xworm | 503460c51a5c10fab8e05af5de5f531ec0b1e3c0f9fb69ff8465fae1c9e24ab5

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crypted.exe
Size

20.7MB
MD5

72201d2a8b18860b045bcf0df33ea846
SHA1

8c0c7854825a09de4766b8dc0732e900af19f27c
SHA256

503460c51a5c10fab8e05af5de5f531ec0b1e3c0f9fb69ff8465fae1c9e24ab5
SHA512

85aa2e1a06b8b6e0500e6ea2cb1718f1f2b34032102d67ba807218dc879d5c2186dbf34ace25d248fda5842644d40b784cc3a2275b5bf8eaf412cead2547dd5d
SSDEEP

393216:gsgRSfpBBhJE7YBAQ4T/u1xIne6xwnL848nVcdIFrp2lAqeQ7USb:jgRU/i7l7T/Xe18rVcdNATI

Score

10^/10

xworm discovery execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

find-rubber.gl.at.ply.gg:5426

Mutex

CRQoPEkBWWzMBNPO

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\GoogleUpdate.exe	family_xworm
behavioral1/memory/2908-131-0x0000000000B40000-0x0000000000B52000-memory.dmp	family_xworm
behavioral1/memory/1424-1978-0x0000000001080000-0x0000000001092000-memory.dmp	family_xworm
behavioral1/memory/648-1995-0x00000000003A0000-0x00000000003B2000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

Update.exeupdater.exe

description	pid	process	target process
PID 328 created 1184	328	Update.exe	Explorer.EXE
PID 328 created 1184	328	Update.exe	Explorer.EXE
PID 1576 created 1184	1576	updater.exe	Explorer.EXE
PID 1576 created 1184	1576	updater.exe	Explorer.EXE

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

764 powershell.exe
1860 powershell.exe
1968 powershell.exe
1256 powershell.exe
3044 powershell.exe
3068 powershell.exe

pid	process
764	powershell.exe
1860	powershell.exe
1968	powershell.exe
1256	powershell.exe
3044	powershell.exe
3068	powershell.exe

Drops startup file 2 IoCs

Processes:

GoogleUpdate.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemuser.lnk	GoogleUpdate.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemuser.lnk	GoogleUpdate.exe

Executes dropped EXE 9 IoCs

Processes:

GoogIeUpdate.exeGoogleUpdate.exeSystemUser.exeUpdate.exeGoogIeUpdate.exeExplorer.EXEupdater.exesystemusersystemuser

pid	process
1900	GoogIeUpdate.exe
2908	GoogleUpdate.exe
2384	SystemUser.exe
328	Update.exe
2892	GoogIeUpdate.exe
1184	Explorer.EXE
1576	updater.exe
1424	systemuser
648	systemuser

Loads dropped DLL 7 IoCs

Processes:

crypted.exeSystemUser.exeGoogIeUpdate.exetaskeng.exe

pid process

2812 crypted.exe
2812 crypted.exe
2812 crypted.exe
2812 crypted.exe
2384 SystemUser.exe
2892 GoogIeUpdate.exe
1676 taskeng.exe

pid	process
2812	crypted.exe
2812	crypted.exe
2812	crypted.exe
2812	crypted.exe
2384	SystemUser.exe
2892	GoogIeUpdate.exe
1676	taskeng.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GoogleUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemuser = "C:\\Users\\Admin\\AppData\\Roaming\\systemuser"	GoogleUpdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 raw.githubusercontent.com
8 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

flow	ioc
4	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
1552	tasklist.exe
2524	tasklist.exe
1500	tasklist.exe
1176	tasklist.exe
2784	tasklist.exe
2224	tasklist.exe
2288	tasklist.exe
2292	tasklist.exe
2784	tasklist.exe
2716	tasklist.exe
2780	tasklist.exe
2144	tasklist.exe
1620	tasklist.exe
3060	tasklist.exe
1976	tasklist.exe
2892	tasklist.exe
1708	tasklist.exe
1544	tasklist.exe
3064	tasklist.exe
2728	tasklist.exe
2480	tasklist.exe
792	tasklist.exe
2748	tasklist.exe
876	tasklist.exe
2308	tasklist.exe
492	tasklist.exe
928	tasklist.exe
1416	tasklist.exe
2088	tasklist.exe
2696	tasklist.exe
2808	tasklist.exe
2200	tasklist.exe
2436	tasklist.exe
1628	tasklist.exe
2200	tasklist.exe
2240	tasklist.exe
112	tasklist.exe
2904	tasklist.exe
2768	tasklist.exe
2604	tasklist.exe
672	tasklist.exe
2340	tasklist.exe
1596	tasklist.exe
2828	tasklist.exe
2396	tasklist.exe
648	tasklist.exe
776	tasklist.exe
320	tasklist.exe
2288	tasklist.exe
2824	tasklist.exe
2080	tasklist.exe
1908	tasklist.exe
2876	tasklist.exe
1888	tasklist.exe
2408	tasklist.exe
2496	tasklist.exe
2824	tasklist.exe
1144	tasklist.exe
2764	tasklist.exe
1356	tasklist.exe
2368	tasklist.exe
2548	tasklist.exe
2432	tasklist.exe
1208	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

updater.exe

description pid process target process

PID 1576 set thread context of 1004 1576 updater.exe conhost.exe

description	pid	process	target process
PID 1576 set thread context of 1004	1576	updater.exe	conhost.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\GoogIeUpdate.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

340 2812 WerFault.exe crypted.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

crypted.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crypted.exe

pid	pid_target	process	target process
340	2812	WerFault.exe	crypted.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe

Delays execution with timeout.exe 64 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1208	timeout.exe
2464	timeout.exe
836	timeout.exe
684	timeout.exe
2056	timeout.exe
2852	timeout.exe
948	timeout.exe
2200	timeout.exe
2784	timeout.exe
2608	timeout.exe
3020	timeout.exe
2932	timeout.exe
2992	timeout.exe
2768	timeout.exe
2252	timeout.exe
2096	timeout.exe
2356	timeout.exe
2192	timeout.exe
2376	timeout.exe
2724	timeout.exe
2664	timeout.exe
2952	timeout.exe
1912	timeout.exe
3020	timeout.exe
1708	timeout.exe
2136	timeout.exe
1840	timeout.exe
1740	timeout.exe
2788	timeout.exe
2512	timeout.exe
2604	timeout.exe
1212	timeout.exe
3036	timeout.exe
3032	timeout.exe
1500	timeout.exe
2080	timeout.exe
1064	timeout.exe
3044	timeout.exe
764	timeout.exe
2696	timeout.exe
2460	timeout.exe
2484	timeout.exe
2368	timeout.exe
2160	timeout.exe
1900	timeout.exe
2896	timeout.exe
1256	timeout.exe
1728	timeout.exe
612	timeout.exe
2292	timeout.exe
1924	timeout.exe
2084	timeout.exe
1684	timeout.exe
1348	timeout.exe
2284	timeout.exe
2124	timeout.exe
1592	timeout.exe
1776	timeout.exe
2840	timeout.exe
1636	timeout.exe
1640	timeout.exe
2456	timeout.exe
1508	timeout.exe
3036	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2216 schtasks.exe
2468 schtasks.exe
2104 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

GoogleUpdate.exe

pid process

2908 GoogleUpdate.exe

pid	process
2216	schtasks.exe
2468	schtasks.exe
2104	schtasks.exe

pid	process
2908	GoogleUpdate.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

SystemUser.exepowershell.exepowershell.exepowershell.exepowershell.exeGoogleUpdate.exeUpdate.exepowershell.exeupdater.exepowershell.exe

pid	process
2384	SystemUser.exe
2384	SystemUser.exe
2384	SystemUser.exe
3044	powershell.exe
3068	powershell.exe
1968	powershell.exe
1256	powershell.exe
2908	GoogleUpdate.exe
328	Update.exe
328	Update.exe
764	powershell.exe
328	Update.exe
328	Update.exe
1576	updater.exe
1576	updater.exe
1860	powershell.exe
1576	updater.exe
1576	updater.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

GoogleUpdate.exeSystemUser.exepowershell.exepowershell.exepowershell.exepowershell.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exepowershell.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	2908	GoogleUpdate.exe
Token: SeDebugPrivilege	2384	SystemUser.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1940	tasklist.exe
Token: SeDebugPrivilege	2908	GoogleUpdate.exe
Token: SeDebugPrivilege	408	tasklist.exe
Token: SeDebugPrivilege	1976	tasklist.exe
Token: SeDebugPrivilege	1144	tasklist.exe
Token: SeDebugPrivilege	2764	tasklist.exe
Token: SeDebugPrivilege	1552	tasklist.exe
Token: SeDebugPrivilege	1924	tasklist.exe
Token: SeDebugPrivilege	2200	tasklist.exe
Token: SeDebugPrivilege	2240	tasklist.exe
Token: SeDebugPrivilege	1908	tasklist.exe
Token: SeDebugPrivilege	2892	tasklist.exe
Token: SeDebugPrivilege	2468	tasklist.exe
Token: SeDebugPrivilege	1000	tasklist.exe
Token: SeDebugPrivilege	1484	tasklist.exe
Token: SeDebugPrivilege	2876	tasklist.exe
Token: SeDebugPrivilege	1848	tasklist.exe
Token: SeDebugPrivilege	1708	tasklist.exe
Token: SeDebugPrivilege	2696	tasklist.exe
Token: SeDebugPrivilege	2940	tasklist.exe
Token: SeDebugPrivilege	2452	tasklist.exe
Token: SeDebugPrivilege	1544	tasklist.exe
Token: SeDebugPrivilege	672	tasklist.exe
Token: SeDebugPrivilege	2756	tasklist.exe
Token: SeDebugPrivilege	552	tasklist.exe
Token: SeDebugPrivilege	1308	tasklist.exe
Token: SeDebugPrivilege	1888	tasklist.exe
Token: SeDebugPrivilege	912	tasklist.exe
Token: SeDebugPrivilege	2408	tasklist.exe
Token: SeDebugPrivilege	2108	tasklist.exe
Token: SeDebugPrivilege	2340	tasklist.exe
Token: SeDebugPrivilege	2480	tasklist.exe
Token: SeDebugPrivilege	2524	tasklist.exe
Token: SeDebugPrivilege	1356	tasklist.exe
Token: SeDebugPrivilege	2496	tasklist.exe
Token: SeDebugPrivilege	1596	tasklist.exe
Token: SeDebugPrivilege	2808	tasklist.exe
Token: SeDebugPrivilege	2200	tasklist.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2824	tasklist.exe
Token: SeDebugPrivilege	2828	tasklist.exe
Token: SeDebugPrivilege	2288	tasklist.exe
Token: SeDebugPrivilege	112	tasklist.exe
Token: SeDebugPrivilege	2904	tasklist.exe
Token: SeDebugPrivilege	3064	tasklist.exe
Token: SeDebugPrivilege	2396	tasklist.exe
Token: SeDebugPrivilege	2292	tasklist.exe
Token: SeDebugPrivilege	2784	tasklist.exe
Token: SeDebugPrivilege	2768	tasklist.exe
Token: SeDebugPrivilege	792	tasklist.exe
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	2368	tasklist.exe
Token: SeDebugPrivilege	492	tasklist.exe
Token: SeDebugPrivilege	1176	tasklist.exe
Token: SeDebugPrivilege	648	tasklist.exe
Token: SeDebugPrivilege	2608	tasklist.exe
Token: SeDebugPrivilege	2488	tasklist.exe
Token: SeDebugPrivilege	876	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

GoogleUpdate.exe

pid process

2908 GoogleUpdate.exe

pid	process
2908	GoogleUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

crypted.exeGoogIeUpdate.exeGoogleUpdate.exeSystemUser.execmd.exe

description	pid	process	target process
PID 2812 wrote to memory of 1900	2812	crypted.exe	GoogIeUpdate.exe
PID 2812 wrote to memory of 1900	2812	crypted.exe	GoogIeUpdate.exe
PID 2812 wrote to memory of 1900	2812	crypted.exe	GoogIeUpdate.exe
PID 2812 wrote to memory of 1900	2812	crypted.exe	GoogIeUpdate.exe
PID 2812 wrote to memory of 2908	2812	crypted.exe	GoogleUpdate.exe
PID 2812 wrote to memory of 2908	2812	crypted.exe	GoogleUpdate.exe
PID 2812 wrote to memory of 2908	2812	crypted.exe	GoogleUpdate.exe
PID 2812 wrote to memory of 2908	2812	crypted.exe	GoogleUpdate.exe
PID 2812 wrote to memory of 2384	2812	crypted.exe	SystemUser.exe
PID 2812 wrote to memory of 2384	2812	crypted.exe	SystemUser.exe
PID 2812 wrote to memory of 2384	2812	crypted.exe	SystemUser.exe
PID 2812 wrote to memory of 2384	2812	crypted.exe	SystemUser.exe
PID 2812 wrote to memory of 328	2812	crypted.exe	Update.exe
PID 2812 wrote to memory of 328	2812	crypted.exe	Update.exe
PID 2812 wrote to memory of 328	2812	crypted.exe	Update.exe
PID 2812 wrote to memory of 328	2812	crypted.exe	Update.exe
PID 2812 wrote to memory of 340	2812	crypted.exe	WerFault.exe
PID 2812 wrote to memory of 340	2812	crypted.exe	WerFault.exe
PID 2812 wrote to memory of 340	2812	crypted.exe	WerFault.exe
PID 2812 wrote to memory of 340	2812	crypted.exe	WerFault.exe
PID 1900 wrote to memory of 2892	1900	GoogIeUpdate.exe	GoogIeUpdate.exe
PID 1900 wrote to memory of 2892	1900	GoogIeUpdate.exe	GoogIeUpdate.exe
PID 1900 wrote to memory of 2892	1900	GoogIeUpdate.exe	GoogIeUpdate.exe
PID 2908 wrote to memory of 3044	2908	GoogleUpdate.exe	powershell.exe
PID 2908 wrote to memory of 3044	2908	GoogleUpdate.exe	powershell.exe
PID 2908 wrote to memory of 3044	2908	GoogleUpdate.exe	powershell.exe
PID 2908 wrote to memory of 3068	2908	GoogleUpdate.exe	powershell.exe
PID 2908 wrote to memory of 3068	2908	GoogleUpdate.exe	powershell.exe
PID 2908 wrote to memory of 3068	2908	GoogleUpdate.exe	powershell.exe
PID 2908 wrote to memory of 1968	2908	GoogleUpdate.exe	powershell.exe
PID 2908 wrote to memory of 1968	2908	GoogleUpdate.exe	powershell.exe
PID 2908 wrote to memory of 1968	2908	GoogleUpdate.exe	powershell.exe
PID 2908 wrote to memory of 1256	2908	GoogleUpdate.exe	powershell.exe
PID 2908 wrote to memory of 1256	2908	GoogleUpdate.exe	powershell.exe
PID 2908 wrote to memory of 1256	2908	GoogleUpdate.exe	powershell.exe
PID 2384 wrote to memory of 1844	2384	SystemUser.exe	cmd.exe
PID 2384 wrote to memory of 1844	2384	SystemUser.exe	cmd.exe
PID 2384 wrote to memory of 1844	2384	SystemUser.exe	cmd.exe
PID 1844 wrote to memory of 2068	1844	cmd.exe	chcp.com
PID 1844 wrote to memory of 2068	1844	cmd.exe	chcp.com
PID 1844 wrote to memory of 2068	1844	cmd.exe	chcp.com
PID 1844 wrote to memory of 1940	1844	cmd.exe	tasklist.exe
PID 1844 wrote to memory of 1940	1844	cmd.exe	tasklist.exe
PID 1844 wrote to memory of 1940	1844	cmd.exe	tasklist.exe
PID 1844 wrote to memory of 2144	1844	cmd.exe	find.exe
PID 1844 wrote to memory of 2144	1844	cmd.exe	find.exe
PID 1844 wrote to memory of 2144	1844	cmd.exe	find.exe
PID 1844 wrote to memory of 2240	1844	cmd.exe	timeout.exe
PID 1844 wrote to memory of 2240	1844	cmd.exe	timeout.exe
PID 1844 wrote to memory of 2240	1844	cmd.exe	timeout.exe
PID 2908 wrote to memory of 2216	2908	GoogleUpdate.exe	schtasks.exe
PID 2908 wrote to memory of 2216	2908	GoogleUpdate.exe	schtasks.exe
PID 2908 wrote to memory of 2216	2908	GoogleUpdate.exe	schtasks.exe
PID 1844 wrote to memory of 408	1844	cmd.exe	tasklist.exe
PID 1844 wrote to memory of 408	1844	cmd.exe	tasklist.exe
PID 1844 wrote to memory of 408	1844	cmd.exe	tasklist.exe
PID 1844 wrote to memory of 2480	1844	cmd.exe	find.exe
PID 1844 wrote to memory of 2480	1844	cmd.exe	find.exe
PID 1844 wrote to memory of 2480	1844	cmd.exe	find.exe
PID 1844 wrote to memory of 1628	1844	cmd.exe	timeout.exe
PID 1844 wrote to memory of 1628	1844	cmd.exe	timeout.exe
PID 1844 wrote to memory of 1628	1844	cmd.exe	timeout.exe
PID 1844 wrote to memory of 1976	1844	cmd.exe	tasklist.exe
PID 1844 wrote to memory of 1976	1844	cmd.exe	tasklist.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1184
- C:\Users\Admin\AppData\Local\Temp\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Roaming\GoogIeUpdate.exe
    "C:\Users\Admin\AppData\Roaming\GoogIeUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Users\Admin\AppData\Roaming\GoogIeUpdate.exe
      "C:\Users\Admin\AppData\Roaming\GoogIeUpdate.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2892
- - C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe
    "C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdate.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\systemuser'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemuser'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1256
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "systemuser" /tr "C:\Users\Admin\AppData\Roaming\systemuser"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2216
- - C:\Users\Admin\AppData\Roaming\SystemUser.exe
    "C:\Users\Admin\AppData\Roaming\SystemUser.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1DFC.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1DFC.tmp.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2068
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2144
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2240
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2480
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1628
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1496
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:612
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1504
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:836
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2224
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2460
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:660
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3036
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:760
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3020
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3008
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2356
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2488
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:684
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2152
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:408
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2332
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2192
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1004
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:892
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1760
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2484
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2824
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2840
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2868
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2928
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2584
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2972
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:340
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2712
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2812
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1536
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2604
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3032
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2196
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1636
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1248
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2292
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2084
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2784
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2788
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2768
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1208
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:792
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2668
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2176
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2988
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2368
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2932
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2420
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2992
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:3044
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2520
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:648
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2136
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2608
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:324
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2488
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1976
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1500
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1512
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1620
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2464
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1924
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:604
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3020
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1464
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2148
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2104
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1640
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2836
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2080
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2928
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2252
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2816
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1708
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2712
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2696
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2948
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2056
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2780
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2376
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2912
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1544
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2132
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2084
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2284
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2788
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2900
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1208
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:532
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2668
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2748
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2988
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1940
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2932
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1968
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2992
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2404
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2160
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1628
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2136
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:996
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:324
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:840
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1976
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1552
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1684
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:1620
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2020
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2464
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:632
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:3020
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1900
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:2148
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:408
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2200
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:2192
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1928
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1840
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:700
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:832
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1000
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:2060
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:884
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2896
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2824
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2836
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2852
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:1848
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:908
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2716
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:776
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1708
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:112
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:2712
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2696
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2948
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2604
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2452
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2576
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:2376
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1448
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2912
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:672
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:300
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1740
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:928
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1952
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2456
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2784
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2624
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2664
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:2900
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1208
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2952
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:400
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1524
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1508
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2748
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2732
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2512
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:1940
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2776
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1256
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:492
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2244
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3044
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2436
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2520
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:948
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:1628
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2356
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1532
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:3060
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:324
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2488
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:320
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2552
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1912
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:876
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1552
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1728
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2224
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2708
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:704
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1596
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1348
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2308
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1200
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:3036
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:2892
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:564
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:764
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:1416
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2352
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2724
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2088
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1640
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2592
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2080
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1484
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1592
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2288
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2972
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2096
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2716
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2736
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1708
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:3048
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:112
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2696
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:2812
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1608
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2604
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2780
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2396
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1064
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:2956
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2132
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2796
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:1500
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1212
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:1952
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2760
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2284
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        
        PID:2624
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2768
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1776
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:1208
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2952
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:1524
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2144
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:572
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        
        PID:2728
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2548
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2932
    - - C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2124
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2384"
        5⤵
        Enumerates processes with tasklist
        
        PID:2432
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:2384
- - C:\Users\Admin\AppData\Roaming\Update.exe
    "C:\Users\Admin\AppData\Roaming\Update.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 928
    3⤵
    - Program crash
    PID:340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ikwps#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2468
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ikwps#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineQC /tr 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2104
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1004

C:\Windows\system32\taskeng.exe
taskeng.exe {57D4BCAB-99F4-42D6-BFB6-B3D439596992} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:1676
- C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- C:\Users\Admin\AppData\Roaming\systemuser
  C:\Users\Admin\AppData\Roaming\systemuser
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Users\Admin\AppData\Roaming\systemuser
  C:\Users\Admin\AppData\Roaming\systemuser
  2⤵
  - Executes dropped EXE
  PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI19002\python312.dll

Filesize
6.6MB

MD5
b243d61f4248909bc721674d70a633de

SHA1
1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc

SHA256
93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7

SHA512
10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DFC.tmp.bat

Filesize
286B

MD5
197aa482e18265fad6de67db10eac23a

SHA1
a61a36839d358ca096d2c6cabb906e285bbfb90d

SHA256
54929ac8683d6a49f0d902a7b1e3da7645ccc55b95710ae8ca07b9093787306c

SHA512
8e7cfbd5e7d7697176a6468e327570e927e0abcd47e4e1ad20eedb7c3ae7f299eaeb1e4f16a4491c674ef8a1705f07a7dc2ed0a170c17ffe1206c2883d12eb49

Download Submit
C:\Users\Admin\AppData\Roaming\GoogIeUpdate.exe

Filesize
10.5MB

MD5
79d19e7b20c0a9f3ac172041dcf84c97

SHA1
2e8a9c7d1aac017c1fabae50677e5bedea55c16d

SHA256
6080208516fa0312f72202ff528cf3ae055fcec32049191c8b4043bdb52bf072

SHA512
1d3fa42566c332501300da43e462a68341f9fc5aa5328d1b57cbb947e9b3e3eaa86d3368f52e82e3294fff63dc53587fda070967fa9a533dc4f9497a71e72e35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8110431388798ea640def864df394d8e

SHA1
2c8b2786cbd20565a57cdbd076ca6140a28cf7cf

SHA256
134fd218fbd64d70deaaaa736ae306f7509485f701dcf8c24b2047677119eb82

SHA512
ec470a1ff7e75272f341a8df4937868115c8ec2e893559da75235ca09b4bd7538eb46225978cdf3c33eb288435567720bc364198c011c689cafadc8cfe1c4054

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe

Filesize
4.5MB

MD5
d62541056c52c0e1c88554fc7c58bd14

SHA1
4528261354cba0ef81a61ca2d7bc550fc5553f45

SHA256
6b02de0fe2eb386db9a8fcb66b29a1ffd6116a525d4b27afb45e274c0e0d8a90

SHA512
75c34e0a08bb06c2a8ca4418d8510e122c980a5da57cb8ffb24611020ef383d8abb05645f4564d137320afe78cecded3444d67896a4592943199c0244339ffc3

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
\Users\Admin\AppData\Roaming\GoogleUpdate.exe

Filesize
44KB

MD5
41f377b6179872f56267c7ecc450e068

SHA1
b3b31cae1c58ccb02f28c08d61c9713369d7b29f

SHA256
98e4a37dd2372325463f2db56d8a0963e068227df7c33f70029462e147f2cf85

SHA512
2182d76b3171553240af41238549f9dcb59f30f08eef77547358d06433431858423d9a626975137a8db65d9437711709a939648154ea49f0002ffb88f997067b

Download Submit
\Users\Admin\AppData\Roaming\SystemUser.exe

Filesize
5.6MB

MD5
0b0c16d5ce6cef9f530224a30e4a8a1e

SHA1
d7afbac2028ae91cefb55a1df08cafa8f8a4e595

SHA256
c0cfcdc584c81ebf99ac18c502e78ad0aee43a79fc49473e431de89a19985329

SHA512
62887cf0132c6642a17023fe5ab2cbc957318e39e9417ff4b716da91c69fc998c4427db22552293e5d493d6a9f286ffe56955756bfa8889fc7cbbd4bfc2b2229

Download Submit
memory/328-1016-0x000000013FBF0000-0x000000014006D000-memory.dmp

Filesize
4.5MB

Download
memory/328-1969-0x000000013FBF0000-0x000000014006D000-memory.dmp

Filesize
4.5MB

Download
memory/648-1995-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/1004-1991-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1424-1978-0x0000000001080000-0x0000000001092000-memory.dmp

Filesize
72KB

Download
memory/1576-1990-0x000000013F7F0000-0x000000013FC6D000-memory.dmp

Filesize
4.5MB

Download
memory/1576-1973-0x000000013F7F0000-0x000000013FC6D000-memory.dmp

Filesize
4.5MB

Download
memory/2384-147-0x0000000000310000-0x00000000008B2000-memory.dmp

Filesize
5.6MB

Download
memory/2812-983-0x00000000026B0000-0x0000000003B60000-memory.dmp

Filesize
20.7MB

Download
memory/2812-7-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2812-6-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2812-4-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2812-5-0x000000000C8B0000-0x000000000DD5E000-memory.dmp

Filesize
20.7MB

Download
memory/2812-2-0x00000000026B0000-0x0000000003B60000-memory.dmp

Filesize
20.7MB

Download
memory/2812-3-0x00000000741FE000-0x00000000741FF000-memory.dmp

Filesize
4KB

Download
memory/2812-0-0x00000000026B0000-0x0000000003B60000-memory.dmp

Filesize
20.7MB

Download
memory/2812-985-0x00000000011F0000-0x00000000026A9000-memory.dmp

Filesize
20.7MB

Download
memory/2812-986-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-131-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/3044-991-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/3044-992-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/3068-999-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/3068-998-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download