b2758aecc19fd55a13c86e9893c5184278c0394dcfaa1639d052d80e08ab5ceb

Analysis

max time kernel
127s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arctic-workspace.exe
Size

139.5MB
MD5

c9c7a67893d86bc9c8756d5cfe004e65
SHA1

c02f47a6085e7b358fde9e5b4c82416018f720c3
SHA256

eaa6705b9d9229e2e214c57f990d51fb4fa6b0e0f7ade9a08bc58c76811a6210
SHA512

9b682aa06cec332c5d2f16d47046dc00a344f283d1638ff05610d03439ea61b92e9eb7a011646f837c2b9e5962986143eb6551531f2ccdfa785cdf1f62b033d3
SSDEEP

786432:/14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:/14kpHwQjCWv+K18CedmVvEQEpcJW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3572	arctic-workspace.exe
3572	arctic-workspace.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
49	raw.githubusercontent.com
50	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com
46	raw.githubusercontent.com
48	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	ipinfo.io
26	ipinfo.io
28	ipinfo.io
31	ipinfo.io

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2704	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
436	WMIC.exe

Enumerates processes with tasklist 1 TTPs 21 IoCs

Process Discovery

T1057

pid	Process
3160	tasklist.exe
3736	tasklist.exe
3400	tasklist.exe
4480	tasklist.exe
3020	tasklist.exe
540	tasklist.exe
3800	tasklist.exe
3540	tasklist.exe
4892	tasklist.exe
1304	tasklist.exe
3468	tasklist.exe
1964	tasklist.exe
3644	tasklist.exe
4796	tasklist.exe
1404	tasklist.exe
4508	tasklist.exe
3428	tasklist.exe
4084	tasklist.exe
1316	tasklist.exe
3192	tasklist.exe
3968	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3572	arctic-workspace.exe
3572	arctic-workspace.exe
3572	arctic-workspace.exe
3572	arctic-workspace.exe
4456	arctic-workspace.exe
4456	arctic-workspace.exe
3808	powershell.exe
3808	powershell.exe
2256	powershell.exe
2256	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1172	WMIC.exe
Token: SeSecurityPrivilege	1172	WMIC.exe
Token: SeTakeOwnershipPrivilege	1172	WMIC.exe
Token: SeLoadDriverPrivilege	1172	WMIC.exe
Token: SeSystemProfilePrivilege	1172	WMIC.exe
Token: SeSystemtimePrivilege	1172	WMIC.exe
Token: SeProfSingleProcessPrivilege	1172	WMIC.exe
Token: SeIncBasePriorityPrivilege	1172	WMIC.exe
Token: SeCreatePagefilePrivilege	1172	WMIC.exe
Token: SeBackupPrivilege	1172	WMIC.exe
Token: SeRestorePrivilege	1172	WMIC.exe
Token: SeShutdownPrivilege	1172	WMIC.exe
Token: SeDebugPrivilege	1172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1172	WMIC.exe
Token: SeRemoteShutdownPrivilege	1172	WMIC.exe
Token: SeUndockPrivilege	1172	WMIC.exe
Token: SeManageVolumePrivilege	1172	WMIC.exe
Token: 33	1172	WMIC.exe
Token: 34	1172	WMIC.exe
Token: 35	1172	WMIC.exe
Token: 36	1172	WMIC.exe
Token: SeShutdownPrivilege	3572	arctic-workspace.exe
Token: SeCreatePagefilePrivilege	3572	arctic-workspace.exe
Token: SeIncreaseQuotaPrivilege	1172	WMIC.exe
Token: SeSecurityPrivilege	1172	WMIC.exe
Token: SeTakeOwnershipPrivilege	1172	WMIC.exe
Token: SeLoadDriverPrivilege	1172	WMIC.exe
Token: SeSystemProfilePrivilege	1172	WMIC.exe
Token: SeSystemtimePrivilege	1172	WMIC.exe
Token: SeProfSingleProcessPrivilege	1172	WMIC.exe
Token: SeIncBasePriorityPrivilege	1172	WMIC.exe
Token: SeCreatePagefilePrivilege	1172	WMIC.exe
Token: SeBackupPrivilege	1172	WMIC.exe
Token: SeRestorePrivilege	1172	WMIC.exe
Token: SeShutdownPrivilege	1172	WMIC.exe
Token: SeDebugPrivilege	1172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1172	WMIC.exe
Token: SeRemoteShutdownPrivilege	1172	WMIC.exe
Token: SeUndockPrivilege	1172	WMIC.exe
Token: SeManageVolumePrivilege	1172	WMIC.exe
Token: 33	1172	WMIC.exe
Token: 34	1172	WMIC.exe
Token: 35	1172	WMIC.exe
Token: 36	1172	WMIC.exe
Token: SeDebugPrivilege	3160	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3500	WMIC.exe
Token: SeSecurityPrivilege	3500	WMIC.exe
Token: SeTakeOwnershipPrivilege	3500	WMIC.exe
Token: SeLoadDriverPrivilege	3500	WMIC.exe
Token: SeSystemProfilePrivilege	3500	WMIC.exe
Token: SeSystemtimePrivilege	3500	WMIC.exe
Token: SeProfSingleProcessPrivilege	3500	WMIC.exe
Token: SeIncBasePriorityPrivilege	3500	WMIC.exe
Token: SeCreatePagefilePrivilege	3500	WMIC.exe
Token: SeBackupPrivilege	3500	WMIC.exe
Token: SeRestorePrivilege	3500	WMIC.exe
Token: SeShutdownPrivilege	3500	WMIC.exe
Token: SeDebugPrivilege	3500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3500	WMIC.exe
Token: SeRemoteShutdownPrivilege	3500	WMIC.exe
Token: SeUndockPrivilege	3500	WMIC.exe
Token: SeManageVolumePrivilege	3500	WMIC.exe
Token: 33	3500	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 3016	3572	arctic-workspace.exe	87
PID 3572 wrote to memory of 3016	3572	arctic-workspace.exe	87
PID 3016 wrote to memory of 3020	3016	cmd.exe	89
PID 3016 wrote to memory of 3020	3016	cmd.exe	89
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 2108	3572	arctic-workspace.exe	90
PID 3572 wrote to memory of 4456	3572	arctic-workspace.exe	91
PID 3572 wrote to memory of 4456	3572	arctic-workspace.exe	91
PID 3572 wrote to memory of 2252	3572	arctic-workspace.exe	93
PID 3572 wrote to memory of 2252	3572	arctic-workspace.exe	93
PID 2252 wrote to memory of 1172	2252	cmd.exe	95
PID 2252 wrote to memory of 1172	2252	cmd.exe	95
PID 3572 wrote to memory of 1532	3572	arctic-workspace.exe	96
PID 3572 wrote to memory of 1532	3572	arctic-workspace.exe	96
PID 3572 wrote to memory of 720	3572	arctic-workspace.exe	97
PID 3572 wrote to memory of 720	3572	arctic-workspace.exe	97
PID 1532 wrote to memory of 3160	1532	cmd.exe	100
PID 1532 wrote to memory of 3160	1532	cmd.exe	100
PID 720 wrote to memory of 3784	720	cmd.exe	101
PID 720 wrote to memory of 3784	720	cmd.exe	101
PID 3784 wrote to memory of 4292	3784	net.exe	102
PID 3784 wrote to memory of 4292	3784	net.exe	102
PID 3572 wrote to memory of 3888	3572	arctic-workspace.exe	103
PID 3572 wrote to memory of 3888	3572	arctic-workspace.exe	103
PID 3572 wrote to memory of 2372	3572	arctic-workspace.exe	104
PID 3572 wrote to memory of 2372	3572	arctic-workspace.exe	104

C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe
"C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe
  "C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1324,7212929408406706591,9869618707481885929,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe
  "C:\Users\Admin\AppData\Local\Temp\arctic-workspace.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1960 --field-trial-handle=1324,7212929408406706591,9869618707481885929,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3572 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=3572 get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:4292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"
  2⤵
  PID:3888
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get size
    3⤵
    - Collects information from the system
    PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"
  2⤵
  PID:2372
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3500
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:4044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"
  2⤵
  PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:4852
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:4868
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:2752
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:1328
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:3388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:5048
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:436
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:1572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:2488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4796
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3572 get ExecutablePath"
  2⤵
  PID:3116
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=3572 get ExecutablePath
    3⤵
    PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1136
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3132
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3408
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3928
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3756
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2340
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3472
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4856
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5052
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:364
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1224
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1732
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1084
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1428
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3312
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2320
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4140
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5084
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\7lxIk63NSXMt.vbs"
  2⤵
  PID:4756
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Roaming\7lxIk63NSXMt.vbs
    3⤵
    PID:4220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:4184
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:2976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
24cd57a8710ead89af77751cc4ce3236

SHA1
d66a76341ec9d1f53adc3caedfbc2a78e1055a30

SHA256
ca494d00a7aba63fc4cf7c49316bccee057616a26b917f9f12692b36b1f1dd91

SHA512
903577e4d3cd91d47dbd9f4f49c48236aef013c12ed36dc8a338c23845680b709af7e5272c21f036ea88c7b6ca10d090eb2cede1d836557d8ea37d071358223f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\12c8205e-5c91-4148-836f-647bb622861e.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ufedx53l.23k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd539f2c-d23f-4a5f-a930-36d877093da2.tmp.node

Filesize
570KB

MD5
8d6741bd289ab38af551245aecfa5dc0

SHA1
092be70c04d3109d8fbd3b30d1dcddd500b8e2dc

SHA256
bd863862e7b46dfdcd79191130823aa4ac71555321d847154c6190671294e21d

SHA512
f6a53abebe5d3971549071ec7f2982c5b48f09a8df48bd8b1d2ad939d3ee468220a022f8c4088c504811ad7073e0712a9d951ee25893f05f999cbbc45faccdd9

Download Submit
C:\Users\Admin\AppData\Roaming\7lxIk63NSXMt.vbs

Filesize
178B

MD5
6a7d07c4edd5a056d5bf03553c06fccb

SHA1
386002f42c0cd5dedc5b60a4d23b07d364874980

SHA256
3db5a469984ee53dfbad74834e3ba62feab5e977543f515b3a17b08c3ef4de23

SHA512
ed6aef524bebbfddc075851325b81ecd947bf99a05a4931c7dac0f9ea374524d6fa3da25275194d6c6d57c9cc28d3f006afe92e9b8c076ae8e1ebbc890e1b3f2

Download Submit
memory/2108-64-0x000001D606010000-0x000001D6060DD000-memory.dmp

Filesize
820KB

Download
memory/2108-10-0x00007FFA52560000-0x00007FFA52561000-memory.dmp

Filesize
4KB

Download
memory/2256-43-0x000001DD29C00000-0x000001DD29C10000-memory.dmp

Filesize
64KB

Download
memory/2256-58-0x00007FFA334A0000-0x00007FFA33F61000-memory.dmp

Filesize
10.8MB

Download
memory/2256-55-0x000001DD29C00000-0x000001DD29C10000-memory.dmp

Filesize
64KB

Download
memory/2256-42-0x00007FFA334A0000-0x00007FFA33F61000-memory.dmp

Filesize
10.8MB

Download
memory/2256-44-0x000001DD29C00000-0x000001DD29C10000-memory.dmp

Filesize
64KB

Download
memory/3808-27-0x00000280E9590000-0x00000280E95B2000-memory.dmp

Filesize
136KB

Download
memory/3808-39-0x00007FFA33540000-0x00007FFA34001000-memory.dmp

Filesize
10.8MB

Download
memory/3808-33-0x00000280D1100000-0x00000280D1110000-memory.dmp

Filesize
64KB

Download
memory/3808-35-0x00000280D1100000-0x00000280D1110000-memory.dmp

Filesize
64KB

Download
memory/3808-34-0x00000280D1100000-0x00000280D1110000-memory.dmp

Filesize
64KB

Download
memory/3808-32-0x00007FFA33540000-0x00007FFA34001000-memory.dmp

Filesize
10.8MB

Download