b2758aecc19fd55a13c86e9893c5184278c0394dcfaa1639d052d80e08ab5ceb

Analysis

max time kernel
147s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arctic-workspace.exe
Size

139.5MB
MD5

c9c7a67893d86bc9c8756d5cfe004e65
SHA1

c02f47a6085e7b358fde9e5b4c82416018f720c3
SHA256

eaa6705b9d9229e2e214c57f990d51fb4fa6b0e0f7ade9a08bc58c76811a6210
SHA512

9b682aa06cec332c5d2f16d47046dc00a344f283d1638ff05610d03439ea61b92e9eb7a011646f837c2b9e5962986143eb6551531f2ccdfa785cdf1f62b033d3
SSDEEP

786432:/14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:/14kpHwQjCWv+K18CedmVvEQEpcJW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3984	arctic-workspace.exe
3984	arctic-workspace.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
32	raw.githubusercontent.com
33	raw.githubusercontent.com
34	raw.githubusercontent.com
35	raw.githubusercontent.com
36	raw.githubusercontent.com
37	raw.githubusercontent.com
29	raw.githubusercontent.com
31	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ipinfo.io
18	ipinfo.io
19	ipinfo.io
22	ipinfo.io

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3472	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1732	WMIC.exe

Enumerates processes with tasklist 1 TTPs 21 IoCs

Process Discovery

T1057

pid	Process
2564	tasklist.exe
612	tasklist.exe
5156	tasklist.exe
2832	tasklist.exe
3936	tasklist.exe
1428	tasklist.exe
456	tasklist.exe
2912	tasklist.exe
1432	tasklist.exe
3884	tasklist.exe
5176	tasklist.exe
3148	tasklist.exe
4552	tasklist.exe
4760	tasklist.exe
4804	tasklist.exe
4932	tasklist.exe
2436	tasklist.exe
4532	tasklist.exe
3140	tasklist.exe
4024	tasklist.exe
804	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3984	arctic-workspace.exe
3984	arctic-workspace.exe
3984	arctic-workspace.exe
3984	arctic-workspace.exe
2712	arctic-workspace.exe
2712	arctic-workspace.exe
1644	powershell.exe
1644	powershell.exe
1644	powershell.exe
660	powershell.exe
660	powershell.exe
660	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3984	arctic-workspace.exe
Token: SeCreatePagefilePrivilege	3984	arctic-workspace.exe
Token: SeDebugPrivilege	2912	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1640	WMIC.exe
Token: SeSecurityPrivilege	1640	WMIC.exe
Token: SeTakeOwnershipPrivilege	1640	WMIC.exe
Token: SeLoadDriverPrivilege	1640	WMIC.exe
Token: SeSystemProfilePrivilege	1640	WMIC.exe
Token: SeSystemtimePrivilege	1640	WMIC.exe
Token: SeProfSingleProcessPrivilege	1640	WMIC.exe
Token: SeIncBasePriorityPrivilege	1640	WMIC.exe
Token: SeCreatePagefilePrivilege	1640	WMIC.exe
Token: SeBackupPrivilege	1640	WMIC.exe
Token: SeRestorePrivilege	1640	WMIC.exe
Token: SeShutdownPrivilege	1640	WMIC.exe
Token: SeDebugPrivilege	1640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1640	WMIC.exe
Token: SeRemoteShutdownPrivilege	1640	WMIC.exe
Token: SeUndockPrivilege	1640	WMIC.exe
Token: SeManageVolumePrivilege	1640	WMIC.exe
Token: 33	1640	WMIC.exe
Token: 34	1640	WMIC.exe
Token: 35	1640	WMIC.exe
Token: 36	1640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1640	WMIC.exe
Token: SeSecurityPrivilege	1640	WMIC.exe
Token: SeTakeOwnershipPrivilege	1640	WMIC.exe
Token: SeLoadDriverPrivilege	1640	WMIC.exe
Token: SeSystemProfilePrivilege	1640	WMIC.exe
Token: SeSystemtimePrivilege	1640	WMIC.exe
Token: SeProfSingleProcessPrivilege	1640	WMIC.exe
Token: SeIncBasePriorityPrivilege	1640	WMIC.exe
Token: SeCreatePagefilePrivilege	1640	WMIC.exe
Token: SeBackupPrivilege	1640	WMIC.exe
Token: SeRestorePrivilege	1640	WMIC.exe
Token: SeShutdownPrivilege	1640	WMIC.exe
Token: SeDebugPrivilege	1640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1640	WMIC.exe
Token: SeRemoteShutdownPrivilege	1640	WMIC.exe
Token: SeUndockPrivilege	1640	WMIC.exe
Token: SeManageVolumePrivilege	1640	WMIC.exe
Token: 33	1640	WMIC.exe
Token: 34	1640	WMIC.exe
Token: 35	1640	WMIC.exe
Token: 36	1640	WMIC.exe
Token: SeDebugPrivilege	3148	tasklist.exe
Token: SeShutdownPrivilege	3984	arctic-workspace.exe
Token: SeCreatePagefilePrivilege	3984	arctic-workspace.exe
Token: SeIncreaseQuotaPrivilege	4884	WMIC.exe
Token: SeSecurityPrivilege	4884	WMIC.exe
Token: SeTakeOwnershipPrivilege	4884	WMIC.exe
Token: SeLoadDriverPrivilege	4884	WMIC.exe
Token: SeSystemProfilePrivilege	4884	WMIC.exe
Token: SeSystemtimePrivilege	4884	WMIC.exe
Token: SeProfSingleProcessPrivilege	4884	WMIC.exe
Token: SeIncBasePriorityPrivilege	4884	WMIC.exe
Token: SeCreatePagefilePrivilege	4884	WMIC.exe
Token: SeBackupPrivilege	4884	WMIC.exe
Token: SeRestorePrivilege	4884	WMIC.exe
Token: SeShutdownPrivilege	4884	WMIC.exe
Token: SeDebugPrivilege	4884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4884	WMIC.exe
Token: SeRemoteShutdownPrivilege	4884	WMIC.exe
Token: SeUndockPrivilege	4884	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 3380	3984	arctic-workspace.exe	89
PID 3984 wrote to memory of 3380	3984	arctic-workspace.exe	89
PID 3380 wrote to memory of 2912	3380	cmd.exe	91
PID 3380 wrote to memory of 2912	3380	cmd.exe	91
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2624	3984	arctic-workspace.exe	92
PID 3984 wrote to memory of 2712	3984	arctic-workspace.exe	93
PID 3984 wrote to memory of 2712	3984	arctic-workspace.exe	93
PID 3984 wrote to memory of 5060	3984	arctic-workspace.exe	95
PID 3984 wrote to memory of 5060	3984	arctic-workspace.exe	95
PID 5060 wrote to memory of 1640	5060	cmd.exe	97
PID 5060 wrote to memory of 1640	5060	cmd.exe	97
PID 3984 wrote to memory of 4136	3984	arctic-workspace.exe	98
PID 3984 wrote to memory of 4136	3984	arctic-workspace.exe	98
PID 3984 wrote to memory of 4900	3984	arctic-workspace.exe	99
PID 3984 wrote to memory of 4900	3984	arctic-workspace.exe	99
PID 4900 wrote to memory of 888	4900	cmd.exe	102
PID 4900 wrote to memory of 888	4900	cmd.exe	102
PID 4136 wrote to memory of 3148	4136	cmd.exe	103
PID 4136 wrote to memory of 3148	4136	cmd.exe	103
PID 888 wrote to memory of 3776	888	net.exe	104
PID 888 wrote to memory of 3776	888	net.exe	104
PID 3984 wrote to memory of 4904	3984	arctic-workspace.exe	105
PID 3984 wrote to memory of 4904	3984	arctic-workspace.exe	105
PID 3984 wrote to memory of 4484	3984	arctic-workspace.exe	106
PID 3984 wrote to memory of 4484	3984	arctic-workspace.exe	106

C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe
"C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe
  "C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1688,18231557175562518784,5925484016363839238,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe
  "C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1956 --field-trial-handle=1688,18231557175562518784,5925484016363839238,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3984 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=3984 get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"
  2⤵
  PID:4904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get size
    3⤵
    - Collects information from the system
    PID:3472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"
  2⤵
  PID:4484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get totalphysicalmemory
    3⤵
    PID:2148
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:1388
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"
  2⤵
  PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:4692
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:4932
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:4472
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:2500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:5008
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1732
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:4412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3884
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3984 get ExecutablePath"
  2⤵
  PID:1316
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1388
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=3984 get ExecutablePath
    3⤵
    PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2880
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1736
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5044
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1760
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:964
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4124
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4472
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1496
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1948
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2112
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4852
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4956
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1204
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2864
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2424
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3668
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:216
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2404
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:844
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4044
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\dJg5viEusaEz.vbs"
  2⤵
  PID:3672
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4268
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Roaming\dJg5viEusaEz.vbs
    3⤵
    PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:1144
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:1384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d423418-4eb7-4398-ae2f-ee0c7b2cda14.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\74df109b-07bd-4d05-b4c4-d598ad10bebe.tmp.node

Filesize
570KB

MD5
8d6741bd289ab38af551245aecfa5dc0

SHA1
092be70c04d3109d8fbd3b30d1dcddd500b8e2dc

SHA256
bd863862e7b46dfdcd79191130823aa4ac71555321d847154c6190671294e21d

SHA512
f6a53abebe5d3971549071ec7f2982c5b48f09a8df48bd8b1d2ad939d3ee468220a022f8c4088c504811ad7073e0712a9d951ee25893f05f999cbbc45faccdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0uoyyubk.yxe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\dJg5viEusaEz.vbs

Filesize
178B

MD5
6a7d07c4edd5a056d5bf03553c06fccb

SHA1
386002f42c0cd5dedc5b60a4d23b07d364874980

SHA256
3db5a469984ee53dfbad74834e3ba62feab5e977543f515b3a17b08c3ef4de23

SHA512
ed6aef524bebbfddc075851325b81ecd947bf99a05a4931c7dac0f9ea374524d6fa3da25275194d6c6d57c9cc28d3f006afe92e9b8c076ae8e1ebbc890e1b3f2

Download Submit
memory/660-55-0x00007FFD22020000-0x00007FFD22AE1000-memory.dmp

Filesize
10.8MB

Download
memory/660-42-0x000001E8B2470000-0x000001E8B2480000-memory.dmp

Filesize
64KB

Download
memory/660-41-0x00007FFD22020000-0x00007FFD22AE1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-22-0x00000274F2010000-0x00000274F2032000-memory.dmp

Filesize
136KB

Download
memory/1644-38-0x00007FFD22020000-0x00007FFD22AE1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-34-0x00000274D9A00000-0x00000274D9A10000-memory.dmp

Filesize
64KB

Download
memory/1644-33-0x00000274D9A00000-0x00000274D9A10000-memory.dmp

Filesize
64KB

Download
memory/1644-32-0x00007FFD22020000-0x00007FFD22AE1000-memory.dmp

Filesize
10.8MB

Download
memory/2624-10-0x00007FFD42370000-0x00007FFD42371000-memory.dmp

Filesize
4KB

Download