Analysis
- max time kernel: 125s
- max time network: 127s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 15:11

Static task: static1
Behavioral task: behavioral1
Sample: f389bcaede3b4275e90f2d9ff0e50a57.exe
Resource: win7-en-20210920
General
- Target: f389bcaede3b4275e90f2d9ff0e50a57.exe
- Size: 42KB
- MD5: f389bcaede3b4275e90f2d9ff0e50a57
- SHA1: b5b8d733ef241a5e57b53c8e809dd5629d4e2a31
- SHA256: 46de87ee14fc89de41df979d9de14bd223dbd109d7f9c04eda2641091d6d005b
- SHA512: 36ee862ec5f7c401b990f6bcde85bcbf48237729a4cef53c44a73bed461810107142e770e458f598ff8e08f69f295bf0314e4001d6c6d247052de82beadbb79c
Malware Config
Signatures
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Nirsoft 6 IoCs
Processes:

| resource | yara_rule |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\73ab7f40-f5cf-470c-9733-07f647b37cde\AdvancedRun.exe | Nirsoft |
| C:\Users\Admin\AppData\Local\Temp\73ab7f40-f5cf-470c-9733-07f647b37cde\AdvancedRun.exe | Nirsoft |
| C:\Users\Admin\AppData\Local\Temp\73ab7f40-f5cf-470c-9733-07f647b37cde\AdvancedRun.exe | Nirsoft |
| C:\Users\Admin\AppData\Local\Temp\cadcc949-4802-40e8-a9e2-d95832a5510e\AdvancedRun.exe | Nirsoft |
| C:\Users\Admin\AppData\Local\Temp\cadcc949-4802-40e8-a9e2-d95832a5510e\AdvancedRun.exe | Nirsoft |
| C:\Users\Admin\AppData\Local\Temp\cadcc949-4802-40e8-a9e2-d95832a5510e\AdvancedRun.exe | Nirsoft |
-
Executes dropped EXE 5 IoCs
Processes:

| pid | process |
|---|---|
| 1204 | AdvancedRun.exe |
| 1088 | AdvancedRun.exe |
| 748 | svhost.exe |
| 3760 | AdvancedRun.exe |
| 2716 | AdvancedRun.exe |
-
Windows security modification 12 IoCs
Processes:

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\쳶쳱촵쳴쳰촴촡촁쳲촉쳸촵촥촤촬\svchost.exe = "0" | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe = "0" | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svhost.exe = "0" | svhost.exe |
-
Suspicious use of SetThreadContext 1 IoCs
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 2896 set thread context of 3236 | 2896 | f389bcaede3b4275e90f2d9ff0e50a57.exe | f389bcaede3b4275e90f2d9ff0e50a57.exe |
-
Drops file in Windows directory 3 IoCs
Processes:

| description | ioc | process |
|---|---|---|
| File created | C:\Windows\Resources\Themes\쳶쳱촵쳴쳰촴촡촁쳲촉쳸촵촥촤촬\svchost.exe | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| File opened for modification | C:\Windows\Resources\Themes\쳶쳱촵쳴쳰촴촡촁쳲촉쳸촵촥촤촬\svchost.exe | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:

| pid | pid_target | process | target process |
|---|---|---|---|
| 3456 | 748 | WerFault.exe | svhost.exe |
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes (consecutive identical rows collapsed; the count column gives the number of repeats):

| pid | process | count |
|---|---|---|
| 3952 | powershell.exe | 1 |
| 636 | powershell.exe | 1 |
| 940 | powershell.exe | 1 |
| 1204 | AdvancedRun.exe | 4 |
| 3952 | powershell.exe | 1 |
| 636 | powershell.exe | 1 |
| 940 | powershell.exe | 1 |
| 1088 | AdvancedRun.exe | 4 |
| 940 | powershell.exe | 1 |
| 636 | powershell.exe | 1 |
| 3952 | powershell.exe | 1 |
| 1848 | powershell.exe | 3 |
| 2896 | f389bcaede3b4275e90f2d9ff0e50a57.exe | 2 |
| 3760 | AdvancedRun.exe | 4 |
| 1572 | powershell.exe | 1 |
| 612 | powershell.exe | 1 |
| 1324 | powershell.exe | 1 |
| 2716 | AdvancedRun.exe | 4 |
| 1572 | powershell.exe | 1 |
| 612 | powershell.exe | 1 |
| 1324 | powershell.exe | 1 |
| 1572 | powershell.exe | 1 |
| 612 | powershell.exe | 1 |
| 4024 | powershell.exe | 1 |
| 1324 | powershell.exe | 1 |
| 3456 | WerFault.exe | 16 |
| 4024 | powershell.exe | 2 |
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes:

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 2896 | f389bcaede3b4275e90f2d9ff0e50a57.exe |
| Token: SeDebugPrivilege | 636 | powershell.exe |
| Token: SeDebugPrivilege | 940 | powershell.exe |
| Token: SeDebugPrivilege | 3952 | powershell.exe |
| Token: SeDebugPrivilege | 1204 | AdvancedRun.exe |
| Token: SeImpersonatePrivilege | 1204 | AdvancedRun.exe |
| Token: SeDebugPrivilege | 1088 | AdvancedRun.exe |
| Token: SeImpersonatePrivilege | 1088 | AdvancedRun.exe |
| Token: SeDebugPrivilege | 1848 | powershell.exe |
| Token: SeDebugPrivilege | 748 | svhost.exe |
| Token: SeDebugPrivilege | 3760 | AdvancedRun.exe |
| Token: SeImpersonatePrivilege | 3760 | AdvancedRun.exe |
| Token: SeDebugPrivilege | 1572 | powershell.exe |
| Token: SeDebugPrivilege | 612 | powershell.exe |
| Token: SeDebugPrivilege | 1324 | powershell.exe |
| Token: SeDebugPrivilege | 2716 | AdvancedRun.exe |
| Token: SeImpersonatePrivilege | 2716 | AdvancedRun.exe |
| Token: SeRestorePrivilege | 3456 | WerFault.exe |
| Token: SeBackupPrivilege | 3456 | WerFault.exe |
| Token: SeBackupPrivilege | 3456 | WerFault.exe |
| Token: SeDebugPrivilege | 4024 | powershell.exe |
| Token: SeDebugPrivilege | 3456 | WerFault.exe |
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes (consecutive identical rows collapsed; the count column gives the number of repeats):

| description | pid | process | target process | count |
|---|---|---|---|---|
| PID 2896 wrote to memory of 3952 | 2896 | f389bcaede3b4275e90f2d9ff0e50a57.exe | powershell.exe | 3 |
| PID 2896 wrote to memory of 636 | 2896 | f389bcaede3b4275e90f2d9ff0e50a57.exe | powershell.exe | 3 |
| PID 2896 wrote to memory of 940 | 2896 | f389bcaede3b4275e90f2d9ff0e50a57.exe | powershell.exe | 3 |
| PID 2896 wrote to memory of 1204 | 2896 | f389bcaede3b4275e90f2d9ff0e50a57.exe | AdvancedRun.exe | 3 |
| PID 1204 wrote to memory of 1088 | 1204 | AdvancedRun.exe | AdvancedRun.exe | 3 |
| PID 2896 wrote to memory of 1848 | 2896 | f389bcaede3b4275e90f2d9ff0e50a57.exe | powershell.exe | 3 |
| PID 2896 wrote to memory of 3452 | 2896 | f389bcaede3b4275e90f2d9ff0e50a57.exe | f389bcaede3b4275e90f2d9ff0e50a57.exe | 3 |
| PID 2896 wrote to memory of 3236 | 2896 | f389bcaede3b4275e90f2d9ff0e50a57.exe | f389bcaede3b4275e90f2d9ff0e50a57.exe | 8 |
| PID 3236 wrote to memory of 1204 | 3236 | f389bcaede3b4275e90f2d9ff0e50a57.exe | schtasks.exe | 3 |
| PID 3236 wrote to memory of 748 | 3236 | f389bcaede3b4275e90f2d9ff0e50a57.exe | svhost.exe | 3 |
| PID 748 wrote to memory of 1572 | 748 | svhost.exe | powershell.exe | 3 |
| PID 748 wrote to memory of 612 | 748 | svhost.exe | powershell.exe | 3 |
| PID 748 wrote to memory of 1324 | 748 | svhost.exe | powershell.exe | 3 |
| PID 748 wrote to memory of 3760 | 748 | svhost.exe | AdvancedRun.exe | 3 |
| PID 3760 wrote to memory of 2716 | 3760 | AdvancedRun.exe | AdvancedRun.exe | 3 |
| PID 748 wrote to memory of 4024 | 748 | svhost.exe | powershell.exe | 3 |
| PID 748 wrote to memory of 3040 | 748 | svhost.exe | svhost.exe | 3 |
Processes (nested by process-tree level)

- [1] C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe"
  - Windows security modification
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\쳶쳱촵쳴쳰촴촡촁쳲촉쳸촵촥촤촬\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\쳶쳱촵쳴쳰촴촡촁쳲촉쳸촵촥촤촬\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\73ab7f40-f5cf-470c-9733-07f647b37cde\AdvancedRun.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\73ab7f40-f5cf-470c-9733-07f647b37cde\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\73ab7f40-f5cf-470c-9733-07f647b37cde\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\73ab7f40-f5cf-470c-9733-07f647b37cde\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\73ab7f40-f5cf-470c-9733-07f647b37cde\AdvancedRun.exe" /SpecialRun 4101d8 1204
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe
  - [2] C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\svhost.exe'"
      - Creates scheduled task(s)
    - [3] C:\Users\Admin\AppData\Roaming\svhost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\쳶쳱촵쳴쳰촴촡촁쳲촉쳸촵촥촤촬\svchost.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svhost.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\쳶쳱촵쳴쳰촴촡촁쳲촉쳸촵촥촤촬\svchost.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Users\Admin\AppData\Local\Temp\cadcc949-4802-40e8-a9e2-d95832a5510e\AdvancedRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\cadcc949-4802-40e8-a9e2-d95832a5510e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\cadcc949-4802-40e8-a9e2-d95832a5510e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\cadcc949-4802-40e8-a9e2-d95832a5510e\AdvancedRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\cadcc949-4802-40e8-a9e2-d95832a5510e\AdvancedRun.exe" /SpecialRun 4101d8 3760
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svhost.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Users\Admin\AppData\Roaming\svhost.exe
        Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
      - [4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 2320
        - Drops file in Windows directory
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (identical repeated entries listed once)

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f389bcaede3b4275e90f2d9ff0e50a57.exe.log
  MD5: d2c1af476959466e5dd564b1fbf7830c
  SHA1: 910620a034bafb76ae6b49b6035af404b35ea611
  SHA256: 5e360a32978393fa5982d3c8d105f8ecf9e28dc243fca579b2e8599d792ad9bc
  SHA512: 81cf772adc9fb08214a4d4df5f069177de8fe74fb5d23af6c4652100fce478d9a1759c4d0999b67a109a3f96050f4d941fe69ed88100f563a5ec7639d3f08df9
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: db01a2c1c7e70b2b038edf8ad5ad9826
  SHA1: 540217c647a73bad8d8a79e3a0f3998b5abd199b
  SHA256: 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
  SHA512: c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: 6faff0ebd7c3554b8b1b66bdc7a8ed7f
  SHA1: cc38cfcd0b4265eb2200f105c9ae46b3809beb72
  SHA256: b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a
  SHA512: ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: 0b5d94d20be9eecbaed3dddd04143f07
  SHA1: c677d0355f4cc7301075a554adc889bce502e15a
  SHA256: 3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
  SHA512: 395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: deea6eda5ba6dccfadc32922cfbaa16e
  SHA1: 949742cf59445f35500645c730785bab8cac586f
  SHA256: 921b5749a93d6175a71f429c0d4d3220175032f0a6d08f82a6eebc66c58c88a0
  SHA512: 4240bd40d4b0a9e4d9357dad0941c92ac85c1dff2189179f7f3f8daa9a4bd2aae42757ea907b098c487566d0f808816753f9325dd1ae17883c3868774fb31e45
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: 7247129cd0644457905b7d6bf17fd078
  SHA1: dbf9139b5a1b72141f170d2eae911bbbe7e128c8
  SHA256: dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4
  SHA512: 9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: f247f6f9064386b0cb9b0327d36262ae
  SHA1: 803455c33274d2dec564ce6e0433871956872f45
  SHA256: 93410c78110c0e643b33e202740ed8bf904c1518c4cf4e8d164010d5104ec602
  SHA512: 4fbc881951ce4e6335766851960cdb57169d5eb02ead2d3ac9c1e7f62ee1666b0c88359c79f48d20e1c6a336362f75866d3d8b7d366bfbf77b8d2b6639eb66bd
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 2bcee48e17b02588428b2494965f9f26
  SHA1: aded02ec67c5dcf830b0b43e7ff7bf1d2fcc8840
  SHA256: 73b3040d8fe78637e35397ba0ec812247e7a5f4bfabd6747acb19897d55911a1
  SHA512: 38ed64f552c33fad0da95daac89b861a289200066c6b4a935067dadba78020b5e8c31773c9ee6ba1428d8dc3e87ff278284dc47664574353dfa0a4fcce265678
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: aec6cc1b50f8a5575f5fa2969a79c411
  SHA1: c983c46f28ac9d115a7169cdb690c5e129326dba
  SHA256: 2d707a4b53392baa2374b9c823adc3dafac837432b5f6e5f058a7e86e5307f62
  SHA512: fdff8dc7024d6866ecfa8bbfe92f1879363a53eab657e6e06f730259007a371ee506cabd43e48f1d404b3b96ca10142520df20111607c27f86ab214e355a8de8
- C:\Users\Admin\AppData\Local\Temp\73ab7f40-f5cf-470c-9733-07f647b37cde\AdvancedRun.exe
  MD5: 17fc12902f4769af3a9271eb4e2dacce
  SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
  SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
  SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
- C:\Users\Admin\AppData\Local\Temp\cadcc949-4802-40e8-a9e2-d95832a5510e\AdvancedRun.exe
  MD5: 17fc12902f4769af3a9271eb4e2dacce
  SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
  SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
  SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
- C:\Users\Admin\AppData\Roaming\svhost.exe
  MD5: f389bcaede3b4275e90f2d9ff0e50a57
  SHA1: b5b8d733ef241a5e57b53c8e809dd5629d4e2a31
  SHA256: 46de87ee14fc89de41df979d9de14bd223dbd109d7f9c04eda2641091d6d005b
  SHA512: 36ee862ec5f7c401b990f6bcde85bcbf48237729a4cef53c44a73bed461810107142e770e458f598ff8e08f69f295bf0314e4001d6c6d247052de82beadbb79c
-
Memory dumps

| dump | Filesize |
|---|---|
| memory/612-790-0x0000000000000000-mapping.dmp | |
| memory/612-1519-0x0000000004C53000-0x0000000004C54000-memory.dmp | 4KB |
| memory/612-887-0x0000000004C52000-0x0000000004C53000-memory.dmp | 4KB |
| memory/612-883-0x0000000004C50000-0x0000000004C51000-memory.dmp | 4KB |
| memory/612-1311-0x000000007EA80000-0x000000007EA81000-memory.dmp | 4KB |
| memory/636-141-0x0000000007062000-0x0000000007063000-memory.dmp | 4KB |
| memory/636-155-0x00000000081D0000-0x00000000081D1000-memory.dmp | 4KB |
| memory/636-224-0x000000007E760000-0x000000007E761000-memory.dmp | 4KB |
| memory/636-127-0x0000000004B90000-0x0000000004B91000-memory.dmp | 4KB |
| memory/636-167-0x0000000008830000-0x0000000008831000-memory.dmp | 4KB |
| memory/636-170-0x0000000004B90000-0x0000000004B91000-memory.dmp | 4KB |
| memory/636-139-0x0000000007060000-0x0000000007061000-memory.dmp | 4KB |
| memory/636-122-0x0000000000000000-mapping.dmp | |
| memory/636-126-0x0000000004B90000-0x0000000004B91000-memory.dmp | 4KB |
| memory/636-194-0x00000000095F0000-0x0000000009623000-memory.dmp | 204KB |
| memory/636-260-0x0000000007063000-0x0000000007064000-memory.dmp | 4KB |
| memory/748-650-0x0000000004E80000-0x0000000004E81000-memory.dmp | 4KB |
| memory/748-610-0x0000000000000000-mapping.dmp | |
| memory/940-146-0x00000000071F0000-0x00000000071F1000-memory.dmp | 4KB |
| memory/940-143-0x0000000006552000-0x0000000006553000-memory.dmp | 4KB |
| memory/940-232-0x000000007F060000-0x000000007F061000-memory.dmp | 4KB |
| memory/940-152-0x0000000007290000-0x0000000007291000-memory.dmp | 4KB |
| memory/940-161-0x0000000007500000-0x0000000007501000-memory.dmp | 4KB |
| memory/940-124-0x0000000000000000-mapping.dmp | |
| memory/940-262-0x0000000006553000-0x0000000006554000-memory.dmp | 4KB |
| memory/940-130-0x0000000004040000-0x0000000004041000-memory.dmp | 4KB |
| memory/940-131-0x0000000004040000-0x0000000004041000-memory.dmp | 4KB |
| memory/940-164-0x00000000079B0000-0x00000000079B1000-memory.dmp | 4KB |
| memory/940-149-0x0000000007470000-0x0000000007471000-memory.dmp | 4KB |
| memory/940-174-0x0000000004040000-0x0000000004041000-memory.dmp | 4KB |
| memory/940-142-0x0000000006550000-0x0000000006551000-memory.dmp | 4KB |
| memory/1088-159-0x0000000000000000-mapping.dmp | |
| memory/1204-144-0x0000000000000000-mapping.dmp | |
| memory/1204-587-0x0000000000000000-mapping.dmp | |
| memory/1324-802-0x0000000000000000-mapping.dmp | |
| memory/1324-878-0x00000000073E2000-0x00000000073E3000-memory.dmp | 4KB |
| memory/1324-1316-0x000000007F740000-0x000000007F741000-memory.dmp | 4KB |
| memory/1324-1514-0x00000000073E3000-0x00000000073E4000-memory.dmp | 4KB |
| memory/1324-868-0x00000000073E0000-0x00000000073E1000-memory.dmp | 4KB |
| memory/1572-1270-0x000000007E120000-0x000000007E121000-memory.dmp | 4KB |
| memory/1572-781-0x0000000000000000-mapping.dmp | |
| memory/1572-1517-0x0000000006943000-0x0000000006944000-memory.dmp | 4KB |
| memory/1572-863-0x0000000006940000-0x0000000006941000-memory.dmp | 4KB |
| memory/1572-872-0x0000000006942000-0x0000000006943000-memory.dmp | 4KB |
| memory/1848-182-0x0000000000000000-mapping.dmp | |
| memory/1848-190-0x0000000002940000-0x0000000002941000-memory.dmp | 4KB |
| memory/1848-465-0x00000000067A3000-0x00000000067A4000-memory.dmp | 4KB |
| memory/1848-239-0x00000000067A2000-0x00000000067A3000-memory.dmp | 4KB |
| memory/1848-235-0x00000000067A0000-0x00000000067A1000-memory.dmp | 4KB |
| memory/1848-414-0x000000007E110000-0x000000007E111000-memory.dmp | 4KB |
| memory/1848-192-0x0000000002940000-0x0000000002941000-memory.dmp | 4KB |
| memory/2716-895-0x0000000000000000-mapping.dmp | |
| memory/2896-118-0x0000000006310000-0x0000000006311000-memory.dmp | 4KB |
| memory/2896-119-0x0000000006270000-0x00000000062D1000-memory.dmp | 388KB |
| memory/2896-120-0x00000000068B0000-0x00000000068B1000-memory.dmp | 4KB |
| memory/2896-115-0x0000000000FE0000-0x0000000000FE1000-memory.dmp | 4KB |
| memory/2896-117-0x00000000058A0000-0x00000000058A1000-memory.dmp | 4KB |
| memory/2896-135-0x00000000064B0000-0x00000000064B1000-memory.dmp | 4KB |
| memory/2896-137-0x0000000006480000-0x0000000006481000-memory.dmp | 4KB |
| memory/3236-211-0x000000000040810E-mapping.dmp | |
| memory/3236-330-0x00000000054D0000-0x00000000054D1000-memory.dmp | 4KB |
| memory/3760-837-0x0000000000000000-mapping.dmp | |
| memory/3952-229-0x000000007E290000-0x000000007E291000-memory.dmp | 4KB |
| memory/3952-133-0x00000000074A0000-0x00000000074A1000-memory.dmp | 4KB |
| memory/3952-263-0x0000000006E63000-0x0000000006E64000-memory.dmp | 4KB |
| memory/3952-138-0x0000000006E60000-0x0000000006E61000-memory.dmp | 4KB |
| memory/3952-128-0x0000000004910000-0x0000000004911000-memory.dmp | 4KB |
| memory/3952-125-0x00000000047F0000-0x00000000047F1000-memory.dmp | 4KB |
| memory/3952-123-0x00000000047F0000-0x00000000047F1000-memory.dmp | 4KB |
| memory/3952-140-0x0000000006E62000-0x0000000006E63000-memory.dmp | 4KB |
| memory/3952-121-0x0000000000000000-mapping.dmp | |
| memory/3952-171-0x00000000047F0000-0x00000000047F1000-memory.dmp | 4KB |
| memory/4024-1501-0x0000000006973000-0x0000000006974000-memory.dmp | 4KB |
| memory/4024-1030-0x0000000000000000-mapping.dmp | |
| memory/4024-1086-0x0000000006970000-0x0000000006971000-memory.dmp | 4KB |
| memory/4024-1092-0x0000000006972000-0x0000000006973000-memory.dmp | 4KB |