Analysis
- max time kernel: 173s
- max time network: 263s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/11/2023, 20:34
- Static task: static1
- Behavioral task: behavioral1
  - Sample: RSS-Automatic.bat
  - Resource: win10v2004-20231020-en
General
- Target: RSS-Automatic.bat
- Size: 59KB
- MD5: bcbf0323a696a543284529e0d7b960a1
- SHA1: f633a0b3451f8f5d341ea020e6db38bf0a1bd1a4
- SHA256: ef6c8a51411f35865be131eeaca7a88f3c92c2ffcc2c252e2add253fa1c69323
- SHA512: 2d0b7fbefe70ffd879b8c20deeb69392b452e831f293e5746cb14d7676baaa9f000daab35b4e37809e891c766b1d97737920f93d83de319109d03af2e5f469d9
- SSDEEP: 768:aUG6gMeILenoN3iY6wMPd8AJJeydBTsEswLOqzZHdVf+lPy2u8:DGhIBCJeyvTsuTd+9yS
Malware Config
Signatures
- Enumerates processes with tasklist (1 TTP, 16 IoCs)
  tasklist.exe PIDs: 4992, 4552, 3236, 3052, 4696, 2280, 4388, 3672, 1156, 3752, 4036, 876, 1444, 1724, 1708, 4504
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings (powershell.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings (powershell.exe)
- Runs ping.exe (1 TTP, 2 IoCs)
  PING.EXE PIDs: 3764, 4704
- Suspicious behavior: EnumeratesProcesses (41 IoCs; one entry per event)
  powershell.exe PIDs: 4280 x2, 4880 x2, 4308 x2, 1996 x2, 3992 x3, 1684 x3, 1916 x3, 4756 x3, 3596 x2, 1860 x2, 1584 x2, 2736 x3, 4076 x3, 3128 x3, 2404 x3, 804 x3
- Suspicious use of AdjustPrivilegeToken (32 IoCs; every entry is Token: SeDebugPrivilege)
  powershell.exe PIDs: 4280, 4880, 4308, 1996, 3992, 1684, 1916, 4756, 3596, 1860, 1584, 2736, 4076, 3128, 2404, 804
  tasklist.exe PIDs: 1724, 1156, 1708, 3052, 4992, 4504, 4552, 3752, 3236, 4036, 4696, 2280, 4388, 876, 1444, 3672
- Suspicious use of WriteProcessMemory (64 IoCs; each parent/child pair is recorded twice, giving the 32 distinct rows below)
  source PID -> target PID | source process | procid_target
  4492 -> 4280 | cmd.exe | 84
  4280 -> 3880 | powershell.exe | 85
  3880 -> 2180 | cmd.exe | 88
  3880 -> 1724 | cmd.exe | 89
  3880 -> 3112 | cmd.exe | 90
  3880 -> 4704 | cmd.exe | 92
  3880 -> 4048 | cmd.exe | 106
  3880 -> 1860 | cmd.exe | 107
  3880 -> 1640 | cmd.exe | 108
  3880 -> 1984 | cmd.exe | 109
  1984 -> 1156 | cmd.exe | 110
  1984 -> 224 | cmd.exe | 111
  3880 -> 4880 | cmd.exe | 112
  3880 -> 4668 | cmd.exe | 113
  4668 -> 1708 | cmd.exe | 114
  4668 -> 2180 | cmd.exe | 115
  3880 -> 4308 | cmd.exe | 116
  3880 -> 3540 | cmd.exe | 117
  3540 -> 3052 | cmd.exe | 118
  3540 -> 868 | cmd.exe | 119
  3880 -> 1996 | cmd.exe | 120
  3880 -> 2788 | cmd.exe | 121
  2788 -> 4992 | cmd.exe | 123
  2788 -> 4772 | cmd.exe | 122
  3880 -> 3992 | cmd.exe | 124
  3880 -> 3560 | cmd.exe | 125
  3560 -> 4504 | cmd.exe | 126
  3560 -> 3552 | cmd.exe | 127
  3880 -> 1684 | cmd.exe | 128
  3880 -> 1408 | cmd.exe | 129
  1408 -> 4552 | cmd.exe | 130
  1408 -> 2032 | cmd.exe | 131
Processes (nested by parent; each entry gives the image path, PID, command line and the signatures it triggered)

- C:\Windows\system32\cmd.exe (PID 4492)
  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RSS-Automatic.bat"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4280)
    cmdline: powershell start -verb runas 'C:\Users\Admin\AppData\Local\Temp\RSS-Automatic.bat' am_admin
    signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 3880)
      cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RSS-Automatic.bat" am_admin
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\chcp.com (PID 2180)
        cmdline: chcp 65001
      - C:\Windows\system32\tasklist.exe (PID 1724)
        cmdline: tasklist /fi "ImageName eq Javaw.exe" /fo csv
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\find.exe (PID 3112)
        cmdline: find /I "Javaw"
      - C:\Windows\system32\PING.EXE (PID 4704)
        cmdline: ping localhost -n 3
        signatures: Runs ping.exe
      - C:\Windows\system32\curl.exe (PID 4048)
        cmdline: curl -o "C:\Users\Admin\AppData\Roaming\SS\AutomaticTools\Paladin.exe" "https://dl.paladin.ac"
      - C:\Windows\system32\chcp.com (PID 1860)
        cmdline: chcp 850
      - C:\Windows\system32\fsutil.exe (PID 1640)
        cmdline: fsutil dirty query C:
      - C:\Windows\system32\cmd.exe (PID 1984)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq dps" /fi "services eq dps" | findstr /i "svchost.exe"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\tasklist.exe (PID 1156)
          cmdline: tasklist /svc /fi "services eq dps" /fi "services eq dps"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\findstr.exe (PID 224)
          cmdline: findstr /i "svchost.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4880)
        cmdline: powershell -Command "$result = 'Process Not Running: DPS'; Write-Host $result
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 4668)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Sysmain" /fi "services eq Sysmain" | findstr /i "svchost.exe"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\tasklist.exe (PID 1708)
          cmdline: tasklist /svc /fi "services eq Sysmain" /fi "services eq Sysmain"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\findstr.exe (PID 2180)
          cmdline: findstr /i "svchost.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4308)
        cmdline: powershell -Command "$result = 'Process Not Running: Sysmain'; Write-Host $result
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 3540)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq PcaSvc" /fi "services eq PcaSvc" | findstr /i "svchost.exe"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\tasklist.exe (PID 3052)
          cmdline: tasklist /svc /fi "services eq PcaSvc" /fi "services eq PcaSvc"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\findstr.exe (PID 868)
          cmdline: findstr /i "svchost.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1996)
        cmdline: powershell -Command "$result = 'Process Not Running: PcaSvc'; Write-Host $result
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 2788)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Dusmsvc" /fi "services eq Dusmsvc" | findstr /i "svchost.exe"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\findstr.exe (PID 4772)
          cmdline: findstr /i "svchost.exe"
        - C:\Windows\system32\tasklist.exe (PID 4992)
          cmdline: tasklist /svc /fi "services eq Dusmsvc" /fi "services eq Dusmsvc"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3992)
        cmdline: powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 1904}; if ($process) { $result = 'Process Name: Dusmsvc ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 3560)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Eventlog" /fi "services eq Eventlog" | findstr /i "svchost.exe"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\tasklist.exe (PID 4504)
          cmdline: tasklist /svc /fi "services eq Eventlog" /fi "services eq Eventlog"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\findstr.exe (PID 3552)
          cmdline: findstr /i "svchost.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1684)
        cmdline: powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 1300}; if ($process) { $result = 'Process Name: Eventlog ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 1408)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Appinfo" /fi "services eq Appinfo" | findstr /i "svchost.exe"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\tasklist.exe (PID 4552)
          cmdline: tasklist /svc /fi "services eq Appinfo" /fi "services eq Appinfo"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\findstr.exe (PID 2032)
          cmdline: findstr /i "svchost.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1916)
        cmdline: powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 3108}; if ($process) { $result = 'Process Name: Appinfo ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 4688)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq DcomLaunch" /fi "services eq DcomLaunch" | findstr /i "svchost.exe"
        - C:\Windows\system32\tasklist.exe (PID 3752)
          cmdline: tasklist /svc /fi "services eq DcomLaunch" /fi "services eq DcomLaunch"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\findstr.exe (PID 3576)
          cmdline: findstr /i "svchost.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4756)
        cmdline: powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 796}; if ($process) { $result = 'Process Name: BAM ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\rundll32.exe (PID 4064)
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Windows\system32\cmd.exe (PID 3740)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RSS-Automatic.bat" "
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3596)
    cmdline: powershell start -verb runas '"C:\Users\Admin\AppData\Local\Temp\RSS-Automatic.bat"' am_admin
    signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (PID 4204)
      cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RSS-Automatic.bat" am_admin
      - C:\Windows\system32\chcp.com (PID 2900)
        cmdline: chcp 65001
      - C:\Windows\system32\tasklist.exe (PID 3236)
        cmdline: tasklist /fi "ImageName eq Javaw.exe" /fo csv
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\find.exe (PID 4236)
        cmdline: find /I "Javaw"
      - C:\Windows\system32\PING.EXE (PID 3764)
        cmdline: ping localhost -n 3
        signatures: Runs ping.exe
      - C:\Windows\system32\chcp.com (PID 4312)
        cmdline: chcp 850
      - C:\Windows\system32\fsutil.exe (PID 2220)
        cmdline: fsutil dirty query C:
      - C:\Windows\system32\cmd.exe (PID 2420)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq dps" /fi "services eq dps" | findstr /i "svchost.exe"
        - C:\Windows\system32\tasklist.exe (PID 4036)
          cmdline: tasklist /svc /fi "services eq dps" /fi "services eq dps"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\findstr.exe (PID 3956)
          cmdline: findstr /i "svchost.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1860)
        cmdline: powershell -Command "$result = 'Process Not Running: DPS'; Write-Host $result
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 3716)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Sysmain" /fi "services eq Sysmain" | findstr /i "svchost.exe"
        - C:\Windows\system32\tasklist.exe (PID 4696)
          cmdline: tasklist /svc /fi "services eq Sysmain" /fi "services eq Sysmain"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\findstr.exe (PID 2852)
          cmdline: findstr /i "svchost.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1584)
        cmdline: powershell -Command "$result = 'Process Not Running: Sysmain'; Write-Host $result
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 3288)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq PcaSvc" /fi "services eq PcaSvc" | findstr /i "svchost.exe"
        - C:\Windows\system32\tasklist.exe (PID 2280)
          cmdline: tasklist /svc /fi "services eq PcaSvc" /fi "services eq PcaSvc"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\findstr.exe (PID 4484)
          cmdline: findstr /i "svchost.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2736)
        cmdline: powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 2476}; if ($process) { $result = 'Process Name: PcaSvc ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 2604)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Dusmsvc" /fi "services eq Dusmsvc" | findstr /i "svchost.exe"
        - C:\Windows\system32\tasklist.exe (PID 4388)
          cmdline: tasklist /svc /fi "services eq Dusmsvc" /fi "services eq Dusmsvc"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\findstr.exe (PID 4840)
          cmdline: findstr /i "svchost.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4076)
        cmdline: powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 1904}; if ($process) { $result = 'Process Name: Dusmsvc ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 3116)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Eventlog" /fi "services eq Eventlog" | findstr /i "svchost.exe"
        - C:\Windows\system32\tasklist.exe (PID 876)
          cmdline: tasklist /svc /fi "services eq Eventlog" /fi "services eq Eventlog"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\findstr.exe (PID 3840)
          cmdline: findstr /i "svchost.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3128)
        cmdline: powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 1300}; if ($process) { $result = 'Process Name: Eventlog ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 3492)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq Appinfo" /fi "services eq Appinfo" | findstr /i "svchost.exe"
        - C:\Windows\system32\tasklist.exe (PID 1444)
          cmdline: tasklist /svc /fi "services eq Appinfo" /fi "services eq Appinfo"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\findstr.exe (PID 1464)
          cmdline: findstr /i "svchost.exe"
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2404)
        cmdline: powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 3108}; if ($process) { $result = 'Process Name: Appinfo ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 4236)
        cmdline: C:\Windows\system32\cmd.exe /c tasklist /svc /fi "services eq DcomLaunch" /fi "services eq DcomLaunch" | findstr /i "svchost.exe"
        - C:\Windows\system32\findstr.exe (PID 3088)
          cmdline: findstr /i "svchost.exe"
        - C:\Windows\system32\tasklist.exe (PID 3672)
          cmdline: tasklist /svc /fi "services eq DcomLaunch" /fi "services eq DcomLaunch"
          signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 804)
        cmdline: powershell -Command "$process = Get-Process | Where-Object {$_.Id -eq 796}; if ($process) { $result = 'Process Name: BAM ' + ' Start Time: ' + $process.StartTime; Write-Host $result}"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
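Both execution trees above show the same chain: cmd.exe runs the .bat, the .bat re-launches itself through `powershell start -verb runas` (a UAC elevation request), the elevated copy looks for Javaw.exe with tasklist, fetches Paladin.exe with curl into %APPDATA%\SS\AutomaticTools (first tree only), runs `fsutil dirty query C:`, then asks `tasklist /svc` whether svchost.exe hosts each of DPS, SysMain, PcaSvc, DusmSvc, EventLog, Appinfo and DcomLaunch and has PowerShell report the start time of hard-coded PIDs. The Python below is an added example, not code from this report or from the analysed script: it encodes that chain as four detection rules and runs them over process-creation records transcribed from the first tree (a constructed subset; parent PIDs are taken from the tree nesting and the WriteProcessMemory table; the service watch-list, the rule names and the threshold of three services are this example's own assumptions, not something the report defines).

```python
"""Detection rules for the behaviour chain in this report, run over constructed
process-creation records (added example; not code from the report or the sample)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Services the sample probes with `tasklist /svc /fi "services eq <name>"`.
# Assumption of this example: use them as a watch-list; the report defines none.
WATCHED_SERVICES = {"dps", "sysmain", "pcasvc", "dusmsvc", "eventlog",
                    "appinfo", "dcomlaunch", "bam"}
PROBE_THRESHOLD = 3  # assumption: >= 3 distinct watched services from one tree alerts

SERVICE_FILTER_RE = re.compile(r'services\s+eq\s+([\w-]+)', re.I)
RUNAS_RE = re.compile(r'-verb\s+runas\b', re.I)
CURL_OUTPUT_RE = re.compile(r'(?:^|\s)-o\s+"?([^"\s]+)"?', re.I)
URL_RE = re.compile(r'https?://[^\s"]+', re.I)
DIRTY_QUERY_RE = re.compile(r'\bdirty\s+query\b', re.I)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: pid, parent pid, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return PureWindowsPath(self.image).name.lower()


def root_of(pid: int, by_pid: dict) -> int:
    """Follow parent links until the parent is unknown; that ancestor identifies the tree."""
    seen = set()
    while pid not in seen and pid in by_pid and by_pid[pid].ppid in by_pid:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def probed_services(events) -> dict:
    """Map each tree (root pid) to the sorted watched services its tasklist.exe children queried."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(set)
    for e in events:
        if e.name != "tasklist.exe":
            continue
        for svc in SERVICE_FILTER_RE.findall(e.cmdline):
            if svc.lower() in WATCHED_SERVICES:
                hits[root_of(e.pid, by_pid)].add(svc.lower())
    return {root: sorted(s) for root, s in hits.items()}


def analyze(events) -> dict:
    """Return {rule_name: [finding, ...]} for the four rules the process tree suggests."""
    by_pid = {e.pid: e for e in events}
    findings = defaultdict(list)
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: cmd.exe -> powershell "start -verb runas": a script re-launching itself elevated.
        if e.name == "powershell.exe" and RUNAS_RE.search(e.cmdline) and parent and parent.name == "cmd.exe":
            findings["uac_self_elevation"].append(f"pid {e.pid} (parent cmd.exe {parent.pid}): {e.cmdline}")
        # Rule 2: curl writing its download somewhere under the user's AppData tree.
        if e.name == "curl.exe":
            out = CURL_OUTPUT_RE.search(e.cmdline)
            url = URL_RE.search(e.cmdline)
            if out and "\\appdata\\" in out.group(1).lower():
                findings["download_to_appdata"].append(
                    f"pid {e.pid}: {url.group(0) if url else '?'} -> {out.group(1)}")
        # Rule 3: fsutil dirty query (volume dirty-bit check; once per tree in this report).
        if e.name == "fsutil.exe" and DIRTY_QUERY_RE.search(e.cmdline):
            findings["fsutil_dirty_query"].append(f"pid {e.pid}: {e.cmdline}")
    # Rule 4: a burst of "which svchost hosts service X" probes against the watch-list from one tree.
    for root, services in probed_services(events).items():
        if len(services) >= PROBE_THRESHOLD:
            findings["forensic_service_probe_burst"].append(
                f"root pid {root}: {len(services)} watched services probed: {', '.join(services)}")
    return dict(findings)


CMD = r"C:\Windows\system32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TASKLIST = r"C:\Windows\system32\tasklist.exe"
BAT = r"C:\Users\Admin\AppData\Local\Temp\RSS-Automatic.bat"

# Constructed sample: a subset of the first tree above, transcribed by hand (ppid 0 = unknown).
SAMPLE_EVENTS = [
    ProcEvent(4492, 0, CMD, f'{CMD} /c "{BAT}"'),
    ProcEvent(4280, 4492, PS, f"powershell start -verb runas '{BAT}' am_admin"),
    ProcEvent(3880, 4280, CMD, f'"{CMD}" /C "{BAT}" am_admin'),
    ProcEvent(1724, 3880, TASKLIST, 'tasklist /fi "ImageName eq Javaw.exe" /fo csv'),
    ProcEvent(4048, 3880, r"C:\Windows\system32\curl.exe",
              r'curl -o "C:\Users\Admin\AppData\Roaming\SS\AutomaticTools\Paladin.exe" "https://dl.paladin.ac"'),
    ProcEvent(1640, 3880, r"C:\Windows\system32\fsutil.exe", "fsutil dirty query C:"),
]
for wrapper_pid, tasklist_pid, svc in [(1984, 1156, "dps"), (4668, 1708, "Sysmain"),
                                       (3540, 3052, "PcaSvc"), (2788, 4992, "Dusmsvc"),
                                       (3560, 4504, "Eventlog"), (1408, 4552, "Appinfo"),
                                       (4688, 3752, "DcomLaunch")]:
    probe = f'tasklist /svc /fi "services eq {svc}" /fi "services eq {svc}"'
    SAMPLE_EVENTS.append(ProcEvent(wrapper_pid, 3880, CMD, f'{CMD} /c {probe} | findstr /i "svchost.exe"'))
    SAMPLE_EVENTS.append(ProcEvent(tasklist_pid, wrapper_pid, TASKLIST, probe))

if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_EVENTS).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

Rule 4 groups by the root of the process tree rather than by direct parent because, as the tree shows, every probe is wrapped in its own `cmd.exe /c ... | findstr` child, so the seven tasklist.exe processes never share a parent; grouping by root is what makes the burst visible. Real telemetry (Sysmon event 1, EDR process events) carries the same four fields used here.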
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files; size and hashes only, no file names were captured)
- 2KB
  MD5: 6cf293cb4d80be23433eecf74ddb5503
  SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
- 1KB
  MD5: 91a39b91c2b22ff00c12e56878baa09b
  SHA1: e19e669a9c2c8fec9fb699c4c76384a105471bda
  SHA256: 931a2eaa61178581995773a9da78f4bfd76ad27c29b44442fa1329b384a0cd96
  SHA512: 59df651f9cab1c7b960e22d8207766cef07393b33d42f2b759bf4043cd63f2abaf08f9e1b419c6a126fb51a98468d15d34ba09caac46dfbc1a1b658c513aa2b0
- 1KB
  MD5: 1c6fde2dec167fbabaa0168aebc5e3ef
  SHA1: ee72f321c123219f5c411cca491333af848512e1
  SHA256: 35076ea62c75739f2f1434d3cdde5f975e332a13210ffab2ab63a975f300fbc9
  SHA512: 59221096ca0c2311844e5a845bddc0e1050224f1c094592216654342aa90cfd4f15e72927f63412b3b1d3b1960df960dbd6a371fb3d5a113998c7bda72eb07d5
- 1KB
  MD5: 91a39b91c2b22ff00c12e56878baa09b
  SHA1: e19e669a9c2c8fec9fb699c4c76384a105471bda
  SHA256: 931a2eaa61178581995773a9da78f4bfd76ad27c29b44442fa1329b384a0cd96
  SHA512: 59df651f9cab1c7b960e22d8207766cef07393b33d42f2b759bf4043cd63f2abaf08f9e1b419c6a126fb51a98468d15d34ba09caac46dfbc1a1b658c513aa2b0
- 64B
  MD5: f635ff85489c6a33ce5fec6d950b7de1
  SHA1: 2248fc36e2205873fe8eb0770760c5a9e818ef68
  SHA256: 86fe05491a248fe13867acd2679e919e148b936c7774e240191438031963d3d3
  SHA512: e392d2de377a9a1cec64d8b83183189612609af42b214f741807ce85f68e225fd4a1e10579bf782d2ddb7430e01b0e3a2d69c7934ef34aba1f55cdd90230c923
- 1KB
  MD5: 1dffbab5ecc6d06e8b259ad505a0dc2a
  SHA1: 0938ec61e4af55d7ee9d12708fdc55c72ccb090c
  SHA256: a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e
  SHA512: 93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76
- 1KB
  MD5: c8ec8592e51b12e0530cfdb1401c5c4e
  SHA1: 9fca163abda1047dd3b02766ba2e98c1ee401a4b
  SHA256: c111a4b222164232daa8d725cfade5b95cf90a316a974f09ebd95a13953e65e0
  SHA512: b675a9b7a1b16dcc0f0e42d8a1def3f5d232c8d20322a52649d2beb82ae4fcc0eb94e59e60ddf22810e79f083baf372289fc8c92e2acf330e070f40a2aefcf94
- 1KB
  MD5: e2b74f17e7a64857f2fd10d8400cf1cb
  SHA1: 38ac71a4337158a10b429b749cd2e1e123910c59
  SHA256: 2d5e9335b7b72d168238c1b8a61501db4ace2c916b66ee0e1d982b2868e04600
  SHA512: 4a382921a8846af227b2d76b3296df30772f0a1926bc3f5ece34b063d345755003dc01da1cd5e19702aadb913a3fab1c95c68a37041af0b89013441eaed3a0b7
- 1KB
  MD5: 0f2485420dbf4dae87e7ee16ce390432
  SHA1: 53efb489759d89974d5a107d6111a748ce465917
  SHA256: 41d86cd7da461064e79a7df628d2e556c50cd48a938b4d7ad32154949c2e64ab
  SHA512: 57f4dac261fa43673e0ba732da35cac1f4b6da4efb258e6109c16b0c92adb137b8b4d989024c61cee13e84c47105d85000eb9f612277182f9613767b6cd9fd4e
- 1KB
  MD5: bf3dcec964b0d1a9864ab2188050c7ea
  SHA1: e79641ad44523a0174525e5c929b9e4af8a456fd
  SHA256: cc0fe5f7025b37af1283a6b4709f1309293285786c1f67f19135e10077521530
  SHA512: 1bbdf6546666ea766708002747b5d298fbd7e9af457cf77436b6458bb21e585344146f5d96e6ea2560f5afb15e3e221ab68b4a66729609741b0cc27df435f14f
- 1KB
  MD5: e95a9b0c3e66170df349f2f4758771b5
  SHA1: c8e38bdb3d02d17ca9856be112dd003ef094089f
  SHA256: f6b29c545d3813ff4c9d4f7ce6ee3f2e4af2cbc0b11b86a464832011b412f877
  SHA512: 53a349d092e3f5d4b9bcd44c5a82a2da1315acc7cd950b19b6ec767095f1ad9df0955863c504bcac0d0a89609c6ce7863156d84c2fd6940527ceea4de48b0fc0
- 64B
  MD5: a6c9d692ed2826ecb12c09356e69cc09
  SHA1: def728a6138cf083d8a7c61337f3c9dade41a37f
  SHA256: a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
  SHA512: 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3
- 1KB
  MD5: 1dffbab5ecc6d06e8b259ad505a0dc2a
  SHA1: 0938ec61e4af55d7ee9d12708fdc55c72ccb090c
  SHA256: a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e
  SHA512: 93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76
- 1KB
  MD5: e3d23c68f4da40db7fd0f82123e98b16
  SHA1: d84df60ccfe3fecdad6a2b551d077840a07cc3bb
  SHA256: 1d9ad2468abcb3e2a2b3150f0d60c032cbc9c859fca1ee784cb22154aabbef3e
  SHA512: 13e69db186ace2f1d72106d699c1805f7ea166744ddb02b4e4ee6a9090b1d58f3fda7ffd6020e3e45df5989a991fcda16ee0ba860dda5afc4f2d33990efcf250
- 1KB
  MD5: 0dbae7bd4b2586dcdd9b815408750a98
  SHA1: c90f9be1442b1159f35b9ad7d0e5bc7891ae4598
  SHA256: 8259212c64f10d1b2d2f4c9322efa9a0dcc982eaa1f92a4cf9859b6b67bc01db
  SHA512: 6acce90bdd9aa982826d4b1c915d61a39a4bb72480c2b86e7bc76f700541832897d95fb5b9c181f9a74f2da14b0a655244d653c429e1fe3038e03d2714ecf4c4
- 1KB
  MD5: d910cf73795a458561f955775a11281a
  SHA1: beb94de06b1b3cebcd2932a1c6164720c83d1662
  SHA256: 1376f0377beb680b9cea0223c387c37487efde87027ae42c485d34b627e0f5b7
  SHA512: 429a346f91d865b60cb1ae108579d2e9602dd78e6c67f31b4cb271fcda008333b1ca43e5989f91d0a353255adabef4c353198069b21d93f80c129516d94c08ec
- 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- 11KB
  MD5: 91ab1f5e3d2e2cbfccb50c6d32de8c10
  SHA1: 4b31fad41372f637ece3a1ce2d8e14ea7e92fbad
  SHA256: 5b973ca7abef755863bcf303f97cf885f675c23fbc022c0d47ce82606c98ec97
  SHA512: 4a9f6ed998f4f2127127f5bd552d3897f626f9a21d5e3d3cc7e0c10cb3d00e5b9e554af59ba6b7b7cbefd14671767b23db0ba374915ea370b0c3141603d5d793