5dfa7816c521fa59c1e558ca48e39632257afa88b97b901160e2ff97ad63e681

Analysis

max time kernel
80s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beta.exe
Size

139.5MB
MD5

809ca215de4598350eaeddb5a94ebbba
SHA1

caccfadb6b96dc6155696f6309c3ea492078bb5c
SHA256

0f702f8ac538e810649808f0d9b6000e1aa4360849633c0ed76ec36e2cfc8332
SHA512

1521a30cf760277a24ed1446d29eb71af297582ac2d8b4546a322ec9690a8094963a194d7f2fdec65e2e59673c8f912557182e673af8d46cd29bd20989cdae36
SSDEEP

786432:f14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:f14kpHwQjCWv+K18CedmVvEQEpcJW

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe	beta.exe

Loads dropped DLL 2 IoCs

pid	Process
3352	beta.exe
3352	beta.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupMatZyd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\WindowsDriverSetup.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
51	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com
58	raw.githubusercontent.com
59	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	ipinfo.io
42	ipinfo.io
43	ipinfo.io
49	ipinfo.io

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3680	WMIC.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4568	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4964	WMIC.exe

Enumerates processes with tasklist 1 TTPs 25 IoCs

Process Discovery

T1057

pid	Process
4328	tasklist.exe
4956	tasklist.exe
3088	tasklist.exe
1336	tasklist.exe
4720	tasklist.exe
4320	tasklist.exe
2412	tasklist.exe
4452	tasklist.exe
4304	tasklist.exe
2144	tasklist.exe
1484	tasklist.exe
2360	tasklist.exe
2680	tasklist.exe
436	tasklist.exe
4928	tasklist.exe
948	tasklist.exe
4604	tasklist.exe
436	tasklist.exe
1304	tasklist.exe
4884	tasklist.exe
4376	tasklist.exe
1872	tasklist.exe
3744	tasklist.exe
2352	tasklist.exe
2668	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3352	beta.exe
3352	beta.exe
3352	beta.exe
3352	beta.exe
384	beta.exe
384	beta.exe
448	powershell.exe
448	powershell.exe
3480	powershell.exe
3480	powershell.exe
1072	powershell.exe
1072	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	tasklist.exe
Token: SeShutdownPrivilege	3352	beta.exe
Token: SeCreatePagefilePrivilege	3352	beta.exe
Token: SeIncreaseQuotaPrivilege	2460	WMIC.exe
Token: SeSecurityPrivilege	2460	WMIC.exe
Token: SeTakeOwnershipPrivilege	2460	WMIC.exe
Token: SeLoadDriverPrivilege	2460	WMIC.exe
Token: SeSystemProfilePrivilege	2460	WMIC.exe
Token: SeSystemtimePrivilege	2460	WMIC.exe
Token: SeProfSingleProcessPrivilege	2460	WMIC.exe
Token: SeIncBasePriorityPrivilege	2460	WMIC.exe
Token: SeCreatePagefilePrivilege	2460	WMIC.exe
Token: SeBackupPrivilege	2460	WMIC.exe
Token: SeRestorePrivilege	2460	WMIC.exe
Token: SeShutdownPrivilege	2460	WMIC.exe
Token: SeDebugPrivilege	2460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2460	WMIC.exe
Token: SeRemoteShutdownPrivilege	2460	WMIC.exe
Token: SeUndockPrivilege	2460	WMIC.exe
Token: SeManageVolumePrivilege	2460	WMIC.exe
Token: 33	2460	WMIC.exe
Token: 34	2460	WMIC.exe
Token: 35	2460	WMIC.exe
Token: 36	2460	WMIC.exe
Token: SeShutdownPrivilege	3352	beta.exe
Token: SeCreatePagefilePrivilege	3352	beta.exe
Token: SeIncreaseQuotaPrivilege	2460	WMIC.exe
Token: SeSecurityPrivilege	2460	WMIC.exe
Token: SeTakeOwnershipPrivilege	2460	WMIC.exe
Token: SeLoadDriverPrivilege	2460	WMIC.exe
Token: SeSystemProfilePrivilege	2460	WMIC.exe
Token: SeSystemtimePrivilege	2460	WMIC.exe
Token: SeProfSingleProcessPrivilege	2460	WMIC.exe
Token: SeIncBasePriorityPrivilege	2460	WMIC.exe
Token: SeCreatePagefilePrivilege	2460	WMIC.exe
Token: SeBackupPrivilege	2460	WMIC.exe
Token: SeRestorePrivilege	2460	WMIC.exe
Token: SeShutdownPrivilege	2460	WMIC.exe
Token: SeDebugPrivilege	2460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2460	WMIC.exe
Token: SeRemoteShutdownPrivilege	2460	WMIC.exe
Token: SeUndockPrivilege	2460	WMIC.exe
Token: SeManageVolumePrivilege	2460	WMIC.exe
Token: 33	2460	WMIC.exe
Token: 34	2460	WMIC.exe
Token: 35	2460	WMIC.exe
Token: 36	2460	WMIC.exe
Token: SeShutdownPrivilege	3352	beta.exe
Token: SeCreatePagefilePrivilege	3352	beta.exe
Token: SeShutdownPrivilege	3352	beta.exe
Token: SeCreatePagefilePrivilege	3352	beta.exe
Token: SeShutdownPrivilege	3352	beta.exe
Token: SeCreatePagefilePrivilege	3352	beta.exe
Token: SeShutdownPrivilege	3352	beta.exe
Token: SeCreatePagefilePrivilege	3352	beta.exe
Token: SeShutdownPrivilege	3352	beta.exe
Token: SeCreatePagefilePrivilege	3352	beta.exe
Token: SeDebugPrivilege	1872	tasklist.exe
Token: SeShutdownPrivilege	3352	beta.exe
Token: SeCreatePagefilePrivilege	3352	beta.exe
Token: SeIncreaseQuotaPrivilege	3680	WMIC.exe
Token: SeSecurityPrivilege	3680	WMIC.exe
Token: SeTakeOwnershipPrivilege	3680	WMIC.exe
Token: SeLoadDriverPrivilege	3680	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 1916	3352	beta.exe	85
PID 3352 wrote to memory of 1916	3352	beta.exe	85
PID 1916 wrote to memory of 436	1916	cmd.exe	87
PID 1916 wrote to memory of 436	1916	cmd.exe	87
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 4508	3352	beta.exe	88
PID 3352 wrote to memory of 384	3352	beta.exe	89
PID 3352 wrote to memory of 384	3352	beta.exe	89
PID 3352 wrote to memory of 2392	3352	beta.exe	91
PID 3352 wrote to memory of 2392	3352	beta.exe	91
PID 2392 wrote to memory of 2460	2392	cmd.exe	93
PID 2392 wrote to memory of 2460	2392	cmd.exe	93
PID 3352 wrote to memory of 2060	3352	beta.exe	94
PID 3352 wrote to memory of 2060	3352	beta.exe	94
PID 3352 wrote to memory of 4128	3352	beta.exe	95
PID 3352 wrote to memory of 4128	3352	beta.exe	95
PID 2060 wrote to memory of 1872	2060	cmd.exe	98
PID 2060 wrote to memory of 1872	2060	cmd.exe	98
PID 4128 wrote to memory of 1112	4128	cmd.exe	99
PID 4128 wrote to memory of 1112	4128	cmd.exe	99
PID 3352 wrote to memory of 560	3352	beta.exe	100
PID 3352 wrote to memory of 560	3352	beta.exe	100
PID 3352 wrote to memory of 1300	3352	beta.exe	101
PID 3352 wrote to memory of 1300	3352	beta.exe	101
PID 3352 wrote to memory of 3964	3352	beta.exe	109
PID 3352 wrote to memory of 3964	3352	beta.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3724	attrib.exe

C:\Users\Admin\AppData\Local\Temp\beta.exe
"C:\Users\Admin\AppData\Local\Temp\beta.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- C:\Users\Admin\AppData\Local\Temp\beta.exe
  "C:\Users\Admin\AppData\Local\Temp\beta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1752,9502403844882929531,15714664240867216800,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4508
- C:\Users\Admin\AppData\Local\Temp\beta.exe
  "C:\Users\Admin\AppData\Local\Temp\beta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1960 --field-trial-handle=1752,9502403844882929531,15714664240867216800,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3352 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=3352 get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:1112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"
  2⤵
  PID:560
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get size
    3⤵
    - Collects information from the system
    - Suspicious use of AdjustPrivilegeToken
    PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"
  2⤵
  PID:1300
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get totalphysicalmemory
    3⤵
    PID:2648
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"
  2⤵
  PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:1980
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:1236
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:3964
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:4648
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:4844
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:4576
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4964
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:4712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:1692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:3744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4928
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3352 get ExecutablePath"
  2⤵
  PID:1668
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=3352 get ExecutablePath
    3⤵
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupMatZyd /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe /f"
  2⤵
  PID:2636
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupMatZyd /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe /f
    3⤵
    - Adds Run key to start application
    PID:3248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupMatZyd /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe\" /F /rl highest"
  2⤵
  PID:3992
- - C:\Windows\system32\cmd.exe
    cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupMatZyd /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe\" /F /rl highest
    3⤵
    PID:2496
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc onlogon /tn WindowsDriverSetupMatZyd /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe\" /F /rl highest
      4⤵
      Creates scheduled task(s)
      PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe\"""
  2⤵
  PID:4752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe\""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1072
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe
      4⤵
      Views/modifies file attributes
      PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1476
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\ZobuihFFlHp5.vbs"
  2⤵
  PID:944
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Roaming\ZobuihFFlHp5.vbs
    3⤵
    PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3636
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4520
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3048
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:2980
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2436
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4936
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1752
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4108
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3344
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3676
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4532
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3756
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2232
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:940
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3752
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4444
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3808
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4128
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:392
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4316
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1436
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3420
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e6ab081-1cc6-4963-a65f-9e1f20937a03.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtp1ol5b.jsz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5f106b5-1679-4f9f-9edd-eee31a47a651.tmp.node

Filesize
656KB

MD5
788a631f0fa606ca6b1332febad3cdce

SHA1
61283245cc3d46bd65e0965cfaf890eec4c1e944

SHA256
4f6924ce99fe122590302d42d9b818a09758c88a5e17e82afa0cf5de3485aefe

SHA512
b84d5355e7ef4e471c772a94c17d93efa2d62545bb8cf19cacf28f679083f1619acbb98a5f185ea50e5fa659020b583a2a4b23b671d0464c30f7770c73320421

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\WindowsDriverSetup.exe

Filesize
3.6MB

MD5
97541279f291d8d5d1b5fe1d94a4f6ea

SHA1
ed006e24796be8863bf5f75a46437a43ab655440

SHA256
5053b3187db3e3671aafb4d2dac36c9b85c07a6581d6d15209e62eb717f42a9a

SHA512
996caa03f1dd22ebe10310004892edda7a06dc03802618cfbe0e4ec3175faeeddc66940438538057964046cb58aea426fdd342b087b915805f1a81d337d90f81

Download Submit
C:\Users\Admin\AppData\Roaming\ZobuihFFlHp5.vbs

Filesize
206B

MD5
54e966d7ecd405654a81432ec6f0eb9e

SHA1
e07f3f11b1c80f18ffb09a646c1351bfc18f1b46

SHA256
274bd37f43c3decfdf966beb9f45f2b71ab921b4d77d4637c2aed4385fb05f84

SHA512
c7b910c7716b13b693c1024a7afc96ebb51afb88f584b1ae8912267bbea485f698cba2c86e5670263d0df9c13b67a24fa0af17f26409d6244ad0382dc1c18cff

Download Submit
memory/448-34-0x00000134242B0000-0x00000134242D2000-memory.dmp

Filesize
136KB

Download
memory/448-81-0x00007FF910830000-0x00007FF9112F1000-memory.dmp

Filesize
10.8MB

Download
memory/448-40-0x00007FF910830000-0x00007FF9112F1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-76-0x00007FF9107C0000-0x00007FF911281000-memory.dmp

Filesize
10.8MB

Download
memory/1072-71-0x00007FF9107C0000-0x00007FF911281000-memory.dmp

Filesize
10.8MB

Download
memory/1072-73-0x000001E6D7710000-0x000001E6D7720000-memory.dmp

Filesize
64KB

Download
memory/1072-72-0x000001E6D7710000-0x000001E6D7720000-memory.dmp

Filesize
64KB

Download
memory/3480-42-0x0000028255A00000-0x0000028255A10000-memory.dmp

Filesize
64KB

Download
memory/3480-56-0x00007FF910830000-0x00007FF9112F1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-41-0x0000028255A00000-0x0000028255A10000-memory.dmp

Filesize
64KB

Download
memory/3480-82-0x00007FF910830000-0x00007FF9112F1000-memory.dmp

Filesize
10.8MB

Download
memory/4508-10-0x00007FF9304D0000-0x00007FF9304D1000-memory.dmp

Filesize
4KB

Download