asyncrat | a6b4d63cfb361f2bbc15e1bb8861b183227f817d3a67fe5ab2b001a1e6011380

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	chrome.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	chrome.exe

VenomRAT 3 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d07-16.dat	VenomRAT
behavioral1/memory/2736-27-0x0000000001310000-0x0000000001344000-memory.dmp	VenomRAT
behavioral1/memory/1000-199-0x00000000012C0000-0x00000000012F4000-memory.dmp	VenomRAT

Venomrat family
venomrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000015cfd-12.dat	family_asyncrat
behavioral1/files/0x0008000000015d07-16.dat	family_asyncrat
behavioral1/files/0x00070000000191fd-329.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
308	powershell.exe
2028	powershell.exe
1628	powershell.exe
2000	powershell.exe
1960	powershell.exe
956	powershell.exe
2528	powershell.exe
1944	powershell.exe
3004	powershell.exe
2792	powershell.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk	chrome1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk	chrome1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk	chrome2.exe

Executes dropped EXE 13 IoCs

pid	Process
2552	G160.exe
2704	chrome.exe
2736	chrome vecom.exe
2812	chrome2.exe
2556	chrome1.exe
1000	svh.exe
2780	dcbqbe.exe
2148	lvastx.exe
1704	Defender.exe
2280	vnjist.exe
2988	razxwz.exe
1192	chrome.exe
2376	chrome.exe

Loads dropped DLL 4 IoCs

pid	Process
2760	04e428b8cc919452e07cae9081618efc.exe
1012	cmd.exe
1704	Defender.exe
1704	Defender.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 1 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	chrome.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\ProgramData\\chrome.exe"	chrome1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Local\\chrome.exe"	chrome2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2552	G160.exe
2552	G160.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	G160.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lvastx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
2344	timeout.exe
2988	timeout.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\	rundll32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2984	schtasks.exe
1772	schtasks.exe
2628	schtasks.exe
2056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	G160.exe
2704	chrome.exe
2736	chrome vecom.exe
2736	chrome vecom.exe
2736	chrome vecom.exe
2736	chrome vecom.exe
2736	chrome vecom.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
1960	powershell.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
956	powershell.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2528	powershell.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
1944	powershell.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1440	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	chrome2.exe
Token: SeDebugPrivilege	2556	chrome1.exe
Token: SeDebugPrivilege	2736	chrome vecom.exe
Token: SeDebugPrivilege	2704	chrome.exe
Token: SeDebugPrivilege	2736	chrome vecom.exe
Token: SeDebugPrivilege	2704	chrome.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1000	svh.exe
Token: SeDebugPrivilege	2556	chrome1.exe
Token: SeDebugPrivilege	1000	svh.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2812	chrome2.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2780	dcbqbe.exe
Token: SeDebugPrivilege	2148	lvastx.exe
Token: SeDebugPrivilege	1704	Defender.exe
Token: SeDebugPrivilege	1704	Defender.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2280	vnjist.exe
Token: SeDebugPrivilege	2988	razxwz.exe
Token: SeDebugPrivilege	1192	chrome.exe
Token: SeDebugPrivilege	2376	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2556	chrome1.exe
1000	svh.exe
2812	chrome2.exe
1440	AcroRd32.exe
1440	AcroRd32.exe
1704	Defender.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2552	2760	04e428b8cc919452e07cae9081618efc.exe	31
PID 2760 wrote to memory of 2552	2760	04e428b8cc919452e07cae9081618efc.exe	31
PID 2760 wrote to memory of 2552	2760	04e428b8cc919452e07cae9081618efc.exe	31
PID 2760 wrote to memory of 2704	2760	04e428b8cc919452e07cae9081618efc.exe	32
PID 2760 wrote to memory of 2704	2760	04e428b8cc919452e07cae9081618efc.exe	32
PID 2760 wrote to memory of 2704	2760	04e428b8cc919452e07cae9081618efc.exe	32
PID 2760 wrote to memory of 2736	2760	04e428b8cc919452e07cae9081618efc.exe	33
PID 2760 wrote to memory of 2736	2760	04e428b8cc919452e07cae9081618efc.exe	33
PID 2760 wrote to memory of 2736	2760	04e428b8cc919452e07cae9081618efc.exe	33
PID 2760 wrote to memory of 2812	2760	04e428b8cc919452e07cae9081618efc.exe	34
PID 2760 wrote to memory of 2812	2760	04e428b8cc919452e07cae9081618efc.exe	34
PID 2760 wrote to memory of 2812	2760	04e428b8cc919452e07cae9081618efc.exe	34
PID 2760 wrote to memory of 2556	2760	04e428b8cc919452e07cae9081618efc.exe	35
PID 2760 wrote to memory of 2556	2760	04e428b8cc919452e07cae9081618efc.exe	35
PID 2760 wrote to memory of 2556	2760	04e428b8cc919452e07cae9081618efc.exe	35
PID 2736 wrote to memory of 472	2736	chrome vecom.exe	36
PID 2736 wrote to memory of 472	2736	chrome vecom.exe	36
PID 2736 wrote to memory of 472	2736	chrome vecom.exe	36
PID 2736 wrote to memory of 2868	2736	chrome vecom.exe	38
PID 2736 wrote to memory of 2868	2736	chrome vecom.exe	38
PID 2736 wrote to memory of 2868	2736	chrome vecom.exe	38
PID 472 wrote to memory of 2984	472	cmd.exe	40
PID 472 wrote to memory of 2984	472	cmd.exe	40
PID 472 wrote to memory of 2984	472	cmd.exe	40
PID 2868 wrote to memory of 2988	2868	cmd.exe	41
PID 2868 wrote to memory of 2988	2868	cmd.exe	41
PID 2868 wrote to memory of 2988	2868	cmd.exe	41
PID 2556 wrote to memory of 1960	2556	chrome1.exe	42
PID 2556 wrote to memory of 1960	2556	chrome1.exe	42
PID 2556 wrote to memory of 1960	2556	chrome1.exe	42
PID 2556 wrote to memory of 956	2556	chrome1.exe	44
PID 2556 wrote to memory of 956	2556	chrome1.exe	44
PID 2556 wrote to memory of 956	2556	chrome1.exe	44
PID 2556 wrote to memory of 2528	2556	chrome1.exe	46
PID 2556 wrote to memory of 2528	2556	chrome1.exe	46
PID 2556 wrote to memory of 2528	2556	chrome1.exe	46
PID 2556 wrote to memory of 1944	2556	chrome1.exe	48
PID 2556 wrote to memory of 1944	2556	chrome1.exe	48
PID 2556 wrote to memory of 1944	2556	chrome1.exe	48
PID 2868 wrote to memory of 1000	2868	cmd.exe	50
PID 2868 wrote to memory of 1000	2868	cmd.exe	50
PID 2868 wrote to memory of 1000	2868	cmd.exe	50
PID 2556 wrote to memory of 1772	2556	chrome1.exe	51
PID 2556 wrote to memory of 1772	2556	chrome1.exe	51
PID 2556 wrote to memory of 1772	2556	chrome1.exe	51
PID 2704 wrote to memory of 1444	2704	chrome.exe	54
PID 2704 wrote to memory of 1444	2704	chrome.exe	54
PID 2704 wrote to memory of 1444	2704	chrome.exe	54
PID 1444 wrote to memory of 3004	1444	cmd.exe	56
PID 1444 wrote to memory of 3004	1444	cmd.exe	56
PID 1444 wrote to memory of 3004	1444	cmd.exe	56
PID 3004 wrote to memory of 352	3004	powershell.exe	57
PID 3004 wrote to memory of 352	3004	powershell.exe	57
PID 3004 wrote to memory of 352	3004	powershell.exe	57
PID 2812 wrote to memory of 308	2812	chrome2.exe	58
PID 2812 wrote to memory of 308	2812	chrome2.exe	58
PID 2812 wrote to memory of 308	2812	chrome2.exe	58
PID 2812 wrote to memory of 2028	2812	chrome2.exe	60
PID 2812 wrote to memory of 2028	2812	chrome2.exe	60
PID 2812 wrote to memory of 2028	2812	chrome2.exe	60
PID 2812 wrote to memory of 1628	2812	chrome2.exe	62
PID 2812 wrote to memory of 1628	2812	chrome2.exe	62
PID 2812 wrote to memory of 1628	2812	chrome2.exe	62
PID 2812 wrote to memory of 2000	2812	chrome2.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\04e428b8cc919452e07cae9081618efc.exe
"C:\Users\Admin\AppData\Local\Temp\04e428b8cc919452e07cae9081618efc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Roaming\G160.exe
  "C:\Users\Admin\AppData\Roaming\G160.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: EnumeratesProcesses
  PID:2552
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\stydin"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\stydin"'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\stydin
        5⤵
        Modifies registry class
        
        PID:352
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\stydin"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1440
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ecmwck"' & exit
    3⤵
    PID:1960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ecmwck"'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2792
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ecmwck
        5⤵
        Modifies registry class
        
        PID:2920
      - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ecmwck"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- C:\Users\Admin\AppData\Roaming\chrome vecom.exe
  "C:\Users\Admin\AppData\Roaming\chrome vecom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svh" /tr '"C:\Users\Admin\AppData\Roaming\svh.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svh" /tr '"C:\Users\Admin\AppData\Roaming\svh.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2984
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF882.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2988
  - - C:\Users\Admin\AppData\Roaming\svh.exe
      "C:\Users\Admin\AppData\Roaming\svh.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1000
- C:\Users\Admin\AppData\Roaming\chrome2.exe
  "C:\Users\Admin\AppData\Roaming\chrome2.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chrome2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "chrome" /tr "C:\Users\Admin\AppData\Local\chrome.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2628
- - C:\Users\Admin\AppData\Local\Temp\dcbqbe.exe
    "C:\Users\Admin\AppData\Local\Temp\dcbqbe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\lvastx.exe
    "C:\Users\Admin\AppData\Local\Temp\lvastx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Defender" /tr '"C:\Users\Admin\AppData\Roaming\Defender.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:2836
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Defender" /tr '"C:\Users\Admin\AppData\Roaming\Defender.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp671C.tmp.bat""
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1012
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2344
    - - C:\Users\Admin\AppData\Roaming\Defender.exe
        
        "C:\Users\Admin\AppData\Roaming\Defender.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1704
      - C:\Users\Admin\AppData\Local\Temp\vnjist.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vnjist.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
      - C:\Users\Admin\AppData\Local\Temp\razxwz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\razxwz.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
- C:\Users\Admin\AppData\Roaming\chrome1.exe
  "C:\Users\Admin\AppData\Roaming\chrome1.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chrome1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "chrome" /tr "C:\ProgramData\chrome.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1772

C:\Windows\system32\taskeng.exe
taskeng.exe {D478002C-D25A-4C95-8400-190AA06F23C0} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
PID:1656
- C:\Users\Admin\AppData\Local\chrome.exe
  C:\Users\Admin\AppData\Local\chrome.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Users\Admin\AppData\Local\chrome.exe
  C:\Users\Admin\AppData\Local\chrome.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry