Analysis
max time kernel: 122s
max time network: 119s
resource: win10v191014

Task | Sample | Resource | Signatures
task1 | d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc.exe | win7v191014 | 0
task2 | d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc.exe | win10v191014 | 0

General
Target: d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc
Sample: 191025-blt53ekjex
SHA256: d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc
Score: N/A

Malware Config

Signatures
Drops file in system dir (5 IoCs)
All five events come from the BITS service host (PID 4400, svchost.exe -k netsvcs -s BITS), not from either sample process (5000, 4780).
description | ioc | pid | Process
File opened for modification | C:\Windows\Debug\ESE.TXT | 4400 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 4400 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 4400 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 4400 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 4400 | svchost.exe
Program crash (32 IoCs)
pid | Process: all 32 are WerFault.exe: 324, 4628, 4656, 4752, 3792, 4380, 4124, 772, 4616, 3016, 756, 828, 3768, 3896, 4668, 4256, 4224, 3844, 2316, 3328, 3396, 1504, 1924, 2492, 4568, 3812, 4772, 4676, 1060, 992, 1584, 4968.
From the -p argument of each WerFault.exe command line in the process tree, the first 15 (324 through 4668) report crashes of PID 5000, the initial run of the sample, and the remaining 17 (4256 through 4968) report crashes of PID 4780, its re-launch with --Admin IsNotAutoStart IsNotTask. The sample crashed repeatedly in both stages during the run.
Suspicious use of WriteProcessMemory (35 IoCs)
32 of the 35 rows are the WER service host (PID 1920, svchost.exe -k WerSvcGroup) writing into each WerFault.exe it starts. The sample itself accounts for two rows, 5000 writing into 4708 (icacls.exe) and into 4780 (its own re-launch), and SppExtComObj.exe (292) writes into SLUI.exe (1688). In every row the target is a process the writer has just created; none shows a write into an unrelated process.
description | pid | Process | procid_target
PID 1920 wrote to memory of 324 | 1920 | svchost.exe | 75
PID 292 wrote to memory of 1688 | 292 | SppExtComObj.exe | 76
PID 1920 wrote to memory of 4628 | 1920 | svchost.exe | 80
PID 1920 wrote to memory of 4656 | 1920 | svchost.exe | 81
PID 1920 wrote to memory of 4752 | 1920 | svchost.exe | 82
PID 1920 wrote to memory of 3792 | 1920 | svchost.exe | 83
PID 1920 wrote to memory of 4380 | 1920 | svchost.exe | 84
PID 1920 wrote to memory of 4124 | 1920 | svchost.exe | 85
PID 1920 wrote to memory of 772 | 1920 | svchost.exe | 86
PID 1920 wrote to memory of 4616 | 1920 | svchost.exe | 87
PID 1920 wrote to memory of 3016 | 1920 | svchost.exe | 88
PID 1920 wrote to memory of 756 | 1920 | svchost.exe | 89
PID 1920 wrote to memory of 828 | 1920 | svchost.exe | 90
PID 1920 wrote to memory of 3768 | 1920 | svchost.exe | 91
PID 5000 wrote to memory of 4708 | 5000 | d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc.exe | 92
PID 1920 wrote to memory of 3896 | 1920 | svchost.exe | 93
PID 1920 wrote to memory of 4668 | 1920 | svchost.exe | 94
PID 5000 wrote to memory of 4780 | 5000 | d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc.exe | 95
PID 1920 wrote to memory of 4256 | 1920 | svchost.exe | 96
PID 1920 wrote to memory of 4224 | 1920 | svchost.exe | 97
PID 1920 wrote to memory of 3844 | 1920 | svchost.exe | 98
PID 1920 wrote to memory of 2316 | 1920 | svchost.exe | 99
PID 1920 wrote to memory of 3328 | 1920 | svchost.exe | 100
PID 1920 wrote to memory of 3396 | 1920 | svchost.exe | 101
PID 1920 wrote to memory of 1504 | 1920 | svchost.exe | 102
PID 1920 wrote to memory of 1924 | 1920 | svchost.exe | 103
PID 1920 wrote to memory of 2492 | 1920 | svchost.exe | 104
PID 1920 wrote to memory of 4568 | 1920 | svchost.exe | 105
PID 1920 wrote to memory of 3812 | 1920 | svchost.exe | 106
PID 1920 wrote to memory of 4772 | 1920 | svchost.exe | 115
PID 1920 wrote to memory of 4676 | 1920 | svchost.exe | 116
PID 1920 wrote to memory of 1060 | 1920 | svchost.exe | 117
PID 1920 wrote to memory of 992 | 1920 | svchost.exe | 118
PID 1920 wrote to memory of 1584 | 1920 | svchost.exe | 119
PID 1920 wrote to memory of 4968 | 1920 | svchost.exe | 120
Suspicious behavior: EnumeratesProcesses (35 IoCs)
pid | Process
WerFault.exe (32): 324, 4628, 4656, 4752, 3792, 4380, 4124, 772, 4616, 3016, 756, 828, 3768, 3896, 4668, 4256, 4224, 3844, 2316, 3328, 3396, 1504, 1924, 2492, 4568, 3812, 4772, 4676, 1060, 992, 1584, 4968
svchost.exe (1): 1920 (the -k WerSvcGroup host)
d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc.exe (2): 5000, 4780
Modifies system certificate store (1 IoC)
The write is by the sample (PID 5000) into the AuthRoot store. AuthRoot is the cache that CryptoAPI fills from the Windows automatic root-update list when a TLS connection chains to a root not yet present, so a single Blob write here is consistent with the sample making a TLS connection; on its own it does not show the sample installing a root certificate of its own.
description | ioc | pid | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 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 | 5000 | d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc.exe
Adds Run entry to start application (2 TTPs, 1 IoC)
The sample (PID 5000) registers a copy of itself under the user's Run key as SysHelper, launched with --AutoStart from C:\Users\Admin\AppData\Local\65d93abd-5b44-4787-b20a-693057c33140. That is the directory PID 4708 (icacls.exe) then protects with a deny ACE for Everyone, and the same image is re-launched as PID 4780 with --Admin IsNotAutoStart IsNotTask (see the process tree).
description | ioc | pid | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\65d93abd-5b44-4787-b20a-693057c33140\\d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc.exe\" --AutoStart" | 5000 | d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc.exe
Modifies service (2 TTPs, 1 IoC)
The value is written by the BITS service host itself (PID 4400, svchost.exe -k netsvcs -s BITS) under its own Performance key; neither sample process is involved.
description | ioc | pid | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance\PerfMMFileName = "Global\\MMF_BITScc466fa7-9ea4-4db7-bc79-061dfe8b398f" | 4400 | svchost.exe
Windows security modification (2 IoCs)
Both writes come from the Security Center service host itself (PID 5112, svchost.exe -k localservicenetworkrestricted -s wscsvc), which toggles its own cval value from 0 to 1; neither sample process touched this key.
description | ioc | pid | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" | 5112 | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" | 5112 | svchost.exe
Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
Both rows come from the WER service host (PID 1920) and reference the two crashing sample processes, 5000 and 4780, the same PIDs the WerFault.exe instances name in -p. The Windows Error Reporting service launches WerFault.exe with the crashing process set as its parent, so this is WER's own behaviour rather than parent-PID spoofing by the sample.
description | pid | Process | procid_target
PID 1920 created 5000 | 1920 | svchost.exe | 70
PID 1920 created 4780 | 1920 | svchost.exe | 95
Suspicious use of AdjustPrivilegeToken (34 IoCs)
description | pid | Process
All 34 token adjustments are by WerFault.exe. PID 324 adjusted its token for SeRestorePrivilege, SeBackupPrivilege and SeDebugPrivilege; each of the other 31 instances (4628, 4656, 4752, 3792, 4380, 4124, 772, 4616, 3016, 756, 828, 3768, 3896, 4668, 4256, 4224, 3844, 2316, 3328, 3396, 1504, 1924, 2492, 4568, 3812, 4772, 4676, 1060, 992, 1584, 4968) adjusted its token for SeDebugPrivilege.
Checks system information in the registry (likely anti-VM) (2 TTPs, 64 IoCs)
Every IoC is a "Key value queried" of one of two values:
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
Both values were read by each of 32 processes: WerFault.exe 324, 4628, 4656, 4752, 3792, 4380, 4124, 772, 4616, 3016, 756, 828, 3768, 3896, 4668, 4256, 4224, 3844, 2316, 3328, 3396, 1504, 1924, 2492, 4568, 3812, 4772, 4676, 1060, 992, 1584 (31 instances) and svchost.exe 4912 (-k netsvcs -s DoSvc).
Neither sample process (5000, 4780) appears here. WerFault.exe reads the manufacturer and product name while assembling a crash report, so in this run the signature reflects crash reporting by Windows components, not a virtualisation check by the sample.
Processes
The report renders every process at the same tree depth, so parent/child relationships are not visible here; read them from the WriteProcessMemory and NtCreateUserProcessOtherParentProcess rows above. For each WerFault.exe entry the -p argument names the crashing process.

C:\Users\Admin\AppData\Local\Temp\d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc.exe (PID 5000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Modifies system certificate store
  - Adds Run entry to start application

C:\Windows\System32\svchost.exe (PID 1920)
  Command line: C:\Windows\System32\svchost.exe -k WerSvcGroup
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of NtCreateUserProcessOtherParentProcess

C:\Windows\system32\SppExtComObj.exe (PID 292)
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WerFault.exe (PID 324)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 864
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\System32\SLUI.exe (PID 1688)
  Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent

\??\c:\windows\system32\svchost.exe (PID 2072)
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s WdiSystemHost

C:\Windows\system32\svchost.exe (PID 3088)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc

C:\Windows\SysWOW64\WerFault.exe (PID 4628)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 884
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 4656)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 888
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 4752)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 940
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 3792)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1108
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 4380)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1148
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 4124)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1468
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 772)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1704
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 4616)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1692
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 3016)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1720
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 756)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1424
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 828)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1420
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 3768)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1744
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\icacls.exe (PID 4708)
  Command line: icacls "C:\Users\Admin\AppData\Local\65d93abd-5b44-4787-b20a-693057c33140" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  Started by the sample (PID 5000). *S-1-1-0 is the Everyone SID; (OI)(CI) makes the ACE inherit to files and subfolders and (DE,DC) denies delete and delete-child. The directory is the one the SysHelper Run value points into, so the persisted copy cannot be removed by ordinary users until the ACE is cleared.

C:\Windows\SysWOW64\WerFault.exe (PID 3896)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1828
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 4668)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1704
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Users\Admin\AppData\Local\Temp\d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc.exe (PID 4780)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc.exe" --Admin IsNotAutoStart IsNotTask
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\WerFault.exe (PID 4256)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 820
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 4224)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 868
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 3844)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 932
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 2316)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1048
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 3328)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1096
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 3396)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1064
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 1504)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1160
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 1924)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1252
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 2492)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1472
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 4568)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1568
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 3812)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1520
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

\??\c:\windows\system32\svchost.exe (PID 4400)
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  - Drops file in system dir
  - Modifies service

\??\c:\windows\system32\svchost.exe (PID 4408)
  Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV

\??\c:\windows\system32\svchost.exe (PID 4912)
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
  - Checks system information in the registry (likely anti-VM)

\??\c:\windows\system32\svchost.exe (PID 5112)
  Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
  - Windows security modification

\??\c:\windows\system32\svchost.exe (PID 5096)
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup

C:\Windows\SysWOW64\WerFault.exe (PID 4772)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1516
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 4676)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1504
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 1060)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1392
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 992)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1628
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 1584)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1668
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Checks system information in the registry (likely anti-VM)

C:\Windows\SysWOW64\WerFault.exe (PID 4968)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1552
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
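Correlating the IoCs above into one chain is the step the report leaves to the analyst: the SysHelper Run value points into C:\Users\Admin\AppData\Local\65d93abd-5b44-4787-b20a-693057c33140, icacls.exe (PID 4708) locks that directory with a deny ACE for Everyone, the same image is re-launched as PID 4780 with --Admin IsNotAutoStart IsNotTask, and WerFault.exe is invoked repeatedly for both sample PIDs. The Python below is an added example, not part of the report or of the sandbox that produced it. It encodes those four checks over process-creation and registry-write records constructed from the PIDs and command lines on this page (only a subset of the WerFault.exe launches is included) and joins them on the dropped directory. The record layout, the GUID-directory pattern and the crash threshold are assumptions of the example.

```python
"""Correlate per-process IoCs from a sandbox run into one persistence chain.

Added example, not part of the original report or the sandbox. The records
below are constructed from the PIDs, command lines and registry writes on
this page; only a subset of the WerFault.exe launches is included.
"""
import ntpath
import re
from collections import Counter

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Run-key data: an optionally quoted .exe path followed by optional arguments.
EXE_AND_ARGS = re.compile(r'^\s*"?([A-Za-z]:\\[^"]+?\.exe)"?\s*(.*)$')
# Executable dropped into <profile>\AppData\Local\<GUID>\ (assumed layout, as seen above).
GUID_DROP_DIR = re.compile(r"(?i)^(.*\\AppData\\Local\\" + GUID + r")\\[^\\]+$")
# WerFault.exe -u -p <pid> -s <handle>: -p names the crashing process.
WERFAULT_TARGET = re.compile(r"(?i)werfault\.exe.*\s-p\s+(\d+)")
# icacls "<dir>" /deny *S-1-1-0:(OI)(CI)(<rights>)   (S-1-1-0 is the Everyone SID)
ICACLS_DENY = re.compile(r'(?i)icacls\s+"([^"]+)"\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(([A-Z,]+)\)')

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d95a38a7c3ba130e354926102de8f64986d8248ee095e5e410d6ee410d74e0bc.exe")
DROP_DIR = r"C:\Users\Admin\AppData\Local\65d93abd-5b44-4787-b20a-693057c33140"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

PROC_EVENTS = [  # constructed from the process tree above: pid, image, command line
    {"pid": 5000, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 324, "image": WERFAULT, "cmdline": WERFAULT + " -u -p 5000 -s 864"},
    {"pid": 4628, "image": WERFAULT, "cmdline": WERFAULT + " -u -p 5000 -s 884"},
    {"pid": 4656, "image": WERFAULT, "cmdline": WERFAULT + " -u -p 5000 -s 888"},
    {"pid": 4708, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": 'icacls "%s" /deny *S-1-1-0:(OI)(CI)(DE,DC)' % DROP_DIR},
    {"pid": 4780, "image": SAMPLE, "cmdline": '"%s" --Admin IsNotAutoStart IsNotTask' % SAMPLE},
    {"pid": 4256, "image": WERFAULT, "cmdline": WERFAULT + " -u -p 4780 -s 820"},
    {"pid": 4224, "image": WERFAULT, "cmdline": WERFAULT + " -u -p 4780 -s 868"},
]
REG_EVENTS = [  # constructed from the "Adds Run entry" IoC above
    {"pid": 5000, "op": "Set value (str)",
     "key": r"\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "data": '"%s" --AutoStart' % ntpath.join(DROP_DIR, ntpath.basename(SAMPLE))},
]


def run_key_persistence(reg_events):
    """Run-key values (not RunOnce) whose target sits in a GUID-named directory under AppData\\Local."""
    hits = []
    for ev in reg_events:
        if not ev["op"].startswith("Set value") or "\\CurrentVersion\\Run\\" not in ev["key"]:
            continue
        m = EXE_AND_ARGS.match(ev["data"])
        if not m:
            continue
        exe, args = m.groups()
        d = GUID_DROP_DIR.match(exe)
        if d:
            hits.append({"pid": ev["pid"], "value": ev["key"].rsplit("\\", 1)[1],
                         "exe": exe, "args": args, "dir": d.group(1)})
    return hits


def acl_lockdowns(proc_events):
    """icacls runs that deny Everyone rights on a directory, keyed by lower-cased directory."""
    out = {}
    for ev in proc_events:
        m = ICACLS_DENY.search(ev["cmdline"])
        if m:
            out[m.group(1).lower()] = {"pid": ev["pid"], "denied": m.group(2).split(",")}
    return out


def relaunches(proc_events, image):
    """Later runs of `image` whose command line differs from its first run: (pid, args after the quoted path)."""
    same = [ev for ev in proc_events if ev["image"].lower() == image.lower()]
    if not same:
        return []
    first = same[0]["cmdline"]
    return [(ev["pid"], ev["cmdline"].split('"')[-1].strip())
            for ev in same[1:] if ev["cmdline"] != first]


def crash_targets(proc_events, threshold=2):
    """PIDs that WerFault.exe was launched for at least `threshold` times (a crash storm)."""
    counts = Counter()
    for ev in proc_events:
        m = WERFAULT_TARGET.search(ev["cmdline"])
        if m:
            counts[int(m.group(1))] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def correlate(proc_events, reg_events):
    """Tie the Run key, the ACL change on its directory, the re-launch and the crashes together."""
    persistence = run_key_persistence(reg_events)
    locks = acl_lockdowns(proc_events)
    persist_pids = {p["pid"] for p in persistence}
    images = {ev["image"] for ev in proc_events if ev["pid"] in persist_pids}
    return {
        "persistence": persistence,
        "locked_drop_dirs": [p["dir"] for p in persistence if p["dir"].lower() in locks],
        "relaunches": [r for img in sorted(images) for r in relaunches(proc_events, img)],
        "crash_targets": crash_targets(proc_events),
    }


if __name__ == "__main__":
    for name, finding in correlate(PROC_EVENTS, REG_EVENTS).items():
        print(name, "->", finding)
```

Run as a script to print the four findings for the constructed records. To apply it to a real run, map your own export into the same three-key records (for Sysmon, Event ID 1 supplies pid, image and command line; Event ID 13 supplies the registry value set with its data) and keep the GUID-directory pattern only if that drop layout is what you are hunting for.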
Network
MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques
These are legacy technique IDs that were retired when ATT&CK introduced sub-techniques; the current equivalent is given in parentheses, with the signature above each one corresponds to.
- T1130 Install Root Certificate (now T1553.004): "Modifies system certificate store"
- T1060 Registry Run Keys / Startup Folder (now T1547.001): "Adds Run entry to start application"
- T1031 Modify Existing Service (now T1543.003): "Modifies service"
- T1089 Disabling Security Tools (now T1562.001): "Windows security modification"