c765f61cee33c326acc4ea19256267c35129a1ec7edb567fe0b5ed9a88e3d6b1

Analysis

max time kernel
132s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KyrazonGodot.exe
Size

164.7MB
MD5

eeb12aac1ff31a9d17ba437700caf9d6
SHA1

09aedf44e30437be57326c61570be52930b0f001
SHA256

bd4e25e01de9ec86b4b55bde68a59f196ba4ad2f0889f3caf761a6d548027dd5
SHA512

566f12212b7a3ca1ad1184bd0cb6df9552a4600be36fa0c9632681a68c6fea20068a09e160c404ab31468448db10308e6b2c3424515f02e5c25ec7bf2f250f02
SSDEEP

1572864:q3lB0RhDP7igv6wO+HkaN/xtpj56BZWua2T3jC0gqhd07YeRt6C1Bd1jKoUeKtQk:/Pvt1x2z5m1ij

Score

9^/10

credential_access discovery execution spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	KyrazonGodot.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk	Shortcut.exe

Loads dropped DLL 2 IoCs

pid	Process
2808	KyrazonGodot.exe
2808	KyrazonGodot.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
34	discord.com
35	discord.com

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
4908	tasklist.exe
4956	tasklist.exe
4960	tasklist.exe
4356	tasklist.exe
3560	tasklist.exe
4624	tasklist.exe
696	tasklist.exe
2248	tasklist.exe
4344	tasklist.exe
4216	tasklist.exe
2424	tasklist.exe
852	tasklist.exe
1732	tasklist.exe
1680	tasklist.exe
3268	tasklist.exe
536	tasklist.exe
2752	tasklist.exe
4380	tasklist.exe
3512	tasklist.exe
1268	tasklist.exe
1088	tasklist.exe
1144	tasklist.exe
4764	tasklist.exe
2708	tasklist.exe
3912	tasklist.exe
4216	tasklist.exe
4280	tasklist.exe
1972	tasklist.exe
2296	tasklist.exe
1436	tasklist.exe
3656	tasklist.exe
4920	tasklist.exe
3924	tasklist.exe
1528	tasklist.exe
3472	tasklist.exe
3800	tasklist.exe
632	tasklist.exe
1876	tasklist.exe
2424	tasklist.exe
868	tasklist.exe
2344	tasklist.exe
1380	tasklist.exe
5036	tasklist.exe
2800	tasklist.exe
4768	tasklist.exe
1548	tasklist.exe
1892	tasklist.exe
4940	tasklist.exe
3860	tasklist.exe
3676	tasklist.exe
3384	tasklist.exe
5064	tasklist.exe
3612	tasklist.exe
2996	tasklist.exe
3808	tasklist.exe
4044	tasklist.exe
1968	tasklist.exe
1912	tasklist.exe
3772	tasklist.exe
1652	tasklist.exe
2940	tasklist.exe
2896	tasklist.exe
1092	tasklist.exe
1928	tasklist.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3088	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shortcut.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3088	powershell.exe
3088	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2808	KyrazonGodot.exe
Token: SeCreatePagefilePrivilege	2808	KyrazonGodot.exe
Token: SeDebugPrivilege	2896	tasklist.exe
Token: SeDebugPrivilege	2424	tasklist.exe
Token: SeDebugPrivilege	1912	tasklist.exe
Token: SeDebugPrivilege	1088	tasklist.exe
Token: SeDebugPrivilege	4624	tasklist.exe
Token: SeShutdownPrivilege	2808	KyrazonGodot.exe
Token: SeCreatePagefilePrivilege	2808	KyrazonGodot.exe
Token: SeDebugPrivilege	4908	tasklist.exe
Token: SeDebugPrivilege	5036	tasklist.exe
Token: SeDebugPrivilege	2296	tasklist.exe
Token: SeShutdownPrivilege	2808	KyrazonGodot.exe
Token: SeCreatePagefilePrivilege	2808	KyrazonGodot.exe
Token: SeDebugPrivilege	3924	tasklist.exe
Token: SeDebugPrivilege	868	tasklist.exe
Token: SeDebugPrivilege	2752	tasklist.exe
Token: SeDebugPrivilege	3676	tasklist.exe
Token: SeShutdownPrivilege	2808	KyrazonGodot.exe
Token: SeCreatePagefilePrivilege	2808	KyrazonGodot.exe
Token: SeDebugPrivilege	4380	tasklist.exe
Token: SeDebugPrivilege	3912	tasklist.exe
Token: SeDebugPrivilege	696	tasklist.exe
Token: SeDebugPrivilege	1092	tasklist.exe
Token: SeShutdownPrivilege	2808	KyrazonGodot.exe
Token: SeCreatePagefilePrivilege	2808	KyrazonGodot.exe
Token: SeDebugPrivilege	852	tasklist.exe
Token: SeDebugPrivilege	2800	tasklist.exe
Token: SeDebugPrivilege	1528	tasklist.exe
Token: SeDebugPrivilege	4956	tasklist.exe
Token: SeShutdownPrivilege	2808	KyrazonGodot.exe
Token: SeCreatePagefilePrivilege	2808	KyrazonGodot.exe
Token: SeDebugPrivilege	3472	tasklist.exe
Token: SeDebugPrivilege	1928	tasklist.exe
Token: SeDebugPrivilege	1144	tasklist.exe
Token: SeDebugPrivilege	1732	tasklist.exe
Token: SeShutdownPrivilege	2808	KyrazonGodot.exe
Token: SeCreatePagefilePrivilege	2808	KyrazonGodot.exe
Token: SeDebugPrivilege	3384	tasklist.exe
Token: SeDebugPrivilege	1680	tasklist.exe
Token: SeDebugPrivilege	3512	tasklist.exe
Token: SeDebugPrivilege	4768	tasklist.exe
Token: SeShutdownPrivilege	2808	KyrazonGodot.exe
Token: SeCreatePagefilePrivilege	2808	KyrazonGodot.exe
Token: SeDebugPrivilege	3800	tasklist.exe
Token: SeDebugPrivilege	4216	tasklist.exe
Token: SeDebugPrivilege	2248	tasklist.exe
Token: SeDebugPrivilege	632	tasklist.exe
Token: SeShutdownPrivilege	2808	KyrazonGodot.exe
Token: SeCreatePagefilePrivilege	2808	KyrazonGodot.exe
Token: SeDebugPrivilege	1268	tasklist.exe
Token: SeDebugPrivilege	4940	tasklist.exe
Token: SeDebugPrivilege	3268	tasklist.exe
Token: SeDebugPrivilege	5064	tasklist.exe
Token: SeDebugPrivilege	4960	tasklist.exe
Token: SeShutdownPrivilege	2808	KyrazonGodot.exe
Token: SeCreatePagefilePrivilege	2808	KyrazonGodot.exe
Token: SeDebugPrivilege	3612	tasklist.exe
Token: SeDebugPrivilege	4764	tasklist.exe
Token: SeDebugPrivilege	2344	tasklist.exe
Token: SeDebugPrivilege	3808	tasklist.exe
Token: SeShutdownPrivilege	2808	KyrazonGodot.exe
Token: SeCreatePagefilePrivilege	2808	KyrazonGodot.exe
Token: SeDebugPrivilege	1876	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4640	2808	KyrazonGodot.exe	87
PID 2808 wrote to memory of 4416	2808	KyrazonGodot.exe	88
PID 2808 wrote to memory of 4416	2808	KyrazonGodot.exe	88
PID 2808 wrote to memory of 4216	2808	KyrazonGodot.exe	89
PID 2808 wrote to memory of 4216	2808	KyrazonGodot.exe	89
PID 2808 wrote to memory of 4216	2808	KyrazonGodot.exe	89
PID 2808 wrote to memory of 3988	2808	KyrazonGodot.exe	92
PID 2808 wrote to memory of 3988	2808	KyrazonGodot.exe	92
PID 3988 wrote to memory of 2896	3988	cmd.exe	94
PID 3988 wrote to memory of 2896	3988	cmd.exe	94
PID 2808 wrote to memory of 1524	2808	KyrazonGodot.exe	96
PID 2808 wrote to memory of 1524	2808	KyrazonGodot.exe	96
PID 2808 wrote to memory of 2320	2808	KyrazonGodot.exe	97
PID 2808 wrote to memory of 2320	2808	KyrazonGodot.exe	97
PID 2808 wrote to memory of 1752	2808	KyrazonGodot.exe	98
PID 2808 wrote to memory of 1752	2808	KyrazonGodot.exe	98
PID 2808 wrote to memory of 1244	2808	KyrazonGodot.exe	100
PID 2808 wrote to memory of 1244	2808	KyrazonGodot.exe	100
PID 2320 wrote to memory of 2424	2320	cmd.exe	104
PID 2320 wrote to memory of 2424	2320	cmd.exe	104
PID 1752 wrote to memory of 1912	1752	cmd.exe	105
PID 1752 wrote to memory of 1912	1752	cmd.exe	105
PID 1524 wrote to memory of 1088	1524	cmd.exe	106
PID 1524 wrote to memory of 1088	1524	cmd.exe	106
PID 1244 wrote to memory of 2768	1244	cmd.exe	107
PID 1244 wrote to memory of 2768	1244	cmd.exe	107
PID 2808 wrote to memory of 4780	2808	KyrazonGodot.exe	108
PID 2808 wrote to memory of 4780	2808	KyrazonGodot.exe	108
PID 4780 wrote to memory of 4624	4780	cmd.exe	110
PID 4780 wrote to memory of 4624	4780	cmd.exe	110
PID 2808 wrote to memory of 1044	2808	KyrazonGodot.exe	111
PID 2808 wrote to memory of 1044	2808	KyrazonGodot.exe	111
PID 1044 wrote to memory of 4908	1044	cmd.exe	113
PID 1044 wrote to memory of 4908	1044	cmd.exe	113
PID 2808 wrote to memory of 1848	2808	KyrazonGodot.exe	114

C:\Users\Admin\AppData\Local\Temp\KyrazonGodot.exe
"C:\Users\Admin\AppData\Local\Temp\KyrazonGodot.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\KyrazonGodot.exe
  "C:\Users\Admin\AppData\Local\Temp\KyrazonGodot.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\KyrazonGodot" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1680 --field-trial-handle=1684,i,14001658070692689046,9038706090485791093,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\KyrazonGodot.exe
  "C:\Users\Admin\AppData\Local\Temp\KyrazonGodot.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\KyrazonGodot" --mojo-platform-channel-handle=1920 --field-trial-handle=1684,i,14001658070692689046,9038706090485791093,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:4416
- C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe
  C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\windows-shortcuts\lib\shortcut\Shortcut.exe /A:C "/F:C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KyrazonGodot.lnk" /T:C:\Users\Admin\AppData\Local\Temp\KyrazonGodot.exe
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . data.sqlite"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\system32\where.exe
    where /r . data.sqlite
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1848
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:784
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3680
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:940
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3096
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4488
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4992
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:824
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1884
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4408
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3428
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1788
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1752
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3228
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4960
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3088
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4764
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2792
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3504
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:560
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2508
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2840
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2500
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3876
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3148
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:224
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5096
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1524
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:756
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1528
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1492
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5048
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5044
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3560
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3120
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4304
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1892
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1972
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4788
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1552
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4516
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2984
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2080
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4616
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2468
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2032
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1496
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2188
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4572
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2684
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3160
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3104
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4380
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4756
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:824
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3876
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2172
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2956
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2068
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1524
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2096
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Code execution cannot proceed because VCRUNTIME140_1.dll was not found. Reinstalling the program may resolve this issue.', 'System Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}""
  2⤵
  PID:2032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Code execution cannot proceed because VCRUNTIME140_1.dll was not found. Reinstalling the program may resolve this issue.', 'System Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3f7c0607-a725-41df-b782-c570de19afe6.zip

Filesize
1KB

MD5
e78a9cb3953659d2a0d0d6232793d3da

SHA1
72ac32c6a06b16fc744f01b88d1ac332b49d4ce0

SHA256
48d462bacd795c314dc8a731506b03294e0065cd9f754ae8fc297853eb3d6a6e

SHA512
508dca77dafd8a64b050a1fb1347e67052ac864fcc68b39c785527e527cc431d31baea8848cea46eaaea5b5a0beefd4a187faab05d4d0c926ef54ad5b4864ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b33ab1f-f7ee-4fab-a3f5-150744a4d48f.tmp.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gknk3mgl.lkg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1dfe8c1-6b71-48d5-b4d6-d2860a1f17a4.tmp.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
memory/3088-94-0x0000024873C10000-0x0000024873C32000-memory.dmp

Filesize
136KB

Download