Analysis
-
max time kernel
68s -
max time network
68s -
platform
windows10-ltsc_2021_x64 -
resource
win10ltsc2021-20250314-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system -
submitted
28/03/2025, 14:08
Static task
static1
Behavioral task
behavioral1
Sample
loader.exe
Resource
win10ltsc2021-20250314-en
General
-
Target
loader.exe
-
Size
363KB
-
MD5
1b0b97cb1346c496b8368b3e9622d8fd
-
SHA1
ebe3c3f59f26d341933317dec9ed00b041c90d04
-
SHA256
32ea7d3ceea4b73b2a98ef55aebc41581fdfad995fe9d9cc2411dedc1806f28a
-
SHA512
05a4933ed5c5f965058c03ff00828e7bafc71966804955d7962bc6cb8ebab96a1c8f435b9157da3c2a8aa8549b0807d902820831a7ca1108f6491fa6919fe22e
-
SSDEEP
6144:a5kgvH9LLVEbIALguKV5BwUnZqazMhD9RLJt88sndcP8pPyDvUGOksWb:s9Lh9qKLBwiZlzMB9xgndcP88DvvP
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 5232 created 628 5232 y0eystlw.kme.exe 5 -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" WaaSMedicAgent.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Control Panel\International\Geo\Nation loader.exe Key value queried \REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Control Panel\International\Geo\Nation y0eystlw.kme.exe -
Executes dropped EXE 1 IoCs
pid Process 5232 y0eystlw.kme.exe -
Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description ioc Process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx svchost.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: svchost.exe File opened (read-only) \??\P: svchost.exe File opened (read-only) \??\A: svchost.exe File opened (read-only) \??\I: svchost.exe File opened (read-only) \??\Y: svchost.exe File opened (read-only) \??\Z: svchost.exe File opened (read-only) \??\Q: svchost.exe File opened (read-only) \??\J: svchost.exe File opened (read-only) \??\M: svchost.exe File opened (read-only) \??\T: svchost.exe File opened (read-only) \??\V: svchost.exe File opened (read-only) \??\W: svchost.exe File opened (read-only) \??\B: svchost.exe File opened (read-only) \??\D: svchost.exe File opened (read-only) \??\L: svchost.exe File opened (read-only) \??\R: svchost.exe File opened (read-only) \??\S: svchost.exe File opened (read-only) \??\U: svchost.exe File opened (read-only) \??\X: svchost.exe File opened (read-only) \??\G: svchost.exe File opened (read-only) \??\H: svchost.exe File opened (read-only) \??\K: svchost.exe File opened (read-only) \??\N: svchost.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 9 api.ipify.org -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 wmiprvse.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to get system information.
pid Process 5756 powershell.exe -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 5232 set thread context of 3784 5232 y0eystlw.kme.exe 83 -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz mousocoreworker.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mousocoreworker.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 mousocoreworker.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU mousocoreworker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
Modifies data under HKEY_USERS 50 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414} mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000a83f114a8ca28f4c93bfff7b95686ed8000000000200000000001066000000010000200000001f767ddb476011a4ea9fe9ade8f3120b6902ff8e47f64d9444a8f361a9518f6f000000000e8000000002000020000000ade0c58ca23bfb6ab92c800f0b0be808f171cb6a4ca2e26547b7b3e3d072388c10060000df4bb0f233584eae1af3b9f5de5b2bb2f6c5aa75c9ccace40fd6e30c198b6cbdb4f80cd6d8c645c8138f02b24857304498f7d748933899c748fbed4151dbcb4aff87653b5ce4364c136731f7711b9cf4fe1ad5cf298c5453a11857e0fc7626d2d8022fc88bcf4a883d4649f81c291d22fea36d2a31c20982572a07da45fca01a38933481183c7f7a3ab363ebb501ef448eafdac8ba44e0d2313d61510e133cf4fb328c945a912d207c127618e7da515b13cf06b357eca9f8f1eb5ddb09afe485542eacd48e4c79952ba0a2e2378265fa1353f5ee780faff215f3fac570bc5c0a51fdaf9521b2ef19e5b2f118f448515220340860f2b4e609ddaad0d100423f9a4cf541488eb43ed5f9a01cfdf1ea44ff80fb36a99ccc3bbbca1716c4979f22e40b11043e553c48c32a4c1e964ee67e5c4e78f9055c021afd96ad6711874cb03b1d39afac53748b72858d10177dadc166733789f98070f7e4673a9102fd3d060574469db20bc640909f2eda47c23c72f1c022affc9ec5acdfdf48e75134ba638d55b91320eab723d075055724646712ec63dcf1a53b8c0f0fef7f1604de880796f7cbc3aba1253e0a1def049151fab18ce4775867e0b45c71dca8b17a3c48cb37368ec4f1d9f12881c03c2c91f8862e5b978e103040f2bde0293e74f61cf3f15ef9d0ce8f82bd8dd593a9cf26f50293b0211abae7564b5c900c3ec696a07ee37c6aa23113e1ee50153d42bcd1fbec6d410b8c9c54a011b71bf0966b609b579283b365f820afe95eaa42106739967e0335e8003989607abe3c339a0b16909d8f0c4b15b9e73804444a272346da5de86d0524d4e6d12ef2595c92bfd46456f3bb54d85c41480032e2f56c89d32b5fbf6e7910c11128ee924807fdf14d349c466e0f53d85325c7d336488aa2b5379761e818d3bc07ad6ca8dd932f80675a7f5d20c529790edab778926153fcf3a3fd0ed362df47d1bf11978583edcfa97ee2fac59525cfb5df9773cc8fbab2466c502f982e0230a025596d1ae51da06a177c6b73e2bae2bc5a783ef628ae349dbb67764d2891f10e7cd42e0794b16e0f3d7a7d34cd60bcc57c3eb7114e7429b8308b463200712c0f9bc8137d61e3d78ce74702f1db14dde4f4e4387cca885d90fbb4c21288fa53c622a23c6d6bad2e1e8d980ef87a713c5ebbfd76885f3a3858ee48c4fb02ac741576166427b787431e0c11b77ac75fbf5fe646dd25ac0e313f76bce8eda0e0667e0fafc3a4874bc70354b2f2f1c300453c73cb3e57a0fb1842233f98ebdb82e77a2bf773696dfe110161c0875b38e920b37329626b237916a1d049cf123e4eabf2a2302eb517015ae56bd36f5f4ef783b3d783c97cd9a5b88d646895a00b7acda753cdca80ac80aecb581e95d0fa240c3e6c66f5601ab4995f0657d82945838545e0d05777f117d57b873daff220abb5352b5550d55a4dbddd2a1edba2cbc0e9970c06c7ad74380770c206156617eebfa4fa07cc12fdb55ad344465f2d2bb35718a339a6a72104caafcb7ca470ed2cd3b3f2b67122e885aa2252f6496384748903d585b7ee705a9a3d51c64eb4142623106af229ca04bc6a07251d4f710afc2b75fa4b2399f19b8811698f65b069f3c568b3246515fb0cdf604d24f1a955f0b4cd0e4793ea1803af57b01e784e2e2edc0265570f2cede00deea36194d98e4dfb3d36bf3766b4728fd5ae3adcb5dd57d3532aeb64bb8d8a4bb54f25decee12ed2f01521d3009f712a8a1ec43df82fbaa3e53088b9e2065f0a087c1a7d1371059b50179b23175a063e7892e187f2f0914a1198c837c87799c96c42acd16f760c07c28e50f0b83842729fea448ee42d72eae9c74acdf0b984d115efe3a60d9c438269305e5748847968b8a5af3653447dfa3af4399eb13aadc6c23ec792d16a4f3366fb70385e8dae242b138ba2beb1ecc8ac1fd1459a4a364145d129b50022feec3e5e8f3d9a8e61d2535258139fd6878f4bb3717160b8dc6e8069c38564a400e5002c268d003f562f1adceb8cf0cf0f386cd0f9420303bc7d71ef50355ea752bc7b3ad79963ecf0b90a546b3624e0f9b441ae4cb1129cea0f5cb6775638b2953539bd340874ca2b27509cb17441ee00d1982b7fa8196723436c57950e582a6f0de7e62156c3fba47fe0378c36e406e81aa1b310b2461502b65a4f7c2f9bf8400000008b9fbbd19b01371847bc585d4b76e7e61d92b7ae8a9be28511422b1c3fbe29c720d552e908458dc62d614802158d7087542a1cbbe9d8279a5dab8015107f45f0 mousocoreworker.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "00180013CFF2160E" mousocoreworker.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1" mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00180013CFF2160E" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00180013CFF2160E = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000a83f114a8ca28f4c93bfff7b95686ed8000000000200000000001066000000010000200000002ce6337be8c29bfd01b5a83bc39c0efefd372568724ce553f2a8a6ab798ef6fb000000000e80000000020000200000003622b77d6e21257bab2f09eac7e55caed7bf8387c427137fa760bc967743defa80000000aa69433be5e7a5d541e2fec5cfbbaf57a65d9a90e4e3f697b480920d1bdc5e330a7fd6fa8b3bafd2dfc2c8fd3cb3576f8b74140ab0b5507d71b451e3c1091143a53ff33100690a5c842afdf6c9b47dda58af6ef514347e5f7d3956076c26402d2a56b691a10a280c835c71cedc9a51194239b78e9f74bc8e6ee4c109e21c2c9e400000002d41c46612fca0e1c89bc17ab9da246b3b00d0c8a9caa65a84ed4118808df66bdfe51dd655b0da774e2a3775f562219d15019e525f7bf5c53334944020e3ef2e mousocoreworker.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings calc.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5844 SCHTASKS.exe 5936 SCHTASKS.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5232 y0eystlw.kme.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 5756 powershell.exe 5756 powershell.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 5756 powershell.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 5640 powershell.exe 3784 dllhost.exe 3784 dllhost.exe 5640 powershell.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 640 powershell.exe 640 powershell.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 1432 powershell.exe 3784 dllhost.exe 3784 dllhost.exe 1432 powershell.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe 3784 dllhost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3644 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5232 y0eystlw.kme.exe Token: SeDebugPrivilege 5232 y0eystlw.kme.exe Token: SeDebugPrivilege 3784 dllhost.exe Token: SeDebugPrivilege 5756 powershell.exe Token: SeIncreaseQuotaPrivilege 5756 powershell.exe Token: SeSecurityPrivilege 5756 powershell.exe Token: SeTakeOwnershipPrivilege 5756 powershell.exe Token: SeLoadDriverPrivilege 5756 powershell.exe Token: SeSystemProfilePrivilege 5756 powershell.exe Token: SeSystemtimePrivilege 5756 powershell.exe Token: SeProfSingleProcessPrivilege 5756 powershell.exe Token: SeIncBasePriorityPrivilege 5756 powershell.exe Token: SeCreatePagefilePrivilege 5756 powershell.exe Token: SeBackupPrivilege 5756 powershell.exe Token: SeRestorePrivilege 5756 powershell.exe Token: SeShutdownPrivilege 5756 powershell.exe Token: SeDebugPrivilege 5756 powershell.exe Token: SeSystemEnvironmentPrivilege 5756 powershell.exe Token: SeRemoteShutdownPrivilege 5756 powershell.exe Token: SeUndockPrivilege 5756 powershell.exe Token: SeManageVolumePrivilege 5756 powershell.exe Token: 33 5756 powershell.exe Token: 34 5756 powershell.exe Token: 35 5756 powershell.exe Token: 36 5756 powershell.exe Token: SeAssignPrimaryTokenPrivilege 2236 svchost.exe Token: SeIncreaseQuotaPrivilege 2236 svchost.exe Token: SeSecurityPrivilege 2236 svchost.exe Token: SeTakeOwnershipPrivilege 2236 svchost.exe Token: SeLoadDriverPrivilege 2236 svchost.exe Token: SeSystemtimePrivilege 2236 svchost.exe Token: SeBackupPrivilege 2236 svchost.exe Token: SeRestorePrivilege 2236 svchost.exe Token: SeShutdownPrivilege 2236 svchost.exe Token: SeSystemEnvironmentPrivilege 2236 svchost.exe Token: SeUndockPrivilege 2236 svchost.exe Token: SeManageVolumePrivilege 2236 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2236 svchost.exe Token: SeIncreaseQuotaPrivilege 2236 svchost.exe Token: SeSecurityPrivilege 2236 svchost.exe Token: SeTakeOwnershipPrivilege 2236 svchost.exe Token: SeLoadDriverPrivilege 2236 svchost.exe Token: SeSystemtimePrivilege 2236 svchost.exe Token: SeBackupPrivilege 2236 svchost.exe Token: SeRestorePrivilege 2236 svchost.exe Token: SeShutdownPrivilege 2236 svchost.exe Token: SeSystemEnvironmentPrivilege 2236 svchost.exe Token: SeUndockPrivilege 2236 svchost.exe Token: SeManageVolumePrivilege 2236 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2236 svchost.exe Token: SeIncreaseQuotaPrivilege 2236 svchost.exe Token: SeSecurityPrivilege 2236 svchost.exe Token: SeTakeOwnershipPrivilege 2236 svchost.exe Token: SeLoadDriverPrivilege 2236 svchost.exe Token: SeSystemtimePrivilege 2236 svchost.exe Token: SeBackupPrivilege 2236 svchost.exe Token: SeRestorePrivilege 2236 svchost.exe Token: SeShutdownPrivilege 2236 svchost.exe Token: SeSystemEnvironmentPrivilege 2236 svchost.exe Token: SeUndockPrivilege 2236 svchost.exe Token: SeManageVolumePrivilege 2236 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2236 svchost.exe Token: SeIncreaseQuotaPrivilege 2236 svchost.exe Token: SeSecurityPrivilege 2236 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5332 wrote to memory of 5232 5332 loader.exe 82 PID 5332 wrote to memory of 5232 5332 loader.exe 82 PID 5232 wrote to memory of 3784 5232 y0eystlw.kme.exe 83 PID 5232 wrote to memory of 3784 5232 y0eystlw.kme.exe 83 PID 5232 wrote to memory of 3784 5232 y0eystlw.kme.exe 83 PID 5232 wrote to memory of 3784 5232 y0eystlw.kme.exe 83 PID 5232 wrote to memory of 3784 5232 y0eystlw.kme.exe 83 PID 5232 wrote to memory of 3784 5232 y0eystlw.kme.exe 83 PID 5232 wrote to memory of 3784 5232 y0eystlw.kme.exe 83 PID 5232 wrote to memory of 3784 5232 y0eystlw.kme.exe 83 PID 5232 wrote to memory of 3784 5232 y0eystlw.kme.exe 83 PID 5232 wrote to memory of 3784 5232 y0eystlw.kme.exe 83 PID 5232 wrote to memory of 3784 5232 y0eystlw.kme.exe 83 PID 5232 wrote to memory of 5844 5232 y0eystlw.kme.exe 84 PID 5232 wrote to memory of 5844 5232 y0eystlw.kme.exe 84 PID 5232 wrote to memory of 5936 5232 y0eystlw.kme.exe 85 PID 5232 wrote to memory of 5936 5232 y0eystlw.kme.exe 85 PID 5232 wrote to memory of 5756 5232 y0eystlw.kme.exe 86 PID 5232 wrote to memory of 5756 5232 y0eystlw.kme.exe 86 PID 3784 wrote to memory of 628 3784 dllhost.exe 5 PID 3784 wrote to memory of 680 3784 dllhost.exe 7 PID 3784 wrote to memory of 964 3784 dllhost.exe 12 PID 3784 wrote to memory of 476 3784 dllhost.exe 13 PID 3784 wrote to memory of 520 3784 dllhost.exe 14 PID 3784 wrote to memory of 700 3784 dllhost.exe 15 PID 3784 wrote to memory of 1048 3784 dllhost.exe 16 PID 3784 wrote to memory of 1072 3784 dllhost.exe 17 PID 3784 wrote to memory of 1124 3784 dllhost.exe 18 PID 3784 wrote to memory of 1232 3784 dllhost.exe 19 PID 3784 wrote to memory of 1324 3784 dllhost.exe 21 PID 3784 wrote to memory of 1336 3784 dllhost.exe 22 PID 3784 wrote to memory of 1352 3784 dllhost.exe 23 PID 3784 wrote to memory of 1364 3784 dllhost.exe 24 PID 3784 wrote to memory of 1388 3784 dllhost.exe 25 PID 3784 wrote to memory of 1576 3784 dllhost.exe 26 PID 3784 wrote to memory of 1584 3784 dllhost.exe 27 PID 3784 wrote to memory of 1600 3784 dllhost.exe 28 PID 3784 wrote to memory of 1624 3784 dllhost.exe 29 PID 3784 wrote to memory of 1748 3784 dllhost.exe 30 PID 3784 wrote to memory of 1816 3784 dllhost.exe 31 PID 3784 wrote to memory of 1864 3784 dllhost.exe 32 PID 3784 wrote to memory of 1928 3784 dllhost.exe 33 PID 3784 wrote to memory of 1940 3784 dllhost.exe 34 PID 3784 wrote to memory of 1952 3784 dllhost.exe 35 PID 3784 wrote to memory of 2036 3784 dllhost.exe 36 PID 3784 wrote to memory of 1216 3784 dllhost.exe 37 PID 3784 wrote to memory of 2168 3784 dllhost.exe 38 PID 3784 wrote to memory of 2236 3784 dllhost.exe 39 PID 3784 wrote to memory of 2364 3784 dllhost.exe 41 PID 3784 wrote to memory of 2392 3784 dllhost.exe 42 PID 3784 wrote to memory of 2696 3784 dllhost.exe 44 PID 3784 wrote to memory of 2704 3784 dllhost.exe 45 PID 3784 wrote to memory of 2748 3784 dllhost.exe 46 PID 3784 wrote to memory of 2804 3784 dllhost.exe 47 PID 3784 wrote to memory of 2860 3784 dllhost.exe 48 PID 3784 wrote to memory of 2880 3784 dllhost.exe 49 PID 3784 wrote to memory of 2928 3784 dllhost.exe 50 PID 3784 wrote to memory of 2968 3784 dllhost.exe 51 PID 3784 wrote to memory of 2980 3784 dllhost.exe 52 PID 3784 wrote to memory of 2876 3784 dllhost.exe 53 PID 3784 wrote to memory of 3084 3784 dllhost.exe 54 PID 3784 wrote to memory of 3184 3784 dllhost.exe 55 PID 3784 wrote to memory of 3560 3784 dllhost.exe 56 PID 3784 wrote to memory of 3644 3784 dllhost.exe 57 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:628
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:1072
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{132e42e1-a78c-44f2-b4b4-67b4aa27e573}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:680
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:964
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:476
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:520
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:700
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1048
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:1124
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1232
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1324 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2876
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1336
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1352
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1364
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1388
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1576
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2748
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1584
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1600
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1624
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1748
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1816
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1864
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1928
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1940
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1952
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2036
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1216
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2168
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2364
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2392
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2696
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2704
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2860
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Enumerates connected drives
PID:2880
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2928
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2968
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2980
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3084
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3184
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3560
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3644 -
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5332 -
C:\Users\Admin\AppData\Roaming\y0eystlw.kme.exe"C:\Users\Admin\AppData\Roaming\y0eystlw.kme.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5232 -
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77y0eystlw.kme.exe" /tr "'C:\Users\Admin\AppData\Roaming\y0eystlw.kme.exe'" /sc onlogon /rl HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:5844 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:4200
-
-
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77y0eystlw.kme.exe" /tr "'C:\Users\Admin\AppData\Roaming\y0eystlw.kme.exe'" /sc onlogon /rl HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:5936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5756 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:872
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-WmiObject Win32_BIOS | Select-Object -ExpandProperty SMBIOSBIOSVersion4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5640 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:1520
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-WmiObject Win32_PhysicalMemory | Select-Object -ExpandProperty Speed4⤵
- Suspicious behavior: EnumeratesProcesses
PID:640 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5900
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-WmiObject Win32_VideoController | Select-Object -ExpandProperty Name4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1432 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:856
-
-
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"4⤵
- Modifies registry class
PID:1084 -
C:\Windows\System32\win32calc.exe"C:\Windows\System32\win32calc.exe"5⤵PID:5800
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3772
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4044
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3752
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4280
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:1104
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5736
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:5480
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:5356
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:5192
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:4460
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:768
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:1924
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1068
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2200
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵PID:5888
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:2108
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Enumerates system info in registry
PID:1860
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe e9f32a8db49decb1b23c3c6ac620b838 O1AtRC8hVUKd4lOLc+39zQ.0.1.0.0.01⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:2276 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1976
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
PID:4520
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:3272
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:4824
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1208
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indicator Removal
1Clear Windows Event Logs
1Modify Registry
1Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD54817c9686cc0f425997b300cafbbd2cd
SHA1cbe91fb33b7a07fc278071b68c952092dcec5a11
SHA25611abbd39c37e78163bb159315d2771342b9f4761c117dde4d950691279e4fa9e
SHA5122e6c025fe434d7424a83a99595884e545e7adaac06285c88ef172bd61f09f0f31521102911416b51ab9ee9b01f0e42df1d596aaba67ff67714804acc8c9d2aab
-
Filesize
1KB
MD5e6aa8d40bc3b76791cc23f95f479ebcf
SHA10e4fc1b4461cf7b85468b9e939b4521b95fd415f
SHA2566333450ce03637be9a1bcd2530d65264b31cfe1aa2bdfa56452dd35c791d01f7
SHA512f7a411e2c34c5c7ab94f2640453899c603576f93dbb2c784c01e49cf349983be290d2969e2729779a6c9933a9862124f82648ea27e17df84146d67e361c8b739
-
Filesize
1KB
MD5519d02abbf7968abed3ce0345112697b
SHA1884c79e03a75605800671980d61dff850adf877a
SHA256797de7b7f3a7880fb4eafa2ef7c8d5187320abdf4e34715889b8e6b94d300ea5
SHA51266735134580456b23b03fbcbeb291e99f61b8d3c5210f4754fcce2ef2a275b4fa3a0db47862e8be21b189bd0a1c9077b2811f56683b392f3fb4717fc7cc0e822
-
Filesize
1KB
MD5aaf86888dd37dee35083b84ec0420fc9
SHA1b966a9d6918ffb34e1f4b1a347dd5114c1ed2f60
SHA256b2762684035a591107bd3f42e3824c983e15cb980a1e000480cfe965e2563987
SHA512cf735a392c33c22d1fdcd7215fe4fed85dce708560aa4f99f1efa99b68eaf953438c39b01126551519c1788131032b86de5f1dc9ed5f59aa5d9d3f3df75097a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
363KB
MD51b0b97cb1346c496b8368b3e9622d8fd
SHA1ebe3c3f59f26d341933317dec9ed00b041c90d04
SHA25632ea7d3ceea4b73b2a98ef55aebc41581fdfad995fe9d9cc2411dedc1806f28a
SHA51205a4933ed5c5f965058c03ff00828e7bafc71966804955d7962bc6cb8ebab96a1c8f435b9157da3c2a8aa8549b0807d902820831a7ca1108f6491fa6919fe22e
-
Filesize
2KB
MD54ac1741ceb19f5a983079b2c5f344f5d
SHA1f1ebd93fbade2e035cd59e970787b8042cdd0f3b
SHA2567df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc
SHA512583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd
-
Filesize
2KB
MD5a9124c4c97cba8a07a8204fac1696c8e
SHA11f27d80280e03762c7b16781608786f5a98ff434
SHA2568ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21
SHA512537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD50b2fbd09b2be9628e6e69daaa051df23
SHA1e713cc8cc773e5f3d9a399f45d7c84ee637485ea
SHA256dc50ec5a6f59cef5c44be016620d2bfaae77f4e02392171936653e13170d49fc
SHA5123f58bf878785bc7e47e1e9cab4d34cf6fa1cd7bad5e1578af2ea89140647c7cb8f0941a1160f45183844676f2f809cc7294837119d1ae08e1fb4454e4710fbdf