njrat | 61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6f

Analysis

max time kernel
120s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Size

543KB
MD5

5f388982adba14242c5e4ffcc388c1a0
SHA1

8f202feb5a674362826c1e6d8fc5b1a38f86c14b
SHA256

61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6f
SHA512

7ad25e82b45e24d7f76bb9ec3a4ed8dbf497a5f87f1a0f3913d12cf2e1950b4981efe04a3b97b22053ac49e03c75e6fcb2dff2b4fb74f4be088e2f616355e3b4
SSDEEP

12288:2iMmalyw9qfcaF52WgAIsAxOfqV42Rqol0M0pMsRNQSJGmENwMpV:nMigAm3lTaQ

Score

10^/10

njrat victim discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

Victim

kgb963.duckdns.org:1115

Mutex

svchost.exe

Attributes

reg_key
svchost.exe
splitter
|Ghost|

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\dllhost.exe"	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe\" .."	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe\" .."	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1472	schtasks.exe
3240	schtasks.exe
3604	schtasks.exe
2484	schtasks.exe
2476	schtasks.exe
4108	schtasks.exe
964	schtasks.exe
1504	schtasks.exe
2008	schtasks.exe
5008	schtasks.exe
2808	schtasks.exe
3768	schtasks.exe
1712	schtasks.exe
868	schtasks.exe
3332	schtasks.exe
4752	schtasks.exe
1536	schtasks.exe
440	schtasks.exe
2124	schtasks.exe
632	schtasks.exe
2360	schtasks.exe
3992	schtasks.exe
4020	schtasks.exe
2848	schtasks.exe
2264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeDebugPrivilege	1912	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeDebugPrivilege	440	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: 33	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
Token: SeIncBasePriorityPrivilege	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 3608	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	82
PID 4544 wrote to memory of 3608	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	82
PID 4544 wrote to memory of 3608	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	82
PID 4544 wrote to memory of 2484	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	84
PID 4544 wrote to memory of 2484	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	84
PID 4544 wrote to memory of 2484	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	84
PID 4544 wrote to memory of 4972	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	87
PID 4544 wrote to memory of 4972	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	87
PID 4544 wrote to memory of 4972	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	87
PID 4544 wrote to memory of 1536	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	89
PID 4544 wrote to memory of 1536	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	89
PID 4544 wrote to memory of 1536	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	89
PID 4544 wrote to memory of 4108	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	95
PID 4544 wrote to memory of 4108	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	95
PID 4544 wrote to memory of 4108	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	95
PID 4544 wrote to memory of 1472	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	97
PID 4544 wrote to memory of 1472	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	97
PID 4544 wrote to memory of 1472	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	97
PID 4544 wrote to memory of 4608	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	102
PID 4544 wrote to memory of 4608	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	102
PID 4544 wrote to memory of 4608	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	102
PID 4544 wrote to memory of 3240	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	104
PID 4544 wrote to memory of 3240	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	104
PID 4544 wrote to memory of 3240	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	104
PID 4544 wrote to memory of 1872	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	106
PID 4544 wrote to memory of 1872	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	106
PID 4544 wrote to memory of 1872	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	106
PID 4544 wrote to memory of 440	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	108
PID 4544 wrote to memory of 440	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	108
PID 4544 wrote to memory of 440	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	108
PID 4544 wrote to memory of 1324	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	111
PID 4544 wrote to memory of 1324	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	111
PID 4544 wrote to memory of 1324	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	111
PID 4544 wrote to memory of 2476	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	113
PID 4544 wrote to memory of 2476	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	113
PID 4544 wrote to memory of 2476	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	113
PID 4544 wrote to memory of 3792	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	116
PID 4544 wrote to memory of 3792	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	116
PID 4544 wrote to memory of 3792	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	116
PID 4544 wrote to memory of 2124	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	118
PID 4544 wrote to memory of 2124	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	118
PID 4544 wrote to memory of 2124	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	118
PID 4544 wrote to memory of 4612	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	120
PID 4544 wrote to memory of 4612	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	120
PID 4544 wrote to memory of 4612	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	120
PID 4544 wrote to memory of 632	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	122
PID 4544 wrote to memory of 632	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	122
PID 4544 wrote to memory of 632	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	122
PID 4544 wrote to memory of 3568	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	124
PID 4544 wrote to memory of 3568	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	124
PID 4544 wrote to memory of 3568	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	124
PID 4544 wrote to memory of 3604	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	126
PID 4544 wrote to memory of 3604	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	126
PID 4544 wrote to memory of 3604	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	126
PID 4544 wrote to memory of 3768	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	128
PID 4544 wrote to memory of 3768	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	128
PID 4544 wrote to memory of 3768	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	128
PID 4544 wrote to memory of 3332	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	130
PID 4544 wrote to memory of 3332	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	130
PID 4544 wrote to memory of 3332	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	130
PID 4544 wrote to memory of 3032	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	132
PID 4544 wrote to memory of 3032	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	132
PID 4544 wrote to memory of 3032	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	132
PID 4544 wrote to memory of 2360	4544	61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe	134

C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
"C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3608
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4972
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1536
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4108
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1472
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4608
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3240
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:440
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1324
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2476
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3792
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2124
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4612
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:632
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3568
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3604
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3768
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3332
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3032
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2360
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4812
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4108
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3436
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:964
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4192
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1504
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4532
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3992
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:656
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2008
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4976
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5008
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2808
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4428
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4020
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3672
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4752
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3768
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:928
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1712
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5060
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2848
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3852
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2264
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn "ChromeUpdate" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn "ChromeUpdate" /tr C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:868

C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
C:\Users\Admin\AppData\Local\Temp\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6fN.exe.log

Filesize
418B

MD5
50045c5c59ae3eb2db5452fb39e13335

SHA1
56226b40d4458df7e92f802381401e4183c97cb2

SHA256
b90b2a4ba2c69f094edce48807ad1873b1265c83795139fbf4576697fe65cae9

SHA512
bb20f9389e69e4a17fa254bd3b77212797f3be159ec6129b3a1501db3e24fb7b12096fbdbfcc93c24ecdb3cea88eae8a58e279b39c0777b6a4e9d4c15057faa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\dllhost.exe

Filesize
543KB

MD5
5f388982adba14242c5e4ffcc388c1a0

SHA1
8f202feb5a674362826c1e6d8fc5b1a38f86c14b

SHA256
61178fb2ef06748bddd20caddf6c63b8e591d0658b3cb29b901e655169411e6f

SHA512
7ad25e82b45e24d7f76bb9ec3a4ed8dbf497a5f87f1a0f3913d12cf2e1950b4981efe04a3b97b22053ac49e03c75e6fcb2dff2b4fb74f4be088e2f616355e3b4

Download Submit
memory/1912-20-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/1912-16-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/1912-15-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/4544-11-0x0000000005E20000-0x0000000005E2A000-memory.dmp

Filesize
40KB

Download
memory/4544-0-0x000000007535E000-0x000000007535F000-memory.dmp

Filesize
4KB

Download
memory/4544-10-0x0000000005E70000-0x0000000005F02000-memory.dmp

Filesize
584KB

Download
memory/4544-13-0x000000007535E000-0x000000007535F000-memory.dmp

Filesize
4KB

Download
memory/4544-14-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/4544-6-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/4544-3-0x0000000005520000-0x0000000005AC4000-memory.dmp

Filesize
5.6MB

Download
memory/4544-2-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

Filesize
624KB

Download
memory/4544-1-0x0000000000430000-0x00000000004BE000-memory.dmp

Filesize
568KB

Download