njrat | 5cf0d331c890274f77c18eb8a90d911a50f452515371abbe47863413fac0838a

System Information Discovery

persistence privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	injection.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 6 IoCs

pid	Process
2676	SearchApp.exe
1752	XClient.exe
4292	Server.exe
2640	1.exe
3876	XClient.exe
4932	XClient.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cebbc17108ba69818fc4a0b0ed3bb871 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1.exe\" .."	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cebbc17108ba69818fc4a0b0ed3bb871 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1.exe\" .."	1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1956	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133806762190947297"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
976	powershell.exe
976	powershell.exe
3724	powershell.exe
3724	powershell.exe
3372	powershell.exe
3372	powershell.exe
4684	powershell.exe
4684	powershell.exe
300	powershell.exe
300	powershell.exe
816	powershell.exe
816	powershell.exe
1752	XClient.exe
2084	chrome.exe
2084	chrome.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	injection.exe
Token: SeBackupPrivilege	636	vssvc.exe
Token: SeRestorePrivilege	636	vssvc.exe
Token: SeAuditPrivilege	636	vssvc.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeIncreaseQuotaPrivilege	976	powershell.exe
Token: SeSecurityPrivilege	976	powershell.exe
Token: SeTakeOwnershipPrivilege	976	powershell.exe
Token: SeLoadDriverPrivilege	976	powershell.exe
Token: SeSystemProfilePrivilege	976	powershell.exe
Token: SeSystemtimePrivilege	976	powershell.exe
Token: SeProfSingleProcessPrivilege	976	powershell.exe
Token: SeIncBasePriorityPrivilege	976	powershell.exe
Token: SeCreatePagefilePrivilege	976	powershell.exe
Token: SeBackupPrivilege	976	powershell.exe
Token: SeRestorePrivilege	976	powershell.exe
Token: SeShutdownPrivilege	976	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeSystemEnvironmentPrivilege	976	powershell.exe
Token: SeRemoteShutdownPrivilege	976	powershell.exe
Token: SeUndockPrivilege	976	powershell.exe
Token: SeManageVolumePrivilege	976	powershell.exe
Token: 33	976	powershell.exe
Token: 34	976	powershell.exe
Token: 35	976	powershell.exe
Token: 36	976	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeIncreaseQuotaPrivilege	3724	powershell.exe
Token: SeSecurityPrivilege	3724	powershell.exe
Token: SeTakeOwnershipPrivilege	3724	powershell.exe
Token: SeLoadDriverPrivilege	3724	powershell.exe
Token: SeSystemProfilePrivilege	3724	powershell.exe
Token: SeSystemtimePrivilege	3724	powershell.exe
Token: SeProfSingleProcessPrivilege	3724	powershell.exe
Token: SeIncBasePriorityPrivilege	3724	powershell.exe
Token: SeCreatePagefilePrivilege	3724	powershell.exe
Token: SeBackupPrivilege	3724	powershell.exe
Token: SeRestorePrivilege	3724	powershell.exe
Token: SeShutdownPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeSystemEnvironmentPrivilege	3724	powershell.exe
Token: SeRemoteShutdownPrivilege	3724	powershell.exe
Token: SeUndockPrivilege	3724	powershell.exe
Token: SeManageVolumePrivilege	3724	powershell.exe
Token: 33	3724	powershell.exe
Token: 34	3724	powershell.exe
Token: 35	3724	powershell.exe
Token: 36	3724	powershell.exe
Token: SeDebugPrivilege	2676	SearchApp.exe
Token: SeDebugPrivilege	2676	SearchApp.exe
Token: SeDebugPrivilege	1752	XClient.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeIncreaseQuotaPrivilege	3372	powershell.exe
Token: SeSecurityPrivilege	3372	powershell.exe
Token: SeTakeOwnershipPrivilege	3372	powershell.exe
Token: SeLoadDriverPrivilege	3372	powershell.exe
Token: SeSystemProfilePrivilege	3372	powershell.exe
Token: SeSystemtimePrivilege	3372	powershell.exe
Token: SeProfSingleProcessPrivilege	3372	powershell.exe
Token: SeIncBasePriorityPrivilege	3372	powershell.exe
Token: SeCreatePagefilePrivilege	3372	powershell.exe
Token: SeBackupPrivilege	3372	powershell.exe
Token: SeRestorePrivilege	3372	powershell.exe
Token: SeShutdownPrivilege	3372	powershell.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe
5728	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1752	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 976	4112	injection.exe	84
PID 4112 wrote to memory of 976	4112	injection.exe	84
PID 4112 wrote to memory of 3724	4112	injection.exe	87
PID 4112 wrote to memory of 3724	4112	injection.exe	87
PID 4112 wrote to memory of 4800	4112	injection.exe	91
PID 4112 wrote to memory of 4800	4112	injection.exe	91
PID 4800 wrote to memory of 1956	4800	cmd.exe	93
PID 4800 wrote to memory of 1956	4800	cmd.exe	93
PID 2676 wrote to memory of 1752	2676	SearchApp.exe	94
PID 2676 wrote to memory of 1752	2676	SearchApp.exe	94
PID 2676 wrote to memory of 4292	2676	SearchApp.exe	95
PID 2676 wrote to memory of 4292	2676	SearchApp.exe	95
PID 2676 wrote to memory of 4292	2676	SearchApp.exe	95
PID 1752 wrote to memory of 3372	1752	XClient.exe	98
PID 1752 wrote to memory of 3372	1752	XClient.exe	98
PID 1752 wrote to memory of 4684	1752	XClient.exe	100
PID 1752 wrote to memory of 4684	1752	XClient.exe	100
PID 1752 wrote to memory of 300	1752	XClient.exe	103
PID 1752 wrote to memory of 300	1752	XClient.exe	103
PID 1752 wrote to memory of 816	1752	XClient.exe	105
PID 1752 wrote to memory of 816	1752	XClient.exe	105
PID 4292 wrote to memory of 2640	4292	Server.exe	107
PID 4292 wrote to memory of 2640	4292	Server.exe	107
PID 4292 wrote to memory of 2640	4292	Server.exe	107
PID 1752 wrote to memory of 828	1752	XClient.exe	109
PID 1752 wrote to memory of 828	1752	XClient.exe	109
PID 2640 wrote to memory of 2432	2640	1.exe	114
PID 2640 wrote to memory of 2432	2640	1.exe	114
PID 2640 wrote to memory of 2432	2640	1.exe	114
PID 2084 wrote to memory of 1496	2084	chrome.exe	120
PID 2084 wrote to memory of 1496	2084	chrome.exe	120
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4280	2084	chrome.exe	121
PID 2084 wrote to memory of 4544	2084	chrome.exe	122
PID 2084 wrote to memory of 4544	2084	chrome.exe	122
PID 2084 wrote to memory of 5084	2084	chrome.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\injection.exe
"C:\Users\Admin\AppData\Local\Temp\injection.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9A8A.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Users\Admin\AppData\Roaming\SearchApp.exe
"C:\Users\Admin\AppData\Roaming\SearchApp.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:816
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:828
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\1.exe" "1.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2432

C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
1⤵
- Executes dropped EXE
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff9fb17cc40,0x7ff9fb17cc4c,0x7ff9fb17cc58
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2064,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1904,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1792,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1628 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5168,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5600,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5620,i,7286792255822232571,6905122098369643129,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5756 /prefetch:2
  2⤵
  PID:5420

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:788

C:\Users\Admin\AppData\Roaming\XClient.exe
"C:\Users\Admin\AppData\Roaming\XClient.exe"
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5472

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5608

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery