bdad3c5e278a03a2f3109b84708819cc6a1f9f02ab1e83f07603f63f9916d6ce

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/01/2024, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

genshin_global.exe
Size

37.9MB
MD5

82ebc7d0252a5361d7ca066be6551b93
SHA1

8f33fbbdd51b5dc5339c0eb2e414860cf6f04fd9
SHA256

bdad3c5e278a03a2f3109b84708819cc6a1f9f02ab1e83f07603f63f9916d6ce
SHA512

260777c752cb2d14f7c0f667c81f4a4c9d54331cfe5b574609c073180458bff25f0db1dc81bd4023df32d34a9856ec0f10e6feaf6966a2567aa9fc37f203704b
SSDEEP

786432:WQgBUWLP5jxIkTcypX3maertehppms20j17CfCCw6EGLdWiovCah5e7Y:TAUW1FIkwYXWjepmEj1yCDGLdW3aaPek

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	644	schtasks.exe	34

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
1800	svchost.exe

Executes dropped EXE 7 IoCs

pid	Process
2724	gn_HypersurrogatesavesDhcp.exe
2880	conhost_gm.exe
2756	svchost.exe
1800	svchost.exe
2820	wininit.exe
480	Process not Found
1744	VC_redist.x64.exe

Loads dropped DLL 7 IoCs

pid	Process
2028	w32tm.exe
2028	w32tm.exe
2028	w32tm.exe
2028	w32tm.exe
2028	w32tm.exe
2756	svchost.exe
480	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ipinfo.io
11	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	conhost_gm.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	VC_redist.x64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2028	genshin_global.exe
2756	svchost.exe
2756	svchost.exe
1800	svchost.exe
1800	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 1932	1744	VC_redist.x64.exe	89

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\dllhost.exe	gn_HypersurrogatesavesDhcp.exe
File opened for modification	C:\Program Files\DVD Maker\dllhost.exe	gn_HypersurrogatesavesDhcp.exe
File created	C:\Program Files\DVD Maker\5940a34987c991	gn_HypersurrogatesavesDhcp.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\wininit.exe	gn_HypersurrogatesavesDhcp.exe
File created	C:\Windows\fr-FR\56085415360792	gn_HypersurrogatesavesDhcp.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2328	sc.exe
1408	sc.exe
2696	sc.exe
1436	sc.exe
1592	sc.exe
952	sc.exe
912	sc.exe
2008	sc.exe
896	sc.exe
1136	sc.exe
1568	sc.exe
2780	sc.exe
2424	sc.exe
1052	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1652	schtasks.exe
576	schtasks.exe
2324	schtasks.exe
452	schtasks.exe
2836	schtasks.exe
1472	schtasks.exe
1280	schtasks.exe
716	schtasks.exe
2008	schtasks.exe
2388	schtasks.exe
1536	schtasks.exe
852	schtasks.exe
932	schtasks.exe
1612	schtasks.exe
2516	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 807869d82546da01	powershell.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	wininit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	wininit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	wininit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	wininit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	wininit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	powershell.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe
2724	gn_HypersurrogatesavesDhcp.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	gn_HypersurrogatesavesDhcp.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeIncBasePriorityPrivilege	2756	svchost.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	2428	conhost.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	2820	wininit.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeShutdownPrivilege	1032	powercfg.exe
Token: SeShutdownPrivilege	2928	powercfg.exe
Token: SeShutdownPrivilege	296	powercfg.exe
Token: SeShutdownPrivilege	2184	powercfg.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeShutdownPrivilege	2784	powercfg.exe
Token: SeShutdownPrivilege	2192	powercfg.exe
Token: SeShutdownPrivilege	2240	powercfg.exe
Token: SeShutdownPrivilege	1244	powercfg.exe
Token: SeDebugPrivilege	1800	svchost.exe
Token: SeDebugPrivilege	1800	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2028	genshin_global.exe
1800	svchost.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2220	2028	w32tm.exe	28
PID 2028 wrote to memory of 2220	2028	w32tm.exe	28
PID 2028 wrote to memory of 2220	2028	w32tm.exe	28
PID 2028 wrote to memory of 2220	2028	w32tm.exe	28
PID 2028 wrote to memory of 2724	2028	w32tm.exe	30
PID 2028 wrote to memory of 2724	2028	w32tm.exe	30
PID 2028 wrote to memory of 2724	2028	w32tm.exe	30
PID 2028 wrote to memory of 2724	2028	w32tm.exe	30
PID 2028 wrote to memory of 2880	2028	w32tm.exe	32
PID 2028 wrote to memory of 2880	2028	w32tm.exe	32
PID 2028 wrote to memory of 2880	2028	w32tm.exe	32
PID 2028 wrote to memory of 2880	2028	w32tm.exe	32
PID 2028 wrote to memory of 2756	2028	w32tm.exe	31
PID 2028 wrote to memory of 2756	2028	w32tm.exe	31
PID 2028 wrote to memory of 2756	2028	w32tm.exe	31
PID 2028 wrote to memory of 2756	2028	w32tm.exe	31
PID 2756 wrote to memory of 1800	2756	svchost.exe	41
PID 2756 wrote to memory of 1800	2756	svchost.exe	41
PID 2756 wrote to memory of 1800	2756	svchost.exe	41
PID 2724 wrote to memory of 1044	2724	gn_HypersurrogatesavesDhcp.exe	60
PID 2724 wrote to memory of 1044	2724	gn_HypersurrogatesavesDhcp.exe	60
PID 2724 wrote to memory of 1044	2724	gn_HypersurrogatesavesDhcp.exe	60
PID 2724 wrote to memory of 1940	2724	gn_HypersurrogatesavesDhcp.exe	59
PID 2724 wrote to memory of 1940	2724	gn_HypersurrogatesavesDhcp.exe	59
PID 2724 wrote to memory of 1940	2724	gn_HypersurrogatesavesDhcp.exe	59
PID 2724 wrote to memory of 1036	2724	gn_HypersurrogatesavesDhcp.exe	58
PID 2724 wrote to memory of 1036	2724	gn_HypersurrogatesavesDhcp.exe	58
PID 2724 wrote to memory of 1036	2724	gn_HypersurrogatesavesDhcp.exe	58
PID 2724 wrote to memory of 1012	2724	gn_HypersurrogatesavesDhcp.exe	57
PID 2724 wrote to memory of 1012	2724	gn_HypersurrogatesavesDhcp.exe	57
PID 2724 wrote to memory of 1012	2724	gn_HypersurrogatesavesDhcp.exe	57
PID 2724 wrote to memory of 2428	2724	gn_HypersurrogatesavesDhcp.exe	74
PID 2724 wrote to memory of 2428	2724	gn_HypersurrogatesavesDhcp.exe	74
PID 2724 wrote to memory of 2428	2724	gn_HypersurrogatesavesDhcp.exe	74
PID 2724 wrote to memory of 1624	2724	gn_HypersurrogatesavesDhcp.exe	101
PID 2724 wrote to memory of 1624	2724	gn_HypersurrogatesavesDhcp.exe	101
PID 2724 wrote to memory of 1624	2724	gn_HypersurrogatesavesDhcp.exe	101
PID 1624 wrote to memory of 2180	1624	conhost.exe	48
PID 1624 wrote to memory of 2180	1624	conhost.exe	48
PID 1624 wrote to memory of 2180	1624	conhost.exe	48
PID 1624 wrote to memory of 2028	1624	conhost.exe	47
PID 1624 wrote to memory of 2028	1624	conhost.exe	47
PID 1624 wrote to memory of 2028	1624	conhost.exe	47
PID 1624 wrote to memory of 2820	1624	conhost.exe	65
PID 1624 wrote to memory of 2820	1624	conhost.exe	65
PID 1624 wrote to memory of 2820	1624	conhost.exe	65
PID 716 wrote to memory of 932	716	cmd.exe	69
PID 716 wrote to memory of 932	716	cmd.exe	69
PID 716 wrote to memory of 932	716	cmd.exe	69
PID 332 wrote to memory of 2200	332	cmd.exe	100
PID 332 wrote to memory of 2200	332	cmd.exe	100
PID 332 wrote to memory of 2200	332	cmd.exe	100
PID 1744 wrote to memory of 1932	1744	VC_redist.x64.exe	89
PID 1744 wrote to memory of 1932	1744	VC_redist.x64.exe	89
PID 1744 wrote to memory of 1932	1744	VC_redist.x64.exe	89
PID 1744 wrote to memory of 1932	1744	VC_redist.x64.exe	89
PID 1744 wrote to memory of 1932	1744	VC_redist.x64.exe	89
PID 1744 wrote to memory of 1932	1744	VC_redist.x64.exe	89
PID 1744 wrote to memory of 1932	1744	VC_redist.x64.exe	89
PID 1744 wrote to memory of 1932	1744	VC_redist.x64.exe	89
PID 1744 wrote to memory of 1932	1744	VC_redist.x64.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\genshin_global.exe
"C:\Users\Admin\AppData\Local\Temp\genshin_global.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAZwBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AdABoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAYwBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAdAB5ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Users\Admin\AppData\Roaming\gn_HypersurrogatesavesDhcp.exe
  "C:\Users\Admin\AppData\Roaming\gn_HypersurrogatesavesDhcp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cX7NfiwW0X.bat"
    3⤵
    PID:1624
  - - C:\Windows\fr-FR\wininit.exe
      "C:\Windows\fr-FR\wininit.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'
    3⤵
    PID:2428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\wininit.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\services.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\463aa442-9b96-11ee-b087-e6b52eba4e86\smss.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\dllhost.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\24FE.tmp\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1800
- C:\Users\Admin\AppData\Roaming\conhost_gm.exe
  "C:\Users\Admin\AppData\Roaming\conhost_gm.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2880
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1136
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "driverupdate"
    3⤵
    - Launches sc.exe
    PID:2328
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "driverupdate"
    3⤵
    - Launches sc.exe
    PID:2696
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1592
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:952
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:296
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2424
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:912
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2008
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\dllhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\463aa442-9b96-11ee-b087-e6b52eba4e86\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\463aa442-9b96-11ee-b087-e6b52eba4e86\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\463aa442-9b96-11ee-b087-e6b52eba4e86\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:716
- C:\Windows\system32\wusa.exe
  wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Drops file in Windows directory
  PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1744460364-4543402241550728798-1328349938-10665428992022628953-1596425225-1291357964"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1568
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1932
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1408
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1052
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1436
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:332

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
- Drops file in Windows directory
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "172570132121343116581741742036-1552154427424429324-121413593-1162193859-534159380"
1⤵
- Suspicious use of WriteProcessMemory
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
206cc70cb1eb3d79ede3095865a78e79

SHA1
1beff47970bf51ec862a1789ae8b4a1822454bbc

SHA256
c85b8dc918c687a8a9dc05b408b95cb5980f61dfa8bead2e376ec13a360185b3

SHA512
78d0d2e0bf95cd6f0b418964ca951dbad454c4bbb16f4b353ea841e713ddb39ddc9584c05915cf9a6104981cffa4b5a13c86fb7683f352f21b064cf6c67740d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e844375dff0df4ff8900bed2e4645a72

SHA1
f3cc8e3f6e0505563a6d17e3ce95c2cc8fc1ef8f

SHA256
bc95546fe95f7ab6e292bc49f89a18b0e68ed407e0d173ca8ec2933242d4968a

SHA512
b382d2fc74711eeb3871dbd843f0e7879acfdabc1d3e896c36e039bfaee840dd0d1d212d92859fdee2513bd7e1e51315d7c0b796c979e97d1959e43e79f7f4ad

Download Submit
C:\Users\Admin\AppData\Roaming\gn_HypersurrogatesavesDhcp.exe

Filesize
19KB

MD5
c89972a8e6df66d600e3217637478050

SHA1
5d92a457b746de2911ae35b8f1c0077544f1c3a3

SHA256
63690577985d70a5c98c9e1dbd58b645875b832c8d6af7bd2a2d670e36854fdb

SHA512
a1ea3bbb346f87774db930310cb9112a8ebf77c209c94c37fe5d774c43ecc44555442ed1f4e55e5b397c388a2c02450dd37e9d684ae723d7e3b1ee6338553927

Download Submit
C:\Users\Admin\AppData\Roaming\gn_HypersurrogatesavesDhcp.exe

Filesize
930KB

MD5
4c61e306b759b3cef561adfd32658f3f

SHA1
644366f2a3f1b893959f232387969b38c8914df1

SHA256
896d7b06c8b74e10869c79779bbbcd5a3dfb5612692af5cc9103bea20ba8fb69

SHA512
32e886141934be5e2076fed6d5826cbeb0661a22c4882afd5be4dafd4757d7fb313c0ec1f6cbe7fde00b1f50741cc4667be23e936b4b91f28f8768ad4376763e

Download Submit
C:\Users\Admin\AppData\Roaming\gn_HypersurrogatesavesDhcp.exe

Filesize
21KB

MD5
fba960d26c3acabe135cc1933271a8cf

SHA1
edf8f2d88a2226945c76973ade0170ea25e25b1a

SHA256
df07c7b0aa343a7525c1825b9d81dea46d01d1214abcdcf7bffb963f2bd593de

SHA512
f1f694a18d2ab34b9cc6b333893b3fc70104d07a592dfcd3774e96d3cd2941ee13c471e1a1a2f845770eac72af2a472fc83e266b1d2290ac5fe9b60b2559073c

Download Submit
\Users\Admin\AppData\Roaming\conhost_gm.exe

Filesize
925KB

MD5
5fdfe33925ef98372503fd1a149542d8

SHA1
c577f7ee16ca617a39a05071d8baf41d6de28315

SHA256
fb9bfbdae7fcf29d3b77e85f4a31906c4a72ae5d66905e535475157284bdb41d

SHA512
eb195d497ad650648acd08d93f533dcbe042b89944e27b7aefb81288091fe6d092275f06b307c4883ced253df2a29069aba980f59d7008fc9b124e16b8f5311e

Download Submit
\Users\Admin\AppData\Roaming\conhost_gm.exe

Filesize
416KB

MD5
93b3e309e08365ef532f783fcd3322d6

SHA1
3d30ea79248fc870d0fe36b8044add83ebec7cdd

SHA256
e3f2d4bcdb8a44324ec3434e8c177e56c9bdcfb4c5dd059758cd91eef42ce9fd

SHA512
b167f659f4add67be6d6ca64fe298362361abfaf8bf6a0f90ff306a3f4ceedc3bd39a2282b305798efa64cb564faf92c3ce12b871bce01370a690362110acdfd

Download Submit
\Users\Admin\AppData\Roaming\gn_HypersurrogatesavesDhcp.exe

Filesize
896KB

MD5
54a72f1534c5f1f49725f005d4c9de51

SHA1
37758a24223ed4dc2d31734815dab0dd06f3a324

SHA256
4823dc7b148766b933814817f88232fa8c82c36a31ac39693515d86c8763c1cb

SHA512
9e1ee398166d3b002b5a84b0f731a30a5a718b5e49ba8407fa827deb27ed910cc7eb3f4321bd363657b14b451c345bb5a2b98135bd20a9ad08d3dc5770662a3c

Download Submit
\Users\Admin\AppData\Roaming\gn_HypersurrogatesavesDhcp.exe

Filesize
47KB

MD5
d252e012ed6f7ec1e4aae6373b908f08

SHA1
5673b91eff4f0c30b32c72554151533eb73acb32

SHA256
96ac6162e315eef73e5a22010bd4942eff3706023c3088bd5e183289692637af

SHA512
0c4329651d763574a0f7403cac4d173dec589954a77bf10e17711f4c22f230726c1c9840543f69991190c99fac383a6ee77782868f60863372a45eeab9444090

Download Submit
memory/1012-176-0x000007FEED940000-0x000007FEEE2DD000-memory.dmp

Filesize
9.6MB

Download
memory/1012-178-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1012-182-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1012-181-0x0000000002A14000-0x0000000002A17000-memory.dmp

Filesize
12KB

Download
memory/1012-180-0x000007FEED940000-0x000007FEEE2DD000-memory.dmp

Filesize
9.6MB

Download
memory/1036-165-0x0000000002B1B000-0x0000000002B82000-memory.dmp

Filesize
412KB

Download
memory/1036-166-0x0000000002B14000-0x0000000002B17000-memory.dmp

Filesize
12KB

Download
memory/1036-167-0x000007FEED940000-0x000007FEEE2DD000-memory.dmp

Filesize
9.6MB

Download
memory/1036-143-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/1036-141-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/1044-175-0x000007FEED940000-0x000007FEEE2DD000-memory.dmp

Filesize
9.6MB

Download
memory/1044-170-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1044-179-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1940-174-0x000007FEED940000-0x000007FEEE2DD000-memory.dmp

Filesize
9.6MB

Download
memory/1940-177-0x0000000002DE4000-0x0000000002DE7000-memory.dmp

Filesize
12KB

Download
memory/1940-169-0x0000000002DE0000-0x0000000002E60000-memory.dmp

Filesize
512KB

Download
memory/1940-173-0x000007FEED940000-0x000007FEEE2DD000-memory.dmp

Filesize
9.6MB

Download
memory/2028-26-0x0000000000400000-0x0000000003151000-memory.dmp

Filesize
45.3MB

Download
memory/2028-29-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2028-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2028-0-0x0000000000400000-0x0000000003151000-memory.dmp

Filesize
45.3MB

Download
memory/2220-36-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-35-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-33-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download
memory/2220-32-0x0000000074360000-0x000000007490B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-31-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download
memory/2428-168-0x000007FEED940000-0x000007FEEE2DD000-memory.dmp

Filesize
9.6MB

Download
memory/2428-171-0x0000000002B04000-0x0000000002B07000-memory.dmp

Filesize
12KB

Download
memory/2428-172-0x0000000002B0B000-0x0000000002B72000-memory.dmp

Filesize
412KB

Download
memory/2724-50-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/2724-66-0x000000001ADC0000-0x000000001AE40000-memory.dmp

Filesize
512KB

Download
memory/2724-19-0x0000000000F60000-0x000000000104A000-memory.dmp

Filesize
936KB

Download
memory/2724-30-0x000007FEF6070000-0x000007FEF6A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-34-0x000000001ADC0000-0x000000001AE40000-memory.dmp

Filesize
512KB

Download
memory/2724-38-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/2724-153-0x000007FEF6070000-0x000007FEF6A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-40-0x00000000777B0000-0x00000000777B1000-memory.dmp

Filesize
4KB

Download
memory/2724-42-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/2724-45-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/2724-47-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2724-52-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2724-54-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/2724-56-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2724-58-0x000000001ADC0000-0x000000001AE40000-memory.dmp

Filesize
512KB

Download
memory/2724-57-0x0000000077750000-0x0000000077751000-memory.dmp

Filesize
4KB

Download
memory/2724-48-0x0000000077790000-0x0000000077791000-memory.dmp

Filesize
4KB

Download
memory/2724-60-0x000000001ADC0000-0x000000001AE40000-memory.dmp

Filesize
512KB

Download
memory/2724-61-0x000000001ADC0000-0x000000001AE40000-memory.dmp

Filesize
512KB

Download
memory/2724-62-0x000000001ADC0000-0x000000001AE40000-memory.dmp

Filesize
512KB

Download
memory/2724-63-0x000000001ADC0000-0x000000001AE40000-memory.dmp

Filesize
512KB

Download
memory/2724-65-0x000000001ADC0000-0x000000001AE40000-memory.dmp

Filesize
512KB

Download
memory/2724-67-0x000000001ADC0000-0x000000001AE40000-memory.dmp

Filesize
512KB

Download
memory/2724-64-0x000000001ADC0000-0x000000001AE40000-memory.dmp

Filesize
512KB

Download
memory/2724-59-0x000007FEF6070000-0x000007FEF6A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-43-0x00000000777A0000-0x00000000777A1000-memory.dmp

Filesize
4KB

Download
memory/2724-39-0x00000000777C0000-0x00000000777C1000-memory.dmp

Filesize
4KB

Download
memory/2756-81-0x0000000077BC0000-0x0000000077BC2000-memory.dmp

Filesize
8KB

Download
memory/2756-88-0x0000000077BD0000-0x0000000077BD2000-memory.dmp

Filesize
8KB

Download
memory/2756-79-0x00000000779F0000-0x0000000077B99000-memory.dmp

Filesize
1.7MB

Download
memory/2756-68-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

Filesize
8KB

Download
memory/2756-128-0x00000000779F0000-0x0000000077B99000-memory.dmp

Filesize
1.7MB

Download
memory/2756-70-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

Filesize
8KB

Download
memory/2756-72-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

Filesize
8KB

Download
memory/2756-73-0x0000000077BB0000-0x0000000077BB2000-memory.dmp

Filesize
8KB

Download
memory/2756-75-0x0000000077BB0000-0x0000000077BB2000-memory.dmp

Filesize
8KB

Download
memory/2756-77-0x0000000077BB0000-0x0000000077BB2000-memory.dmp

Filesize
8KB

Download
memory/2756-78-0x0000000077BC0000-0x0000000077BC2000-memory.dmp

Filesize
8KB

Download
memory/2756-114-0x000007FEFDB60000-0x000007FEFDB62000-memory.dmp

Filesize
8KB

Download
memory/2756-83-0x0000000077BC0000-0x0000000077BC2000-memory.dmp

Filesize
8KB

Download
memory/2756-84-0x0000000077BD0000-0x0000000077BD2000-memory.dmp

Filesize
8KB

Download
memory/2756-86-0x0000000077BD0000-0x0000000077BD2000-memory.dmp

Filesize
8KB

Download
memory/2756-94-0x0000000077BF0000-0x0000000077BF2000-memory.dmp

Filesize
8KB

Download
memory/2756-89-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

Filesize
8KB

Download
memory/2756-91-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

Filesize
8KB

Download
memory/2756-93-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

Filesize
8KB

Download
memory/2756-96-0x0000000077BF0000-0x0000000077BF2000-memory.dmp

Filesize
8KB

Download
memory/2756-98-0x0000000077BF0000-0x0000000077BF2000-memory.dmp

Filesize
8KB

Download
memory/2756-101-0x000007FEFDB50000-0x000007FEFDB52000-memory.dmp

Filesize
8KB

Download
memory/2756-110-0x000007FEFDB60000-0x000007FEFDB62000-memory.dmp

Filesize
8KB

Download
memory/2756-105-0x000007FEFDB50000-0x000007FEFDB52000-memory.dmp

Filesize
8KB

Download
memory/2756-117-0x0000000140000000-0x0000000143F95000-memory.dmp

Filesize
63.6MB

Download
memory/2820-190-0x00000000777B0000-0x00000000777B1000-memory.dmp

Filesize
4KB

Download
memory/2820-195-0x0000000077790000-0x0000000077791000-memory.dmp

Filesize
4KB

Download
memory/2820-193-0x00000000777A0000-0x00000000777A1000-memory.dmp

Filesize
4KB

Download
memory/2820-189-0x00000000777C0000-0x00000000777C1000-memory.dmp

Filesize
4KB

Download
memory/2820-187-0x00000000009D0000-0x0000000000A50000-memory.dmp

Filesize
512KB

Download
memory/2820-185-0x0000000000E00000-0x0000000000EEA000-memory.dmp

Filesize
936KB

Download
memory/2820-186-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

Filesize
9.9MB

Download