55309a4905c0c074bb9b488a58314dc58d89dea1a8f6963a367c3a62110592c6

Analysis

max time kernel
15s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OGFnPatcher.exe
Size

177.3MB
MD5

82db6baf5501b11cf7582d68cb173689
SHA1

ff40fcae2ecfb00eb3f1a36521afbdc93db1e6e6
SHA256

17f48d532943a1160b9c171e183599d28b3a03b4943df8d1b5f8af2aaed142fc
SHA512

9d47fc31fec0379b7ec6461401e5cda54f7b64d6ff0a30136e5ad58bb94446cfa6f1e511380eb5bf99f59174e56fdc7a7cd06cf7cf46898c672bf37c36ec4d82
SSDEEP

1572864:s+vbimZ3RqPfrrW/GDt+wy2tXgJdtEaxMz6lMp1rJ/Gk/QeF/anRq9A4CGdhVnau:sA5kyGScXQT

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OGFnPatcher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	OGFnPatcher.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32Kernal = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGFnPatcher.exe -silent"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

Processes:

flow	ioc
47	discord.com
17	raw.githubusercontent.com
19	raw.githubusercontent.com
21	raw.githubusercontent.com
25	raw.githubusercontent.com
14	raw.githubusercontent.com
22	raw.githubusercontent.com
16	raw.githubusercontent.com
50	discord.com
18	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 ipinfo.io
34 ipinfo.io
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

Processes:

cmd.execmd.exe

pid process

3292 cmd.exe
2396 cmd.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

1640 tasklist.exe
3164 tasklist.exe
556 tasklist.exe

flow	ioc
35	ipinfo.io
34	ipinfo.io

pid	process
3292	cmd.exe
2396	cmd.exe

pid	process
1640	tasklist.exe
3164	tasklist.exe
556	tasklist.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OGFnPatcher.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	OGFnPatcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OGFnPatcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OGFnPatcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OGFnPatcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	OGFnPatcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	OGFnPatcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	OGFnPatcher.exe

Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exe

pid process

4072 WMIC.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

4016 WMIC.exe

pid	process
4072	WMIC.exe

pid	process
4016	WMIC.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3392	powershell.exe
3392	powershell.exe
2264	powershell.exe
2264	powershell.exe
2264	powershell.exe
3392	powershell.exe
2376	powershell.exe
2376	powershell.exe
1356	powershell.exe
1356	powershell.exe
4244	powershell.exe
4244	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

OGFnPatcher.exeWMIC.exetasklist.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	4656	OGFnPatcher.exe
Token: SeCreatePagefilePrivilege	4656	OGFnPatcher.exe
Token: SeIncreaseQuotaPrivilege	4016	WMIC.exe
Token: SeSecurityPrivilege	4016	WMIC.exe
Token: SeTakeOwnershipPrivilege	4016	WMIC.exe
Token: SeLoadDriverPrivilege	4016	WMIC.exe
Token: SeSystemProfilePrivilege	4016	WMIC.exe
Token: SeSystemtimePrivilege	4016	WMIC.exe
Token: SeProfSingleProcessPrivilege	4016	WMIC.exe
Token: SeIncBasePriorityPrivilege	4016	WMIC.exe
Token: SeCreatePagefilePrivilege	4016	WMIC.exe
Token: SeBackupPrivilege	4016	WMIC.exe
Token: SeRestorePrivilege	4016	WMIC.exe
Token: SeShutdownPrivilege	4016	WMIC.exe
Token: SeDebugPrivilege	4016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4016	WMIC.exe
Token: SeRemoteShutdownPrivilege	4016	WMIC.exe
Token: SeUndockPrivilege	4016	WMIC.exe
Token: SeManageVolumePrivilege	4016	WMIC.exe
Token: 33	4016	WMIC.exe
Token: 34	4016	WMIC.exe
Token: 35	4016	WMIC.exe
Token: 36	4016	WMIC.exe
Token: SeDebugPrivilege	1640	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4020	WMIC.exe
Token: SeSecurityPrivilege	4020	WMIC.exe
Token: SeTakeOwnershipPrivilege	4020	WMIC.exe
Token: SeLoadDriverPrivilege	4020	WMIC.exe
Token: SeSystemProfilePrivilege	4020	WMIC.exe
Token: SeSystemtimePrivilege	4020	WMIC.exe
Token: SeProfSingleProcessPrivilege	4020	WMIC.exe
Token: SeIncBasePriorityPrivilege	4020	WMIC.exe
Token: SeCreatePagefilePrivilege	4020	WMIC.exe
Token: SeBackupPrivilege	4020	WMIC.exe
Token: SeRestorePrivilege	4020	WMIC.exe
Token: SeShutdownPrivilege	4020	WMIC.exe
Token: SeDebugPrivilege	4020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4020	WMIC.exe
Token: SeRemoteShutdownPrivilege	4020	WMIC.exe
Token: SeUndockPrivilege	4020	WMIC.exe
Token: SeManageVolumePrivilege	4020	WMIC.exe
Token: 33	4020	WMIC.exe
Token: 34	4020	WMIC.exe
Token: 35	4020	WMIC.exe
Token: 36	4020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3004	WMIC.exe
Token: SeSecurityPrivilege	3004	WMIC.exe
Token: SeTakeOwnershipPrivilege	3004	WMIC.exe
Token: SeLoadDriverPrivilege	3004	WMIC.exe
Token: SeSystemProfilePrivilege	3004	WMIC.exe
Token: SeSystemtimePrivilege	3004	WMIC.exe
Token: SeProfSingleProcessPrivilege	3004	WMIC.exe
Token: SeIncBasePriorityPrivilege	3004	WMIC.exe
Token: SeCreatePagefilePrivilege	3004	WMIC.exe
Token: SeBackupPrivilege	3004	WMIC.exe
Token: SeRestorePrivilege	3004	WMIC.exe
Token: SeShutdownPrivilege	3004	WMIC.exe
Token: SeDebugPrivilege	3004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3004	WMIC.exe
Token: SeRemoteShutdownPrivilege	3004	WMIC.exe
Token: SeUndockPrivilege	3004	WMIC.exe
Token: SeManageVolumePrivilege	3004	WMIC.exe
Token: 33	3004	WMIC.exe
Token: 34	3004	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OGFnPatcher.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4656 wrote to memory of 3804	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 3804	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 2544	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 2544	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 2700	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 2700	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 4412	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 4412	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 992	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 992	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 2256	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 2256	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 4400	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 4400	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 1164	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 1164	4656	OGFnPatcher.exe	cmd.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 4848	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 2160	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 4656 wrote to memory of 2160	4656	OGFnPatcher.exe	OGFnPatcher.exe
PID 1164 wrote to memory of 3392	1164	cmd.exe	powershell.exe
PID 1164 wrote to memory of 3392	1164	cmd.exe	powershell.exe
PID 3804 wrote to memory of 1640	3804	cmd.exe	tasklist.exe
PID 3804 wrote to memory of 1640	3804	cmd.exe	tasklist.exe
PID 2256 wrote to memory of 4016	2256	cmd.exe	WMIC.exe
PID 2256 wrote to memory of 4016	2256	cmd.exe	WMIC.exe
PID 2256 wrote to memory of 412	2256	cmd.exe	more.com
PID 2256 wrote to memory of 412	2256	cmd.exe	more.com
PID 2700 wrote to memory of 3004	2700	cmd.exe	WMIC.exe
PID 2700 wrote to memory of 3004	2700	cmd.exe	WMIC.exe
PID 4412 wrote to memory of 4020	4412	cmd.exe	WMIC.exe
PID 4412 wrote to memory of 4020	4412	cmd.exe	WMIC.exe
PID 4412 wrote to memory of 396	4412	cmd.exe	more.com
PID 4412 wrote to memory of 396	4412	cmd.exe	more.com
PID 2544 wrote to memory of 4072	2544	cmd.exe	WMIC.exe
PID 2544 wrote to memory of 4072	2544	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
"C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size | more +1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get size
    3⤵
    - Collects information from the system
    PID:4072
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:992
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:1512
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:4400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3392
- C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
  "C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\patcher" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2164,i,18297237727506741373,6579222190254675685,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:4848
- C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
  "C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\patcher" --field-trial-handle=2396,i,18297237727506741373,6579222190254675685,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  PID:2160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4656 get ExecutablePath"
  2⤵
  PID:5040
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=4656 get ExecutablePath
    3⤵
    PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v System32Kernal /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe -silent" /f"
  2⤵
  PID:624
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v System32Kernal /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe -silent" /f
    3⤵
    - Adds Run key to start application
    PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:4480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3756
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3332
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,61,28,111,48,103,192,200,74,187,56,57,175,169,46,187,15,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,8,218,122,81,177,48,95,253,108,218,130,13,112,190,161,148,54,196,50,90,193,158,228,91,46,204,167,254,123,58,18,139,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,140,72,70,183,16,203,205,43,205,4,153,236,226,150,108,139,243,20,224,114,19,84,193,11,208,124,197,196,61,82,169,48,0,0,0,8,76,156,179,198,169,195,116,34,32,0,17,1,81,169,82,33,38,0,5,199,59,97,116,172,20,214,91,152,86,96,192,206,198,241,87,169,221,33,132,89,174,201,177,80,202,153,147,64,0,0,0,200,138,112,152,245,240,101,248,210,103,126,78,189,177,23,119,125,33,62,133,57,50,6,248,115,241,146,151,179,22,122,131,2,173,67,64,232,52,160,148,232,154,228,4,97,45,41,113,104,139,91,33,174,101,33,130,65,111,46,244,195,39,204,194), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:3292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,61,28,111,48,103,192,200,74,187,56,57,175,169,46,187,15,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,8,218,122,81,177,48,95,253,108,218,130,13,112,190,161,148,54,196,50,90,193,158,228,91,46,204,167,254,123,58,18,139,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,214,140,72,70,183,16,203,205,43,205,4,153,236,226,150,108,139,243,20,224,114,19,84,193,11,208,124,197,196,61,82,169,48,0,0,0,8,76,156,179,198,169,195,116,34,32,0,17,1,81,169,82,33,38,0,5,199,59,97,116,172,20,214,91,152,86,96,192,206,198,241,87,169,221,33,132,89,174,201,177,80,202,153,147,64,0,0,0,200,138,112,152,245,240,101,248,210,103,126,78,189,177,23,119,125,33,62,133,57,50,6,248,115,241,146,151,179,22,122,131,2,173,67,64,232,52,160,148,232,154,228,4,97,45,41,113,104,139,91,33,174,101,33,130,65,111,46,244,195,39,204,194), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,61,28,111,48,103,192,200,74,187,56,57,175,169,46,187,15,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,238,63,56,178,84,215,241,50,61,115,82,189,250,9,179,193,174,149,201,41,220,105,177,218,111,248,219,168,251,253,6,188,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,74,8,180,93,245,211,233,165,172,19,163,246,211,124,16,77,128,48,82,58,147,46,86,77,223,94,248,135,75,189,61,151,48,0,0,0,181,126,119,173,128,7,117,236,213,252,235,135,151,21,211,212,201,2,198,111,34,158,77,255,138,215,5,253,21,236,215,197,198,97,129,185,186,164,130,224,244,196,37,201,251,223,227,130,64,0,0,0,153,155,48,141,191,30,157,98,119,41,61,136,71,244,170,5,192,8,110,66,25,94,147,83,9,255,165,89,19,229,5,163,74,107,229,22,98,234,25,252,28,149,21,92,182,34,5,60,227,16,101,127,244,133,13,170,164,67,61,77,250,19,45,204), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:2396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,61,28,111,48,103,192,200,74,187,56,57,175,169,46,187,15,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,238,63,56,178,84,215,241,50,61,115,82,189,250,9,179,193,174,149,201,41,220,105,177,218,111,248,219,168,251,253,6,188,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,74,8,180,93,245,211,233,165,172,19,163,246,211,124,16,77,128,48,82,58,147,46,86,77,223,94,248,135,75,189,61,151,48,0,0,0,181,126,119,173,128,7,117,236,213,252,235,135,151,21,211,212,201,2,198,111,34,158,77,255,138,215,5,253,21,236,215,197,198,97,129,185,186,164,130,224,244,196,37,201,251,223,227,130,64,0,0,0,153,155,48,141,191,30,157,98,119,41,61,136,71,244,170,5,192,8,110,66,25,94,147,83,9,255,165,89,19,229,5,163,74,107,229,22,98,234,25,252,28,149,21,92,182,34,5,60,227,16,101,127,244,133,13,170,164,67,61,77,250,19,45,204), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\b6c1a0bb1fa9c8648d364e7539568be0\Browsers\Passwords.txt

Filesize
19B

MD5
c4efd9a7b61ebf43b608440be5e33369

SHA1
926418256c277f1b11b575ec6e92ce6a844612f7

SHA256
ed4280859199da5a8f25c0c6d533d0873460ac63368c14a69bbd863ea4bfb30f

SHA512
9ea97363868d61d3d51bd3804d638b71ba8dc65260800b3a54051b4725cf08e9d9880a12422a549d94a339c7267e858a7ff5ca9428d64051657134b5c6c20745

Download Submit
C:\ProgramData\b6c1a0bb1fa9c8648d364e7539568be0\Files\AddShow.rtf

Filesize
882KB

MD5
e84d72b1a96e198dd782f77e945b2a0d

SHA1
032c622617776d2c2ca16b6dba53bb10e18e7ff0

SHA256
b5d714f91aa1bfb341005ba16b466896a049063fb3831e40ee79ae266e05b9f0

SHA512
324a74e10006fbb89597f361d3135131731920a7bc650f56a22d20d4f4a9c68be6ebfc819bcf5ca4735d60b0e460ee284c87e3e93f46750378606844ed464564

Download Submit
C:\ProgramData\b6c1a0bb1fa9c8648d364e7539568be0\Files\CloseResume.docx

Filesize
359KB

MD5
108a0c23ae2610f7de41fc20ee43ba5e

SHA1
d5743182cdee00c29787a408d68e8f94364124e0

SHA256
bc50a9acaab8feae9d4c4f66c9fe96274406329705d0fbabfd240b22282a1f2f

SHA512
0992bfe71fbd9d92dc31e72dc4f094777fdd214f461e696a726d936855cd37cccd356e41d3f23c0cc9e7869bc3d13fb804984bda967650d65f46f194713203ca

Download Submit
C:\ProgramData\b6c1a0bb1fa9c8648d364e7539568be0\Files\ConfirmMove.rtf

Filesize
647KB

MD5
b15fbb61d5caddd5eda78443c2bf5bb4

SHA1
725ded89d59652ab81e4ab45aa9195cdc08db925

SHA256
216895ebcb850e0c24243df98678f1f8e9a4d8e9dae5b6c5883600910291f528

SHA512
9e1ff4496e7d0a4e89c633aaffd40d8b85fcaa13b7edc62cb4b0d1917984ddbd20b531cf335deab0e8f77d26452da2c4b2497f2b3f6e6deff80ff71c3d63e8c7

Download Submit
C:\ProgramData\b6c1a0bb1fa9c8648d364e7539568be0\Files\ConvertFromPush.txt

Filesize
1.0MB

MD5
098495e1606267e72808fdcc6ab98c33

SHA1
e3704189a6b056e32e3ab7d11e0cd9c926459c2e

SHA256
9ae0b982b756c015880c1ac75df4bcd1bd9b0bb06a2f4af129ee991850dcb833

SHA512
adb0bc9ce5e644fef31c1885184715cdc36c9d4d4e77fcf4b5ecff93daace1e1ae81fd263d32167df923c15f5804f6da7a913f860397696dcfbc403de531cd22

Download Submit
C:\ProgramData\b6c1a0bb1fa9c8648d364e7539568be0\Files\DebugSync.docx

Filesize
14KB

MD5
7370c075b16ba5c8b627faa1e4d05c9c

SHA1
0097ec3d55d346d83f50161674ddfd915ff63ae7

SHA256
9f899a9e5e0648206a640f490eb6bd92e45b2b9abbad7ee7b54bcc00586222af

SHA512
c29f1a0e7420b8e3ca0aa5207d798c73fee036b5d790ae7355c8c0512a62119c7fb26513dc554a24bcb705ba15a43e4b2357969f038d115c65e9224315d40f5a

Download Submit
C:\ProgramData\b6c1a0bb1fa9c8648d364e7539568be0\Files\NewPush.rtf

Filesize
632KB

MD5
310ac4cb846178f0651d6977191cd8c3

SHA1
c80251533c65cc0297f81a28f6e3bf5563dafec2

SHA256
a3a10431f91be6c3d580539fc6b37bf8824ea5c75c78785890ddba3d194968aa

SHA512
f85d4bb8294de146ec4cbbf8c99a0da1cfde751e44819745aded0a55c68a11e72bb0746c761ad1a4b32d6eb6d69ee75af84573dca4711d9cb4eb06ad23e62ca8

Download Submit
C:\ProgramData\b6c1a0bb1fa9c8648d364e7539568be0\Files\RepairRequest.docx

Filesize
18KB

MD5
68975b4e97ee03190d5cc12f6796e690

SHA1
271f27f2f8a514cd4a0010da2143785bd2202b6d

SHA256
450424312f34c1e4ffc8df4932e9c128a7290d49460989a95a0310baf8a185c1

SHA512
3cfa2c4092eaea7720584e55eead78a64f4868a78b59e3e2475ffd9cec5757414b82bf9d18ad55542b08a592f5e0c314a6b7a735112ec6a019afa830ae01c4fb

Download Submit
C:\ProgramData\b6c1a0bb1fa9c8648d364e7539568be0\Files\RestoreRepair.odt

Filesize
615KB

MD5
a1a5b148b467e697ee27430b6c288753

SHA1
fff8ae42f68706eedd47db9d568ba755febd8d33

SHA256
093ba9fb56e33300a54842be003a99db35c3f6a4eda8f17216e5969acd9b6a8a

SHA512
b69a449e49b96556ec89a2ef3ee248da38aade558562bba937d4c745aa0eefce7b35a7e270a87b7b151bc984c1a28a8644f51df703bc0480fed613aba651a9c9

Download Submit
C:\ProgramData\b6c1a0bb1fa9c8648d364e7539568be0\Files\SelectWait.txt

Filesize
554KB

MD5
9d2ead013ae2b5e9b76481085f2ab9ea

SHA1
4f1618d862acfbbf688ccb1dd03277dd8afd5678

SHA256
15f5c0d7497fd7545dff902ab2aa158895ddef58408e855a05bc29c5bf61012c

SHA512
14632aed67733b13cebc0952544cb94594f9fa7aa22c53942c1d1b7df6ddf1eec4505f1eb8c8f2ec48b7df60a137517d61edc585ffc5bbee22d8bb47f654104b

Download Submit
C:\ProgramData\b6c1a0bb1fa9c8648d364e7539568be0\Files\SendUse.pdf

Filesize
543KB

MD5
3a4325c5e18f5cbca88e387877866d8f

SHA1
145abea478f8b594aa7a7bd8f29f85315db6fe5f

SHA256
65c1533cd2e534edea5333ceba3201476840f6b57c7bd60fced6ee8daaddf8ac

SHA512
4da6cefe99672bece73b1bc3cd483f1f9d9858bdbc38668b7694322d8695301495a6cfa7a6ae32c029cba2c0d6f968e3700844703080df0af4db359988a48c3f

Download Submit
C:\ProgramData\b6c1a0bb1fa9c8648d364e7539568be0\Files\TestAdd.docx

Filesize
14KB

MD5
f163f23e430fc92cfee908262b37075b

SHA1
577f32129e1500151df82f9aada3e35dabeb87e3

SHA256
6442e6bfd439e6430cd93961482af06a76823dff86d215fc582d084b8f26e60c

SHA512
b1784082b2c18b3bfcb190cef9dc88992eadc6d2fd8670797855f7598300a29b891baddd3b65bf5b38f8fddaadf2a72b1b6689e2a6293f779ca2a1032d341633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e26941f21dac5843c6d170e536afccb

SHA1
26b9ebd7bf3ed13bc51874ba06151850a0dac7db

SHA256
316f6ce22306f3018f9f57435ea75092633097182646f7e4ca23e2e2aa1393c0

SHA512
9148227032d98d49baf0d81a7435ba3adc653d7790245140acc50c38de00839d26a661b92f6754b15bab54fe81fbcf9003692fd7bef09027f11ef703a5879e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agxm1j5k.x0w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1356-64-0x00000221F8D80000-0x00000221F8DD0000-memory.dmp

Filesize
320KB

Download
memory/2264-13-0x000001C6AAC60000-0x000001C6AAC82000-memory.dmp

Filesize
136KB

Download