Analysis

- max time kernel: 306s
- max time network: 326s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30-06-2024 23:36
Behavioral tasks

- behavioral1: Loaderldsaldls.exe (resource: win10-20240404-en)
- behavioral2: ⌚/output.exe (resource: win10-20240611-en)
- behavioral3: ⌚/output2.exe (resource: win10-20240404-en)
- behavioral4: Source/QtGraphicalEffects/Qt5WebEngineCore.dll (resource: win10-20240404-en)
- behavioral5: Source/QtGraphicalEffects/RadialBlur.js (resource: win10-20240404-en)
- behavioral6: Source/QtQuick/Controls/Styles/Base/StatusIndicatorStyle.js (resource: win10-20240404-en)
- behavioral7: Source/QtQuick/Controls/Styles/Desktop/ComboBoxStyle.js (resource: win10-20240404-en)
- behavioral8: Source/QtQuick/Controls/Styles/Desktop/GroupBoxStyle.js (resource: win10-20240404-en)
- behavioral9: Source/QtQuick/Controls/Styles/Desktop/MenuStyle.js (resource: win10-20240611-en)
- behavioral10: Source/QtQuick/Controls/Styles/Desktop/SpinBoxStyle.js (resource: win10-20240404-en)
- behavioral11: Source/QtQuick/Controls/Styles/Desktop/TreeViewStyle.js (resource: win10-20240404-en)
- behavioral12: Source/QtQuick/Controls/Styles/Flat/qtquickextrasflatplugin.dll (resource: win10-20240404-en)
- behavioral13: Source/QtQuick/Controls/TabView.js (resource: win10-20240404-en)
- behavioral14: Source/QtQuick/Controls/TableView.js (resource: win10-20240404-en)
- behavioral15: Source/QtQuick/Controls/TableViewColumn.js (resource: win10-20240404-en)
- behavioral16: Source/QtQuick/Controls/TextArea.js (resource: win10-20240611-en)
- behavioral17: Source/QtQuick/Controls/TreeView.js (resource: win10-20240404-en)
- behavioral18: Source/QtQuick/Controls/qtquickcontrolsplugin.dll (resource: win10-20240404-en)
- behavioral19: Source/QtQuick/Layouts/qquicklayoutsplugin.dll (resource: win10-20240404-en)
- behavioral20: Source/QtQuick/Templates.2/qtquicktemplates2plugin.dll (resource: win10-20240404-en)
- behavioral21: Source/QtQuick/Window.2/windowplugin.dll (resource: win10-20240404-en)
- behavioral22: Source/QtWebEngine/qtwebengineplugin.dll (resource: win10-20240404-en)
- behavioral23: Source/QtWinExtras/qml_winextras.dll (resource: win10-20240611-en)
- behavioral24: Source/audio/qtaudio_wasapi.dll (resource: win10-20240404-en)
- behavioral25: Source/audio/qtaudio_windows.dll (resource: win10-20240404-en)
- behavioral26: Source/imageformats/qgif.dll (resource: win10-20240404-en)
- behavioral27: Source/imageformats/qico.dll (resource: win10-20240404-en)
- behavioral28: Source/imageformats/qjpeg.dll (resource: win10-20240404-en)
- behavioral29: Source/imageformats/qsvg.dll (resource: win10-20240611-en)
- behavioral30: Source/imageformats/qwebp.dll (resource: win10-20240404-en)
- behavioral31: Source/platforms/qwindows.dll (resource: win10-20240404-en)
- behavioral32: Source/styles/qwindowsvistastyle.dll (resource: win10-20240611-en)
General

- Target: Loaderldsaldls.exe
- Size: 667.6MB
- MD5: 4d7ef45e0306a1affb7bf13a8d4df52a
- SHA1: b61beea3033558114e5a158742b2e54a46ee432a
- SHA256: 55c958d034353bdcb6de3ac799e3df870ab56e8aef1cfb215ed853f178ad11c5
- SHA512: 7200fcc6d431a148aa683b4f2e4cbfe07a66ed260685ef12ecee5fecd1d7e48c51e6e822f47e4e9921cac5422a30aa8933a956991e00425f1a797fd4d26e5f6a
- SSDEEP: 98304:pojXoXU7jjY7cYq5uGfUTHrZ2UZX40Dp+nShHhFuyWf2+UX50aV+K6d+GV/F:pU6Sjc796e1B4+/VXuyM2TX2+6oq
Malware Config

Extracted family: lumma
C2 URLs:
- https://piedsiggnycliquieaw.shop/api
- https://potterryisiw.shop/api
- https://foodypannyjsud.shop/api
- https://contintnetksows.shop/api
- https://reinforcedirectorywd.shop/api
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes:
- output.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- update.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
XMRig Miner payload (32 IoCs; xmrig YARA rule matched in the memory of PID 828, region 0x0000000140000000-0x0000000140848000, behavioral1)
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
- powershell.exe (PID 1348)
- powershell.exe (PID 1876)
Creates new service(s) (2 TTPs)
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- output.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- output.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- update.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- update.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Executes dropped EXE (3 IoCs)
Processes:
- output.exe (PID 1912)
- output2.exe (PID 344)
- update.exe (PID 504)
YARA rule: themida (11 IoCs; matched in the memory of output.exe PID 1912, region 0x00007FF682940000-0x00007FF68310D000, and update.exe PID 504, region 0x00007FF653A00000-0x00007FF6541CD000, behavioral1)
YARA rule: upx (37 IoCs; matched in the memory of conhost.exe PID 828, region 0x0000000140000000-0x0000000140848000, behavioral1)
Checks whether UAC is enabled (2 IoCs)
Processes:
- output.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- update.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Power Settings (1 TTP, 8 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
- powercfg.exe (PIDs 1040, 4068, 3032, 3588, 3044, 5092, 8, 4204)
Drops file in System32 directory (4 IoCs)
Processes:
- output.exe: File opened for modification C:\Windows\system32\MRT.exe
- powershell.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- powershell.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- update.exe: File opened for modification C:\Windows\system32\MRT.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
- output2.exe (PID 344) set thread context of RegAsm.exe (PID 4856)
- update.exe (PID 504) set thread context of conhost.exe (PID 4804)
- update.exe (PID 504) set thread context of conhost.exe (PID 828)
Drops file in Windows directory (6 IoCs)
Processes (each of the three taskmgr.exe instances):
- taskmgr.exe: File created C:\Windows\rescache\_merged\4183903823\2290032291.pri
- taskmgr.exe: File created C:\Windows\rescache\_merged\1601268389\715946058.pri
Launches sc.exe (14 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes:
- sc.exe (PIDs 1092, 1512, 4208, 3428, 1704, 4728, 4896, 2912, 2324, 2260, 2332, 1088, 2968, 648)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
Processes:
- WerFault.exe (PID 2136) handled a crash of output2.exe (PID 344)
Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (each of the three taskmgr.exe instances):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (each of two taskmgr.exe instances):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Modifies data under HKEY_USERS (47 IoCs; powershell.exe creating SystemCertificates keys and setting Internet Settings\ZoneMap values under \REGISTRY\USER\.DEFAULT)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- output.exe (PID 1912)
- powershell.exe (PID 1348)
- update.exe (PID 504)
- powershell.exe (PID 1876)
- conhost.exe (PID 828)
- taskmgr.exe (PID 3708)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- taskmgr.exe (PID 3708)
Suspicious use of AdjustPrivilegeToken (64 IoCs; powershell.exe PIDs 1348 and 1876, powercfg.exe, taskmgr.exe PIDs 3708, 3204 and 4728, and conhost.exe PID 828, which acquired SeLockMemoryPrivilege)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
- taskmgr.exe (PID 3708), all 64 occurrences
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
- taskmgr.exe (PID 3708), all 64 occurrences
Suspicious use of WriteProcessMemory (37 IoCs)
Processes (distinct writer → target pairs):
- Loaderldsaldls.exe (PID 4388) → output.exe (PID 1912)
- Loaderldsaldls.exe (PID 4388) → output2.exe (PID 344)
- cmd.exe (PID 3108) → wusa.exe (PID 2268)
- cmd.exe (PID 1324) → wusa.exe (PID 3588)
- cmd.exe (PID 4212) → choice.exe (PID 2436)
- output2.exe (PID 344) → RegAsm.exe (PID 1564)
- output2.exe (PID 344) → RegAsm.exe (PID 4856)
- update.exe (PID 504) → conhost.exe (PID 4804)
- update.exe (PID 504) → conhost.exe (PID 828)
Processes
Depth in the process tree is shown in brackets; children are indented under their parent, and the sandbox's behaviour flags follow each command line.

[1] C:\Users\Admin\AppData\Local\Temp\Loaderldsaldls.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Loaderldsaldls.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\output.exe
      Command line: C:\Users\Admin\AppData\Roaming\output.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\wusa.exe
          Command line: wusa /uninstall /kb:890830 /quiet /norestart
    [3] C:\Windows\system32\sc.exe
        Command line: C:\Windows\system32\sc.exe stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        Command line: C:\Windows\system32\sc.exe stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        Command line: C:\Windows\system32\sc.exe stop bits
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        Command line: C:\Windows\system32\sc.exe stop dosvc
        - Launches sc.exe
    [3] C:\Windows\system32\powercfg.exe
        Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\powercfg.exe
        Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\powercfg.exe
        Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\powercfg.exe
        Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\sc.exe
        Command line: C:\Windows\system32\sc.exe delete "ZGeniusCalc"
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        Command line: C:\Windows\system32\sc.exe create "ZGeniusCalc" binpath= "C:\ProgramData\GeniusCalc\update.exe" start= "auto"
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        Command line: C:\Windows\system32\sc.exe stop eventlog
        - Launches sc.exe
    [3] C:\Windows\system32\sc.exe
        Command line: C:\Windows\system32\sc.exe start "ZGeniusCalc"
        - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\output.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\choice.exe
          Command line: choice /C Y /N /D Y /T 3
  [2] C:\Users\Admin\AppData\Roaming\output2.exe
      Command line: C:\Users\Admin\AppData\Roaming\output2.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 328
        - Program crash
[1] C:\ProgramData\GeniusCalc\update.exe
    Command line: C:\ProgramData\GeniusCalc\update.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\wusa.exe
        Command line: wusa /uninstall /kb:890830 /quiet /norestart
  [2] C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe
  [2] C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe
  [2] C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe
  [2] C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe
  [2] C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe
  [2] C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\conhost.exe
      Command line: C:\Windows\system32\conhost.exe
  [2] C:\Windows\system32\conhost.exe
      Command line: conhost.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /0
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /0
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /0
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
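The command lines in the tree above are what a detection engineer would key on: Add-MpPreference exclusions covering the whole user profile and ProgramData, sc.exe stops of the Windows Update stack (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc) and of the event log, a service named ZGeniusCalc whose binary lives in C:\ProgramData, powercfg timeouts set to 0 so the host never sleeps, wusa /uninstall of KB890830 (the Malicious Software Removal Tool), and a choice-delayed Del of the dropper. The following Python is an added example and not part of the report or the sample: it runs simple rules over constructed process-creation records built from those command lines. Only PIDs 1912, 3108 and 4212 come from the WriteProcessMemory table above; the 9xxx PIDs and the ATT&CK technique mapping are this example's assumptions (the report's own MITRE ATT&CK Matrix section did not render on this page).

```python
"""Rule-based triage of process-creation records for the behaviours in this
report: Defender exclusions, Windows Update / Event Log service stops, service
persistence from ProgramData, power-timeout changes, MSRT (KB890830) removal and
timed self-deletion.  SAMPLE is constructed from the report's command lines; only
PIDs 1912, 3108 and 4212 are from the report, the 9xxx PIDs are made up."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    pid: int
    rule: str
    technique: str  # ATT&CK technique ID: this example's mapping, not the report's
    command_line: str


# Stopping these breaks updating, remediation (WaaSMedic) or logging.
TAMPER_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc", "eventlog"}
# A service binary under these directories is writable by a normal user.
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\appdata\\")


def rule_defender_exclusion(image, cmd):
    cl = cmd.lower()
    if "powershell" in image and "add-mppreference" in cl and "-exclusion" in cl:
        return "Defender exclusion added with Add-MpPreference", "T1562.001"


def rule_service_stop(image, cmd):
    m = re.search(r'sc(?:\.exe)?\s+stop\s+"?([\w.-]+)', cmd, re.I)
    if m and m.group(1).lower() in TAMPER_SERVICES:
        return f"Stop of service {m.group(1)} via sc.exe", "T1489"


def rule_service_create(image, cmd):
    m = re.search(r'sc(?:\.exe)?\s+create\s+"?([^"\s]+)"?.*?binpath=\s*(?:"([^"]*)"|(\S+))',
                  cmd, re.I)
    if m:
        binpath = (m.group(2) or m.group(3)).lower()
        if any(d in binpath for d in USER_WRITABLE):
            return f"Service {m.group(1)} created with binary in user-writable path", "T1543.003"


def rule_powercfg(image, cmd):
    if "powercfg" in image and re.search(r"-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", cmd, re.I):
        return "Sleep/hibernate timeout set to 0 (keeps the host awake)", "T1653"


def rule_msrt_removal(image, cmd):
    cl = cmd.lower()
    if "wusa" in cl and "/uninstall" in cl and "kb:890830" in cl:
        return "Uninstall of KB890830 (Malicious Software Removal Tool)", "T1562.001"


def rule_timed_self_delete(image, cmd):
    if re.search(r"choice\s+/c\s+y\s+/n\s+/d\s+y\s+/t\s+\d+\s*&\s*del\b", cmd, re.I):
        return "Timed self-deletion via choice delay + del", "T1070.004"


RULES = [rule_defender_exclusion, rule_service_stop, rule_service_create,
         rule_powercfg, rule_msrt_removal, rule_timed_self_delete]


def detect(records):
    """records: iterable of (pid, image_path, command_line) -> list of Hit."""
    hits = []
    for pid, image, cmd in records:
        for rule in RULES:
            res = rule(image.lower(), cmd)
            if res:
                hits.append(Hit(pid, res[0], res[1], cmd))
    return hits


def techniques(hits):
    """Sorted, de-duplicated ATT&CK IDs for a one-line summary."""
    return sorted({h.technique for h in hits})


S32 = r"C:\Windows\system32"
PS = S32 + r"\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    (1912, r"C:\Users\Admin\AppData\Roaming\output.exe", r"C:\Users\Admin\AppData\Roaming\output.exe"),
    (9001, PS, PS + r" Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (3108, S32 + r"\cmd.exe", S32 + r"\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (9002, S32 + r"\sc.exe", S32 + r"\sc.exe stop UsoSvc"),
    (9003, S32 + r"\powercfg.exe", S32 + r"\powercfg.exe /x -hibernate-timeout-ac 0"),
    (9004, S32 + r"\sc.exe", S32 + r'\sc.exe delete "ZGeniusCalc"'),
    (9005, S32 + r"\sc.exe", S32 + r'\sc.exe create "ZGeniusCalc" binpath= "C:\ProgramData\GeniusCalc\update.exe" start= "auto"'),
    (9006, S32 + r"\sc.exe", S32 + r"\sc.exe stop eventlog"),
    (9007, S32 + r"\sc.exe", S32 + r'\sc.exe start "ZGeniusCalc"'),
    (4212, S32 + r"\cmd.exe", S32 + r'\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\output.exe"'),
    # Benign look-alikes that must not fire.
    (9101, S32 + r"\sc.exe", S32 + r"\sc.exe query wuauserv"),
    (9102, PS, PS + r" Get-MpPreference"),
    (9103, S32 + r"\powercfg.exe", S32 + r"\powercfg.exe /x -monitor-timeout-ac 10"),
]

if __name__ == "__main__":
    found = detect(SAMPLE)
    for h in found:
        print(f"pid {h.pid}: {h.rule} [{h.technique}]")
    print("techniques:", ", ".join(techniques(found)))
```

The rules match on the full command line rather than on the image name alone, so `sc.exe query` and `Get-MpPreference` do not fire. On a live host the same state can be confirmed with Get-MpPreference (ExclusionPath and ExclusionExtension), `sc.exe qc ZGeniusCalc`, and Get-Service for the five update services; removing MSRT alongside the Defender exclusions is how the sample keeps its dropped payload unscanned.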
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri
  Filesize: 171KB
  MD5: 30ec43ce86e297c1ee42df6209f5b18f
  SHA1: fe0a5ea6566502081cb23b2f0e91a3ab166aeed6
  SHA256: 8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4
  SHA512: 19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri
  Filesize: 2KB
  MD5: b8da5aac926bbaec818b15f56bb5d7f6
  SHA1: 2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5
  SHA256: 5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086
  SHA512: c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_icdjntbk.oan.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Memory dumps
File names follow memory/<pid>-<snapshot>-<start>-<end>-memory.dmp; dumps of the same region are grouped by PID.

PID   Region                                   Size   Snapshots
504   0x00007FF653A00000-0x00007FF6541CD000    7.8MB  68, 69, 70, 71, 239
828   0x0000000140000000-0x0000000140848000    8.3MB  230-236, 240-244, 252, 255-263, 266-280
828   0x000001FD3AE00000-0x000001FD3AE20000    128KB  237
1348  0x00007FFB65DB3000-0x00007FFB65DB4000    4KB    12
1348  0x00000249475D0000-0x00000249475F2000    136KB  13
1348  0x00007FFB65DB0000-0x00007FFB6679C000    9.9MB  14, 15, 58
1348  0x0000024947890000-0x0000024947906000    472KB  18
1876  0x000001714FEA0000-0x000001714FEBC000    112KB  94
1876  0x0000017150180000-0x0000017150239000    740KB  100
1876  0x000001714FEC0000-0x000001714FECA000    40KB   133
1912  0x00007FF682940000-0x00007FF68310D000    7.8MB  4, 5, 6, 7, 52, 64
4804  0x0000000140000000-0x000000014000D000    52KB   222, 223, 224, 225, 226, 229
4856  0x0000000000400000-0x000000000045E000    376KB  63, 65
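Read together, the WriteProcessMemory table at the top of this section and the memory dump list above tell one story: output2.exe (PID 344) wrote into two RegAsm.exe processes and the sandbox dumped a 376KB region at 0x400000 from PID 4856; update.exe (PID 504) wrote into two conhost.exe processes and the dumps for PIDs 4804 and 828 start at 0x140000000. Those are the MSVC linker's default image bases for x86 and x64, and an image sitting at its preferred base inside an ASLR-relocated system binary is the usual footprint of a manually mapped or hollowed payload, which is also what the "Suspicious use of SetThreadContext" flags on output2.exe and update.exe point at. The Python below is an added example and not the report's code: it parses both record formats and applies that heuristic. The input is a subset of the report's records, re-typed one per line, and the default-image-base rule is an assumption of this example, not a finding the report states.

```python
"""Rebuild the injection chain from the sandbox's WriteProcessMemory records
and cross-check it against the memory regions the sandbox dumped.  WRITES and
DUMPS are a subset of the report's own records.  The heuristic (a dumped region
that starts exactly at a linker default image base, 0x400000 for x86 or
0x140000000 for x64, inside a process its parent wrote to) is this example's."""
import re
from collections import Counter, defaultdict

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
DEFAULT_IMAGE_BASES = {0x400000, 0x140000000}  # MSVC linker defaults, x86 and x64


def parse_writes(text):
    """Counter keyed by (writer_pid, writer, target_pid, target); the value is
    the number of WriteProcessMemory records seen for that pair."""
    return Counter((int(w), writer, int(t), target)
                   for w, t, writer, target in WRITE_RE.findall(text))


def parse_dumps(lines):
    """{pid: {(start, end): [snapshot ids]}} recovered from dump file names."""
    regions = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = DUMP_RE.search(line)
        if m:
            regions[int(m[1])][(int(m[3], 16), int(m[4], 16))].append(int(m[2]))
    return regions


def injection_chain(writes):
    """Edges writer(pid) -> target(pid) with write counts, in record order."""
    return [f"{w}({wp}) -> {t}({tp}) x{n}" for (wp, w, tp, t), n in writes.items()]


def suspicious_targets(writes, regions):
    """Written-to processes whose dumped regions sit at a default image base.
    conhost.exe and RegAsm.exe are relocated by ASLR, so an image at its
    preferred base inside them is most likely a manually mapped payload."""
    out = []
    for (wp, w, tp, t), n in writes.items():
        for (start, end), snaps in regions.get(tp, {}).items():
            if start in DEFAULT_IMAGE_BASES:
                out.append({"target_pid": tp, "target": t, "writer": f"{w} ({wp})",
                            "writes": n, "base": start, "size": end - start,
                            "snapshots": sorted(snaps)})
    return sorted(out, key=lambda r: r["target_pid"])


# Subset of the report's records (constructed input for this example).
WRITES = """
PID 4388 wrote to memory of 1912 4388 Loaderldsaldls.exe output.exe
PID 4388 wrote to memory of 344 4388 Loaderldsaldls.exe output2.exe
PID 344 wrote to memory of 1564 344 output2.exe RegAsm.exe
PID 344 wrote to memory of 4856 344 output2.exe RegAsm.exe
PID 344 wrote to memory of 4856 344 output2.exe RegAsm.exe
PID 504 wrote to memory of 4804 504 update.exe conhost.exe
PID 504 wrote to memory of 828 504 update.exe conhost.exe
PID 504 wrote to memory of 828 504 update.exe conhost.exe
"""
DUMPS = [
    "memory/1912-4-0x00007FF682940000-0x00007FF68310D000-memory.dmp",    # output.exe at an ASLR base
    "memory/4856-63-0x0000000000400000-0x000000000045E000-memory.dmp",   # RegAsm.exe, x86 default base
    "memory/4804-222-0x0000000140000000-0x000000014000D000-memory.dmp",  # conhost.exe, x64 default base
    "memory/828-230-0x0000000140000000-0x0000000140848000-memory.dmp",
    "memory/828-231-0x0000000140000000-0x0000000140848000-memory.dmp",
    "memory/828-237-0x000001FD3AE00000-0x000001FD3AE20000-memory.dmp",   # not at a default base
]

if __name__ == "__main__":
    writes = parse_writes(WRITES)
    print("\n".join(injection_chain(writes)))
    for r in suspicious_targets(writes, parse_dumps(DUMPS)):
        print(f"{r['target']} pid {r['target_pid']} written by {r['writer']}: "
              f"{r['size'] // 1024} KB at {r['base']:#x}, snapshots {r['snapshots']}")
```

The 8.3MB region in PID 828 is by far the largest dump in the report and the one to carve first: a PE at 0x140000000 inside conhost.exe is the payload update.exe was started as a service to run, whereas the 52KB region in PID 4804 is small enough to be a stub or loader. The heuristic is deliberately narrow; a packer that relocates its payload will not trip it, so it complements rather than replaces the SetThreadContext and WriteProcessMemory flags.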