLoader.exe	120
PID 4492 wrote to memory of 2588	4492	BoostLoader.exe	120
PID 4492 wrote to memory of 1272	4492	BoostLoader.exe	121
PID 4492 wrote to memory of 1272	4492	BoostLoader.exe	121
PID 4492 wrote to memory of 2704	4492	BoostLoader.exe	123
PID 4492 wrote to memory of 2704	4492	BoostLoader.exe	123
PID 4492 wrote to memory of 2452	4492	BoostLoader.exe	125
PID 4492 wrote to memory of 2452	4492	BoostLoader.exe	125
PID 4492 wrote to memory of 3256	4492	BoostLoader.exe	170
PID 4492 wrote to memory of 3256	4492	BoostLoader.exe	170
PID 4492 wrote to memory of 4592	4492	BoostLoader.exe	129
PID 4492 wrote to memory of 4592	4492	BoostLoader.exe	129
PID 4492 wrote to memory of 4908	4492	BoostLoader.exe	131
PID 4492 wrote to memory of 4908	4492	BoostLoader.exe	131
PID 4492 wrote to memory of 2776	4492	BoostLoader.exe	133
PID 4492 wrote to memory of 2776	4492	BoostLoader.exe	133
PID 4492 wrote to memory of 552	4492	BoostLoader.exe	135
PID 4492 wrote to memory of 552	4492	BoostLoader.exe	135
PID 4492 wrote to memory of 3884	4492	BoostLoader.exe	138
PID 4492 wrote to memory of 3884	4492	BoostLoader.exe	138
PID 4492 wrote to memory of 1804	4492	BoostLoader.exe	139
PID 4492 wrote to memory of 1804	4492	BoostLoader.exe	139
PID 2588 wrote to memory of 4408	2588	vcredistj.exe	277
PID 2588 wrote to memory of 4408	2588	vcredistj.exe	277
PID 4492 wrote to memory of 1340	4492	BoostLoader.exe	142
PID 4492 wrote to memory of 1340	4492	BoostLoader.exe	142
PID 4492 wrote to memory of 1748	4492	BoostLoader.exe	283
PID 4492 wrote to memory of 1748	4492	BoostLoader.exe	283
PID 4492 wrote to memory of 1376	4492	BoostLoader.exe	147
PID 4492 wrote to memory of 1376	4492	BoostLoader.exe	147
PID 4492 wrote to memory of 652	4492	BoostLoader.exe	148
PID 4492 wrote to memory of 652	4492	BoostLoader.exe	148
PID 4492 wrote to memory of 2752	4492	BoostLoader.exe	335
PID 4492 wrote to memory of 2752	4492	BoostLoader.exe	335
PID 4492 wrote to memory of 1488	4492	BoostLoader.exe	152
PID 4492 wrote to memory of 1488	4492	BoostLoader.exe	152
PID 4492 wrote to memory of 4744	4492	BoostLoader.exe	155
PID 4492 wrote to memory of 4744	4492	BoostLoader.exe	155
PID 2588 wrote to memory of 1844	2588	vcredistj.exe	154
PID 2588 wrote to memory of 1844	2588	vcredistj.exe	154
PID 2588 wrote to memory of 1844	2588	vcredistj.exe	154
PID 4492 wrote to memory of 1920	4492	BoostLoader.exe	295

C:\Users\Admin\AppData\Local\Temp\BoostLoader.exe
"C:\Users\Admin\AppData\Local\Temp\BoostLoader.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3812
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\vcredistj.exe
  "C:\Windows\vcredistj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\JavaTM_Platform_SE_binary.exe
    "C:\Windows\JavaTM_Platform_SE_binary.exe"
    3⤵
    PID:4408
- - C:\Windows\taskhostn.exe
    "C:\Windows\taskhostn.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:740
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Kills process with taskkill
  PID:3256
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:1748
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Kills process with taskkill
  PID:2752
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  PID:1920
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Kills process with taskkill
  PID:4156
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1096
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  PID:1400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3256
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Kills process with taskkill
  PID:1908
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  PID:212
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Kills process with taskkill
  PID:4392
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Kills process with taskkill
  PID:3812
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4712
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:3596
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3084
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  PID:4168
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  PID:4500
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  PID:984
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  PID:4832
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  PID:4420
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Kills process with taskkill
  PID:2116
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  PID:4736
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Kills process with taskkill
  PID:920
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  PID:3592
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  PID:5016
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  PID:5092
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Kills process with taskkill
  PID:2040
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:3124
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  PID:2944
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  PID:1548
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  PID:748
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  PID:4168
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Kills process with taskkill
  PID:4400
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  PID:3384
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  PID:1312
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  PID:1920
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  PID:3872
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  PID:3840
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  PID:2736
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  PID:1944
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  PID:4280
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  PID:3280
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Kills process with taskkill
  PID:3348
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Kills process with taskkill
  PID:2132
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  PID:1368
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  PID:2120
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Kills process with taskkill
  PID:5072
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  PID:1276
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  PID:4432
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  PID:1748
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  PID:3340
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1548
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  PID:3776
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Kills process with taskkill
  PID:3036
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  PID:380
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4168
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  PID:2928
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  PID:1512
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  PID:2452
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Kills process with taskkill
  PID:2976
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  PID:4240
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  - Kills process with taskkill
  PID:1620
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  PID:4752
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Kills process with taskkill
  PID:1996
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  PID:4948
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  PID:460
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Kills process with taskkill
  PID:4060
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  PID:5060
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  - Kills process with taskkill
  PID:4540
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Kills process with taskkill
  PID:3152
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  PID:3356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  PID:4316
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  PID:4228
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM SecHealthUI.exe
  2⤵
  - Kills process with taskkill
  PID:3924
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM Taskmgr.exe
  2⤵
  PID:2284
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ProcessHacker.exe
  2⤵
  - Kills process with taskkill
  PID:4412
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM uihost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM servicehost.exe
  2⤵
  PID:4440
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM ModuleCoreService.exe
  2⤵
  PID:3816
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-web-view.exe
  2⤵
  - Kills process with taskkill
  PID:2832
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-neo-host.exe
  2⤵
  - Kills process with taskkill
  PID:2388
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mc-fw-host.exe
  2⤵
  PID:380
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /IM mcapexe.exe
  2⤵
  - Kills process with taskkill
  PID:1416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4400

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:984

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
c72660f6e7ce9103ea02f54c13dc2d19

SHA1
edb93076d708370a68dde1d2eeaddb22a8cd0cc6

SHA256
224a9d5d37d0b54963ce24e47609facff96e9f79ac644941371292970f0cf035

SHA512
028ad4af1ce6ad9c468b3ea1d9c5148c0c904fc11e4c3d878ddb43ba805988b4ef2827c0999da7a06ce08bb244e55366be68e7a2253a83ae3a4caae8f8a4b40d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
8185b57b5d3bec25f258742c5e00dba3

SHA1
f16bbdf9684b2b3f8b88f0b8edbce5472fa1099c

SHA256
a7e0895bdb2b1804974707142dd537d3ee7dd4843194a7de919aeb6d68813828

SHA512
21125442cf26d163f3ed29dc0ae38dce02098a72955e13570ad48228b6d685f11788cab8ce7a6dcfbd39bf2b145e4f40c7d5647949b110142374c62f1fa029a9

Download Submit
C:\Windows\JavaTM_Platform_SE_binary.exe

Filesize
317KB

MD5
4892c13258e065e8985bc035b289fae4

SHA1
127e1eef3b8d9a1682f9de800ff34707c506e04f

SHA256
6d6eb7d49aa47a86ac23a027afe3d41f28ae7b480e53b423a78af46752eb51b7

SHA512
1f1e1fe7d3e08ad0e7907965bfb6b168170c29772906c6ddab1fb87ce05a7ea7e187e7b201d625d570e29f2a8e8a277db7fbe012a5960a6f51bf3970f0cc57af

Download Submit
C:\Windows\taskhostn.exe

Filesize
1.7MB

MD5
6202347934f4a7e633f7df2ed869d874

SHA1
a07647bbdc40651b21035dbf2f323406aebd70ee

SHA256
38aec0d7139f90821d4c3fdf056674f3c0294c3684b83efecbefffd8a4f27a05

SHA512
654f1db9c333da5b50d1a1e702959e71fa7c895bd0c88afab0d21bc79b36007ea21ea824d725920b5b00d0032a37c0c65e2c005529f16120a1118db370d1958b

Download Submit
C:\Windows\taskhostn.exe

Filesize
1.8MB

MD5
86503eee1eb46f1d6a06774df1c04bcf

SHA1
ea59efc3e70d013a3bc988bb88389b6b7ebed1ad

SHA256
2c26772c2e802cfac6707f01b002597bc8112f0dcbfa27a4b72c61b8fcc09303

SHA512
459b8e0ce6405d5af559edcb05054e79eed58c079f27fe242e6f9699a06308ee56654eef896b97d78083034f677004da034f18075fd9e8894c47b2d826126dd7

Download Submit
C:\Windows\taskhostn.exe

Filesize
832KB

MD5
69edd3cf5119c38331e79a9edd6b3c16

SHA1
20227c8eaf0c56726c49bd455acca251b38788ae

SHA256
88d5c21f4213d9be6d4704880622091a721c3232b3a45df34cc7720fb66ad01a

SHA512
5179a92f33a6f5be645d6e3d93c51e0d6972c0ed204afb2bac663ef21fae0cb221ed3b9b48d3c078b9f0aa5809c1502825b14b6e119ed4aae374943e434ff372

Download Submit
C:\Windows\vcredistj.exe

Filesize
23KB

MD5
7d5c4428e37f4ce618c0df1d0d01868b

SHA1
e5b096d07c394f0c485a1ff5673f019e359e6ec4

SHA256
233b51730f8912561652ca8e101afc95714547caa1a4d4165908ddd704a50975

SHA512
af21fa36f8aea30c85c066a939527e146ecdf09e49e16c08a0ac0e34386aa96376962355020826890a420c806ba45c1702c656ae2a492129faeb5461d76d2e7f

Download Submit
memory/1844-65-0x0000000075DB0000-0x0000000075EA0000-memory.dmp

Filesize
960KB

Download
memory/1844-72-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/1844-58-0x0000000000AC0000-0x000000000114A000-memory.dmp

Filesize
6.5MB

Download
memory/1844-77-0x0000000075DB0000-0x0000000075EA0000-memory.dmp

Filesize
960KB

Download
memory/1844-59-0x0000000075DB0000-0x0000000075EA0000-memory.dmp

Filesize
960KB

Download
memory/1844-60-0x0000000075DB0000-0x0000000075EA0000-memory.dmp

Filesize
960KB

Download
memory/1844-61-0x0000000075DB0000-0x0000000075EA0000-memory.dmp

Filesize
960KB

Download
memory/1844-62-0x0000000075DB0000-0x0000000075EA0000-memory.dmp

Filesize
960KB

Download
memory/1844-63-0x0000000075DB0000-0x0000000075EA0000-memory.dmp

Filesize
960KB

Download
memory/1844-64-0x0000000075DB0000-0x0000000075EA0000-memory.dmp

Filesize
960KB

Download
memory/1844-66-0x0000000075DB0000-0x0000000075EA0000-memory.dmp

Filesize
960KB

Download
memory/1844-76-0x0000000000AC0000-0x000000000114A000-memory.dmp

Filesize
6.5MB

Download
memory/1844-67-0x0000000077E84000-0x0000000077E86000-memory.dmp

Filesize
8KB

Download
memory/1844-70-0x0000000000AC0000-0x000000000114A000-memory.dmp

Filesize
6.5MB

Download
memory/1844-71-0x0000000000AC0000-0x000000000114A000-memory.dmp

Filesize
6.5MB

Download
memory/1844-73-0x0000000005E60000-0x0000000006404000-memory.dmp

Filesize
5.6MB

Download
memory/2852-89-0x000001F7224D0000-0x000001F7224D1000-memory.dmp

Filesize
4KB

Download
memory/2852-83-0x000001F7224D0000-0x000001F7224D1000-memory.dmp

Filesize
4KB

Download
memory/2852-84-0x000001F7224D0000-0x000001F7224D1000-memory.dmp

Filesize
4KB

Download
memory/2852-85-0x000001F7224D0000-0x000001F7224D1000-memory.dmp

Filesize
4KB

Download
memory/2852-90-0x000001F7224D0000-0x000001F7224D1000-memory.dmp

Filesize
4KB

Download
memory/2852-93-0x000001F7224D0000-0x000001F7224D1000-memory.dmp

Filesize
4KB

Download
memory/2852-92-0x000001F7224D0000-0x000001F7224D1000-memory.dmp

Filesize
4KB

Download
memory/2852-91-0x000001F7224D0000-0x000001F7224D1000-memory.dmp

Filesize
4KB

Download
memory/2852-94-0x000001F7224D0000-0x000001F7224D1000-memory.dmp

Filesize
4KB

Download
memory/2852-95-0x000001F7224D0000-0x000001F7224D1000-memory.dmp

Filesize
4KB

Download
memory/4408-35-0x0000000000E90000-0x0000000000EE2000-memory.dmp

Filesize
328KB

Download
memory/4408-36-0x00007FF848DA0000-0x00007FF849861000-memory.dmp

Filesize
10.8MB

Download
memory/4408-38-0x00007FF848DA0000-0x00007FF849861000-memory.dmp

Filesize
10.8MB

Download